使用Apache CXF为Java中的Azure Pack获取安全令牌

Question

I am trying to write code in Java that can obtain a Security Token from the STS for Azure Pack, which I can then use to authenticate calls to the Azure Pack APIs. Here is example code that Microsoft provides (which works) for obtaining this token in C#:

        string windowsAuthSiteEndPoint = EnvironmentToUse + ":30072";
        var identityProviderEndpoint = new EndpointAddress(new Uri(windowsAuthSiteEndPoint + "/wstrust/issue/windowstransport"));
        var identityProviderBinding = new WS2007HttpBinding(SecurityMode.Transport);
        identityProviderBinding.Security.Message.EstablishSecurityContext = false;
        identityProviderBinding.Security.Message.ClientCredentialType = MessageCredentialType.None;
        identityProviderBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var trustChannelFactory = new WSTrustChannelFactory(identityProviderBinding, identityProviderEndpoint)
        {
            TrustVersion = TrustVersion.WSTrust13,
        };

        var channel = trustChannelFactory.CreateChannel();
        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            AppliesTo = new EndpointReference("http://azureservices/AdminSite"),
            KeyType = KeyTypes.Bearer,
        };

        RequestSecurityTokenResponse rstr = null;
        SecurityToken token = null;
        token = channel.Issue(rst, out rstr);

Here is what I currently have in Java, where I am attempting to do the same thing:

    import org.apache.cxf.Bus;
    import org.apache.cxf.bus.spring.SpringBusFactory;
    import org.apache.cxf.sts.STSConstants;
    import org.apache.cxf.ws.security.SecurityConstants;
    import org.apache.cxf.ws.security.tokenstore.SecurityToken;
    import org.apache.cxf.ws.security.trust.STSClient;

    SpringBusFactory springBusFactory = new SpringBusFactory();
    Bus bus = springBusFactory.createBus();

    STSClient stsClient = new STSClient(bus);
    stsClient.setLocation("https://" + endpoint + ":30072/wstrust/issue/windowstransport");
    stsClient.setServiceName("{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService");
    stsClient.setEndpointName("{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}WS2007HttpBinding_IWSTrust13Sync");
    stsClient.setKeyType(STSConstants.BEARER_KEY_KEYTYPE);
    stsClient.isEnableAppliesTo();

    bus.setProperty(SecurityConstants.STS_CLIENT, stsClient);
    bus.setProperty(SecurityConstants.STS_APPLIES_TO, "http://azureservices/AdminSite");

    SecurityToken securityToken = stsClient.requestSecurityToken();

I get a 401 Unauthorized HTTP response when running my Java test code:

    Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '401: Unauthorized' when communicating with https://endpoint:30072/wstrust/issue/windowstransport

It looks like I'm missing the following pieces of functionality when attempting to recreate what the C# code does, but I can't figure out what the equivalent of the following code would be in Java/using the Apache CXF library:

1) identityProviderBinding.Security.Message.EstablishSecurityContext = false;

2) identityProviderBinding.Security.Message.ClientCredentialType = MessageCredentialType.None;

3) identityProviderBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

It's also possible I'm doing other things wrong as well. Any thoughts or suggestions?

Answer 1

Have you tried using management certificates to authenticate your requests instead of security tokens. https://msdn.microsoft.com/en-us/library/azure/ee460782.aspx#bk_cert has information on how to do it in Azure, but it should not differ much for Azure Pack.