自定义请求网址

时间:2014-07-27 22:09:26

标签: spring-saml

我正在配置一个接收来自adfs的请求的saml应用。我想使用自定义URL来接收请求。这是我的配置:

<!-- Spring Security web filter chain.
     entry-point-ref: unauthenticated requests are handed to authenticationEntryPoint (defined outside this listing).
     disable-url-rewriting="true": session ids are not rewritten into URLs.
     The member login filter takes the FORM_LOGIN_FILTER slot; samlFilter (the FilterChainProxy below)
     takes the PRE_AUTH_FILTER slot and routes /auth.htm and /saml/metadata/** to the SAML filters.
     Every URL requires a fully authenticated user; anonymous callers carry ROLE_ANONYMOUS and
     access denials are sent to /login/index.htm. -->
<http servlet-api-provision="false"  entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" >
    <custom-filter position="FORM_LOGIN_FILTER" ref="memberAuthenticationFilter" />
    <custom-filter position="PRE_AUTH_FILTER" ref="samlFilter" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <anonymous granted-authority="ROLE_ANONYMOUS" username="ANONYMOUS" />
    <access-denied-handler error-page="/login/index.htm"/>
</http>
<!-- Processes the SAML Response posted by the IdP and passes it to the authentication manager.
     The filter answers on /auth.htm; the AssertionConsumerService Location published in the SP
     metadata must point at this same URL, otherwise the endpoint lookup for the POST binding fails.
     A failed authentication redirects to ${ssoNonMemberRedirectUrl}. -->
<beans:bean id="ssoAuthenticationFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
    <beans:property name="authenticationManager">
        <beans:ref bean="authenticationManager"/>
    </beans:property>
    <beans:property name="authenticationFailureHandler">
        <beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <beans:property name="defaultFailureUrl">
                <beans:value>${ssoNonMemberRedirectUrl}</beans:value>
            </beans:property>
        </beans:bean>
    </beans:property>
    <beans:property name="filterProcessesUrl">
        <beans:value>/auth.htm</beans:value>
    </beans:property>
</beans:bean>
<!-- Inner filter chain plugged into the PRE_AUTH_FILTER slot of <http> above.
     Ant patterns: /auth.htm goes to the response-processing filter, /saml/metadata/** to metadata display;
     any other URL passes through untouched.
     If the consumer URL ever carries an alias suffix (e.g. /auth.htm/alias/defaultAlias) the first
     pattern has to become "/auth.htm/**" or the request never reaches ssoAuthenticationFilter. -->
<beans:bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <filter-chain-map request-matcher="ant">
        <filter-chain pattern="/auth.htm" filters="ssoAuthenticationFilter"/>
        <filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
    </filter-chain-map>
</beans:bean>

<!-- Authentication provider for SAML tokens; the application's MemberDetailsService is injected as
     userDetails (presumably it maps the SAML principal to a local member - confirm against that class).
     The bean id is historical; the class is the SAML provider, not a pre-authenticated one. -->
<beans:bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
    <beans:property name="userDetails">
        <beans:bean class="com.wigitsrus.wigits.security.MemberDetailsService" />
    </beans:property>
</beans:bean>

<!-- Registers the annotated components shipped in the library package. -->
<context:component-scan base-package="org.springframework.security.saml"/>
<!-- Logger used for SAML message exchanges. -->
<beans:bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>

<!-- Serves the SP metadata; samlFilter above maps /saml/metadata/** to this filter. -->
<beans:bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
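<!-- Generates the SP metadata on the fly (the document served by metadataDisplayFilter).
     entityId is the identifier the IdP knows this SP by; entityBaseURL is the public base from which
     the generated endpoint Locations (e.g. .../saml/SSO/alias/defaultAlias) are derived.
     NOTE(review): signMetadata="false" publishes unsigned metadata, so the IdP has to trust the
     document by the way it is delivered rather than by a signature. -->
<beans:bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <beans:property name="entityId" value="http://wigitsrus.com"/>
            <beans:property name="signMetadata" value="false"/>
            <beans:property name="entityBaseURL" value="https://wigitsrus.com/wigits"/>
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>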

<!-- IdP metadata configuration - the metadata of every IdP in the circle of trust is listed here. -->
<!-- Do not forget to call the initialize method on the providers. -->
<!-- CachingMetadataManager holding one IdP entry loaded from FederationMetadata.xml on the classpath.
     defaultIDP must match the alias/entity used for that entry.
     NOTE(review): refreshCheckInterval="0" presumably disables periodic re-reading of the metadata file;
     a key rollover at the IdP then requires a redeploy - confirm this is intended. -->
<beans:bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <beans:constructor-arg>
                    <!-- Raw IdP metadata read from the classpath file and parsed with the shared parser pool. -->
                    <beans:bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <beans:constructor-arg>
                            <beans:value type="java.io.File">classpath:com/wigitsrus/wigits/security/saml/FederationMetadata.xml</beans:value>
                        </beans:constructor-arg>
                        <beans:property name="parserPool" ref="parserPool"/>
                    </beans:bean>
                </beans:constructor-arg>
                <beans:constructor-arg>
                    <!-- Per-IdP settings. NOTE(review): all three require*Signed flags are "false", i.e. unsigned
                         ArtifactResolve, LogoutRequest and LogoutResponse messages from this IdP are accepted;
                         confirm the IdP really does not sign them before keeping these relaxed. -->
                    <beans:bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <beans:property name="alias" value="http://theidp.com"/>
                        <beans:property name="requireArtifactResolveSigned" value="false"/>
                        <beans:property name="requireLogoutRequestSigned" value="false"/>
                        <beans:property name="requireLogoutResponseSigned" value="false"/>
                        <beans:property name="idpDiscoveryEnabled" value="false"/>
                    </beans:bean>
                </beans:constructor-arg>
                <!-- NOTE(review): metadataTrustCheck="false" skips the trust (signature) check on the loaded
                     metadata; the integrity of FederationMetadata.xml then rests on the deployment artifact. -->
                <beans:property name="metadataTrustCheck" value="false"/>
            </beans:bean>
        </beans:list>
    </beans:constructor-arg>
    <beans:property name="defaultIDP" value="http://theidp.com"/>
    <beans:property name="refreshCheckInterval" value="0"/>
</beans:bean>

<!-- SAML context provider with a fixed external scheme, host, port and context path (the "LB" variant),
     so endpoint URLs are built from these values rather than from whatever the servlet container
     sees on the incoming request; presumably the application sits behind a proxy - confirm. -->
<beans:bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <beans:property name="scheme">
        <beans:value>https</beans:value>
    </beans:property>
    <beans:property name="serverName">
        <beans:value>wigitsrus.com</beans:value>
    </beans:property>
    <beans:property name="serverPort">
        <beans:value>443</beans:value>
    </beans:property>
    <beans:property name="includeServerPortInRequestURL">
        <beans:value>false</beans:value>
    </beans:property>
    <beans:property name="contextPath">
        <beans:value>/wigits</beans:value>
    </beans:property>
</beans:bean>

<!-- Clears the local security context on logout.
     NOTE(review): invalidateHttpSession="false" presumably leaves the servlet session itself alive
     after logout; confirm this is intended, otherwise set it to true. -->
<beans:bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    <beans:property name="invalidateHttpSession">
        <beans:value>false</beans:value>
    </beans:property>
</beans:bean>

<!-- Replaces the default logout filter with the SAML-aware one.
     Argument 0: success handler run after logout (application class);
     arguments 1 and 2: the same local logout handler is used for the local and the global logout. -->
<beans:bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
    <beans:constructor-arg index="0">
        <beans:bean class="com.wigitsrus.wigits.security.MemberLogoutSuccessHandler"/>
    </beans:constructor-arg>
    <beans:constructor-arg index="1">
        <beans:ref bean="logoutHandler"/>
    </beans:constructor-arg>
    <beans:constructor-arg index="2">
        <beans:ref bean="logoutHandler"/>
    </beans:constructor-arg>
</beans:bean>

<!-- Handles logout messages arriving from the IdP.
     Argument 0: success handler deciding where the user lands after a global logout;
     argument 1: the local logout handler that clears the security context. -->
<beans:bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
    <beans:constructor-arg index="0">
        <beans:bean class="com.wigitsrus.wigits.security.MemberLogoutSuccessHandler"/>
    </beans:constructor-arg>
    <beans:constructor-arg index="1">
        <beans:ref bean="logoutHandler"/>
    </beans:constructor-arg>
</beans:bean>

<!-- Reads incoming SAML messages from the HTTP request.
     The bindings are tried in the listed order: redirect, POST, artifact, SOAP, PAOS. -->
<beans:bean id="samlProcessor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
    <beans:constructor-arg>
        <beans:list>
            <beans:ref bean="redirectBinding"/>
            <beans:ref bean="postBinding"/>
            <beans:ref bean="artifactBinding"/>
            <beans:ref bean="soapBinding"/>
            <beans:ref bean="paosBinding"/>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<!-- SAML 2.0 Web SSO assertion consumer: the receiving side of the profile (incoming responses). -->
<beans:bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>

<!-- SAML 2.0 Holder-of-Key Web SSO assertion consumer (receiving side of the HoK variant). -->
<beans:bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

<!-- SAML 2.0 Web SSO profile: the initiating side of the exchange. -->
<beans:bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>

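<!-- SAML 2.0 Holder-of-Key Web SSO profile (initiating side).
     Uses the HoK profile implementation, not the consumer class that already backs
     hokWebSSOprofileConsumer above - a bean named as the profile but typed as the consumer
     would not satisfy a WebSSOProfile injection point. -->
<beans:bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileHoKImpl"/>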

<!-- SAML 2.0 ECP (Enhanced Client or Proxy) profile. -->
<beans:bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>

<!-- SAML 2.0 Single Logout profile, used by the two logout filters above. -->
<beans:bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>

<!-- Bindings, encoders and decoders used to build and parse messages. -->
<!-- HTTP-POST binding; needs the parser pool for decoding and the Velocity engine for rendering the auto-submit form. -->
<beans:bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
    <beans:constructor-arg>
        <beans:ref bean="parserPool"/>
    </beans:constructor-arg>
    <beans:constructor-arg>
        <beans:ref bean="velocityEngine"/>
    </beans:constructor-arg>
</beans:bean>

<!-- HTTP-Redirect binding (DEFLATE-encoded message in the query string). -->
<beans:bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
    <beans:constructor-arg>
        <beans:ref bean="parserPool"/>
    </beans:constructor-arg>
</beans:bean>

<!-- HTTP-Artifact binding. The artifact itself is resolved over a back channel: the nested
     ArtifactResolutionProfileImpl uses a commons HttpClient (multi-threaded connection manager)
     for the outbound call and its own SAMLProcessorImpl with only the SOAP binding to decode the answer.
     NOTE(review): the IdP entry in the metadata manager sets requireArtifactResolveSigned="false";
     confirm that is acceptable for this back channel. -->
<beans:bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
    <beans:constructor-arg ref="parserPool"/>
    <beans:constructor-arg ref="velocityEngine"/>
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
            <beans:constructor-arg>
                <!-- HTTP client used for the outbound ArtifactResolve request. -->
                <beans:bean class="org.apache.commons.httpclient.HttpClient">
                    <beans:constructor-arg>
                        <beans:bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
                    </beans:constructor-arg>
                </beans:bean>
            </beans:constructor-arg>
            <!-- Processor restricted to SOAP, the only binding the resolve response can arrive on here. -->
            <beans:property name="processor">
                <beans:bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
                    <beans:constructor-arg ref="soapBinding"/>
                </beans:bean>
            </beans:property>
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>

<!-- SOAP 1.1 binding, also used by the artifact resolution back channel above. -->
<beans:bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
    <beans:constructor-arg>
        <beans:ref bean="parserPool"/>
    </beans:constructor-arg>
</beans:bean>

<!-- PAOS (reverse SOAP) 1.1 binding, used by the ECP profile. -->
<beans:bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
    <beans:constructor-arg>
        <beans:ref bean="parserPool"/>
    </beans:constructor-arg>
</beans:bean>

<!-- Initialises the OpenSAML library (anonymous bean; it only has to exist in the context). -->
<beans:bean class="org.springframework.security.saml.SAMLBootstrap"/>

<!-- Velocity engine obtained from the library factory; used by the POST and artifact bindings to render forms. -->
<beans:bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>

<!-- XML parser pool shared by every binding and metadata provider in this file; initialize() builds the pool.
     NOTE(review): all inbound SAML XML goes through this pool, so confirm its configuration keeps
     DTD / external-entity processing disabled (XXE) before relying on the defaults. -->
<beans:bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
<!-- Holder that makes the pool reachable for library code that is not Spring-managed. -->
<beans:bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>


<!-- Central store of the SP's cryptographic keys, backed by a JKS file on the classpath.
     Constructor arguments: keystore location, keystore password, map of key alias to key password,
     and the alias of the default signing/decryption key. Passwords and the alias come from
     property placeholders rather than literals in this file.
     NOTE(review): the file name sso-test.jks suggests test key material; confirm that production
     deployments substitute their own keystore. -->
<beans:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <beans:constructor-arg value="classpath:/com/wigitsrus/wigits/security/saml/sso-test.jks"/>
    <beans:constructor-arg value="${keystore.password}"/>
    <beans:constructor-arg>
        <beans:map>
            <beans:entry key="${private.key.alias}" value="${keystore.password}" />
        </beans:map>
    </beans:constructor-arg>
    <beans:constructor-arg value="${private.key.alias}"/>
</beans:bean>

我遇到的问题是:找不到消息绑定为 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST、过滤器 URL 为 /auth.htm 的端点。

当我单步调试 SAMLUtil.getEndpoint 中的代码时,看起来本应匹配的端点使用的 Location 是:https://www.wigitsrus.com/wigit/saml/SSO/alias/defaultAlias

如何设置 POST 端点所用的 Location 属性,使其与请求 URL 匹配?

1 个答案:

答案 0 :(得分:1)

你应该做的是:

  • 从 https://wigitsrus.com/wigits/saml/metadata 下载您当前生成的元数据,并将其存储在(例如)classpath:com/wigitsrus/wigits/security/saml/sp.xml

  • 手动修改该文件,将 AssertionConsumerService 元素中的 Location 替换为 https://wigitsrus.com/wigits/auth.htm

  • 将元数据添加到CachingMetadataManager内的列表中,例如:

    <!-- Locally stored SP metadata (local="true", alias defaultAlias) read from sp.xml on the classpath;
         once listed in the CachingMetadataManager it takes the place of the on-the-fly MetadataGenerator.
         Note that this entry requires signed ArtifactResolve and LogoutRequest messages ("true"),
         which is stricter than the IdP entry in the question's configuration. -->
    <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">classpath:com/wigitsrus/wigits/security/saml/sp.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <!-- Settings for the SP itself: security profile metaiop, PKIX for TLS, default hostname verification. -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                <property name="local" value="true"/>
                <property name="alias" value="defaultAlias"/>
                <property name="securityProfile" value="metaiop"/>
                <property name="sslSecurityProfile" value="pkix"/>
                <property name="sslHostnameVerification" value="default"/>
                <property name="signMetadata" value="false"/>
                <property name="requireArtifactResolveSigned" value="true"/>
                <property name="requireLogoutRequestSigned" value="true"/>
            </bean>
        </constructor-arg>
    </bean>
    
  • 确保将新的SP元数据上传到IDP

系统现在不再使用MetadataGenerator,并且应该期望SAML响应到达https://wigitsrus.com/wigits/auth.htm端点。

如果您愿意使用网址https://wigitsrus.com/wigits/auth.htm/alias/defaultAlias,那么您需要做的就是:

  • 将元数据从https://wigitsrus.com/wigits/saml/metadata上传到IDP,AssertionConsumerServices应该已包含正确的网址

  • 将 filterChain 的 pattern 更改为 pattern="/auth.htm/**"