我正在尝试在securityContext.xml中配置IDP后运行我的服务器时遇到以下异常。
引起:org.opensaml.saml2.metadata.provider.FilterException:签名信任建立失败,无法进行元数据输入
我看到http://forum.spring.io/forum/spring-projects/security/saml/108450-getting-error-signature-trust-establishment-failed-for-metadata-entry链接中有一个解决方法,它通过在包含IDP元数据的ExtendedMetadataDelegate bean上将属性metadataTrustCheck设置为false来实现。
但我不想更新saml2核心api,而是可以在securityContext.xml中设置metadataTrustCheck。如果是这样,如何设置它。我尝试如下。但仍然得到同样的错误。
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:metadata/services/MyMetadata.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="false"/>
</bean>
我的MetadataManager定义如下:
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:metadata/services/FederationMetadata.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="false"/>
</bean>
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<!-- URL containing the metadata -->
<constructor-arg>
<value type="java.lang.String">https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
</constructor-arg>
<!-- Timeout for metadata loading in ms -->
<constructor-arg>
<value type="int">5000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:metadata/capital/FederationMetadata.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="false"/>
</bean>
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<!-- URL containing the metadata -->
<constructor-arg>
<value type="java.lang.String">https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
</constructor-arg>
<!-- Timeout for metadata loading in ms -->
<constructor-arg>
<value type="int">5000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</list>
</constructor-arg>
</bean>
请帮助解决这个问题。感谢。
答案 0 :(得分:2)
只有部分MetadataProviders被ExtendedMetadataDelegate包裹。您必须在每个metadataTrustCheck上将false标记设置为MetadataProvider,这应该跳过信任检查,而不仅仅是其中一些。按如下方式定义元数据提供程序,您的问题应该消失:
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:metadata/services/FederationMetadata.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="false"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<!-- URL containing the metadata -->
<constructor-arg>
<value type="java.lang.String">
https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml
</value>
</constructor-arg>
<!-- Timeout for metadata loading in ms -->
<constructor-arg>
<value type="int">5000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="false"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:metadata/capital/FederationMetadata.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="false"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<!-- URL containing the metadata -->
<constructor-arg>
<value type="java.lang.String">
https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml
</value>
</constructor-arg>
<!-- Timeout for metadata loading in ms -->
<constructor-arg>
<value type="int">5000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="false"/>
</bean>
</list>
</constructor-arg>
</bean>
答案 1 :(得分:1)
在Java Config版本中,在将信任检查标志设置为false后,我不得不针对metadataProvider对象手动调用initialize方法。
@SamlBeanAnnotation
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException, ResourceException {
List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
for (String file: getSamlProviders()) {
ResourceBackedMetadataProvider metadataProvider = new ResourceBackedMetadataProvider(new Timer(),
new org.opensaml.util.resource.ClasspathResource("/" + file.trim()));
metadataProvider.setParserPool(parserPool());
ExtendedMetadataDelegate extendedMetadataDelegate =
new ExtendedMetadataDelegate(metadataProvider, new ExtendedMetadata());
extendedMetadataDelegate.setMetadataTrustCheck(false);
extendedMetadataDelegate.setMetadataRequireSignature(false);
metadataProvider.initialize();
providers.add(metadataProvider);
}
CachingMetadataManager cachingMetadataManager= new CachingMetadataManager(providers);
return cachingMetadataManager;
}