Spring SAML握手失败 - 无法针对可信密钥验证不受信任的凭据

时间:2014-10-24 19:08:37

标签: java spring spring-security spring-saml

我正在使用Spring Security SAML扩展程序与ACA医疗保健(也称为Obamacare)网站集成。它使用IDP启动的SSO。 SAML握手失败,出现以下输出

org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider] Single certificate was present, treating as end-entity certificate
org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver] Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver] A total of 1 credentials were resolved
org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry] Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
org.opensaml.xml.signature.SignatureValidator] Attempting to validate signature using key from supplied credential
org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object
org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
org.opensaml.xml.signature.SignatureValidator] Signature validated with key from supplied credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate credential was successful
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Successfully verified signature using KeyInfo-derived credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Attempting to establish trust of KeyInfo-derived credential
org.opensaml.xml.security.trust.ExplicitKeyTrustEvaluator] Failed to validate untrusted credential against trusted key
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to establish trust of KeyInfo-derived credential
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine] Attempting to verify signature using trusted credentials
org.opensaml.xml.signature.SignatureValidator] Attempting to validate signature using key from supplied credential
org.opensaml.xml.signature.SignatureValidator] Creating XMLSignature object
org.opensaml.xml.signature.SignatureValidator] Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
org.opensaml.xml.signature.SignatureValidator] Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
org.apache.xml.security.signature.XMLSignature] Signature verification failed.
org.opensaml.xml.signature.SignatureValidator] Signature did not validate against the credential's key
org.opensaml.xml.signature.impl.BaseSignatureTrustEngine] Signature validation using candidate validation credential failed
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)

我的securityContext具有以下内容:

    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:${MC_METADATA}</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool" />
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <map>
                        <entry key="${MC_ALIAS_1}">
                            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                                <property name="local" value="true" />
                                <property name="alias" value="${MC_ALIAS_1}" />
                                <property name="securityProfile" value="metaiop" />
                                <property name="requireArtifactResolveSigned" value="false" />
                                <property name="requireLogoutRequestSigned" value="false" />
                                <property name="requireLogoutResponseSigned" value="false" />
                                <property name="idpDiscoveryEnabled" value="false" />
                            </bean>
                        </entry>

                    </map>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
    <property name="defaultExtendedMetadata">
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <property name="local" value="true" />
            <property name="alias" value="${MC_ALIAS_1}" />
            <property name="securityProfile" value="metaiop" />
            <property name="requireArtifactResolveSigned" value="false" />
            <property name="requireLogoutRequestSigned" value="false" />
            <property name="requireLogoutResponseSigned" value="false" />
            <property name="idpDiscoveryEnabled" value="false" />
        </bean>
    </property>
    <property name="hostedSPName" value="${MC_ALIAS_1}" />
</bean>

传入的SAML包含X509Certificate,我已将其复制到签名下的元数据文件中。我也尝试将'metadataTrustCheck'添加为false但仍然是相同的错误。通过HTTPS进行通信,我的测试服务器(接收SAML)使用自签名证书。

关于可能遗漏/错误的任何想法?

1 个答案:

答案 0 :(得分:2)

通常,将证书添加到IDP的元数据中会使其受到Spring SAML的信任,因此您的方法是正确的。以下其中一项可能会导致您遇到的问题:

  • $ {MC_ALIAS_1}元数据可能是您的IDP元数据,但您当前正在将其导入,就像它是SP元数据一样 - 您使用的是元数据生成器,还是这是您预先配置的SP元数据?
  • 您已将IDP邮件中找到的证书导入您的SP元数据,而需要将其导入IDP元数据才能获得信任

发布您正在接收的SAML消息,您的完整配置xml(而不仅仅是一个代码段)可以让您更轻松地进行故障排除。

相关问题
最新问题