Getting an error while decrypting the SAML token

Time: 2015-05-20 06:11:28

Tags: java spring-security saml-2.0 adfs2.0 spring-saml

I am getting an error while decrypting the SAML token. But this issue is inconsistent after restarting the server. It was working fine until last night :(

DEBUG Decrypter:631 - Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed:
        org.opensaml.xml.encryption.DecryptionException: Probable runtime exception on decryption:unknown parameter type.
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:705)
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
            at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
            at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524)
            at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)
            at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
            at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
            at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
            at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
            at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
            at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
            at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:745)
        Caused by: java.lang.IllegalArgumentException: unknown parameter type.
            at org.bouncycastle.jce.provider.JCERSACipher.engineInit(Unknown Source)
            at javax.crypto.Cipher.implInit(Cipher.java:791)
            at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
            at javax.crypto.Cipher.init(Cipher.java:1348)
            at javax.crypto.Cipher.init(Cipher.java:1282)
            at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
            at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
            ... 41 more
        09:21:51,120 ERROR Decrypter:639 - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
        09:21:51,120 DEBUG Decrypter:787 - Attempt to decrypt EncryptedData using key extracted from EncryptedKey faile

Earlier I was getting an invalid key size error, which I fixed with the help of Spring SAML ADFS: java.security.InvalidKeyException. But I am not sure whether it has any impact with respect to US security policy law.

But this decryption exception has not been resolved and is inconsistent. Sometimes it starts working after restarting the server.

I have tried everything over the last 2-3 days. I think the issue occurs after the metadata refresh, so I tried adding the properties below to the ResourceBackedMetadataProvider bean, but no luck.

<property name="parserPool" ref="parserPool"/>
<property name="minRefreshDelay" value="120000"/>
<property name="maxRefreshDelay" value="300000"/>

Then I debugged the WebSSOProfileConsumerImpl.java code, thinking this issue was related to this JIRA, so I checked out the latest code, built a new jar and added it to my project, but no luck.

1 answer:

Answer 0: (score: 2)

After spending a week debugging and googling, I decided to fix this issue with a little hack.

I checked out the Spring-Saml source code from the master branch of the GitHub repository, built the jar and imported it into my project. I thought this SES-144 issue was similar to mine, so I tried the latest code, but no luck.

So I decided to debug the xmlTooling.jar code and find the exact point of failure, and overrode the following method decryptKey(EncryptedKey encryptedKey, String algorithm) in XMLCipher.java with the code below

    Cipher c = constructCipher(encryptedKey.getEncryptionMethod().getAlgorithm(),
                               encryptedKey.getEncryptionMethod().getDigestAlgorithm());

Instead of calling

    c.init(4, key, oaepParameters);

I used the code below and removed the if/else block

    c.init(4, key); // 4 == Cipher.UNWRAP_MODE; no OAEPParameterSpec is passed

You can check out the custom jar from GitHub.

You need to update the saml dependency with the following lines in your pom.xml file to use this custom jar

<dependency>
    <groupId>org.springframework.security.extensions</groupId>
    <artifactId>spring-security-saml2-core</artifactId>
    <version>1.0.1.RELEASE</version>

    <exclusions>
        <exclusion>
            <artifactId>xmlsec</artifactId>
            <groupId>org.apache.santuario</groupId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <artifactId>xmlsec</artifactId>
    <groupId>org.apache.santuario</groupId>
    <version>1.5.6-custom</version>
</dependency>

If anyone finds a better solution, please let me know.
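The answer's hack replaces c.init(4, key, oaepParameters) with c.init(4, key), where 4 is Cipher.UNWRAP_MODE. The example below is added here and is not code from the question, the answer, xmlsec or Spring SAML; it uses only the JDK's own javax.crypto API with whichever provider the JVM selects (SunJCE by default, not the BouncyCastle provider seen in the stack trace), and the RSA key pair and AES key it generates stand in for the SP's decryption key and the assertion's data key. It shows what dropping the OAEPParameterSpec actually does: the provider falls back to OAEPParameterSpec.DEFAULT (SHA-1 digest, MGF1 with SHA-1, empty label), so the unwrap recovers the key only when the IdP wrapped it with exactly those parameters, and fails when the IdP used a different MGF digest. That is the condition under which the patched jar in the answer keeps working.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;

/**
 * Added example: RSA-OAEP key unwrap with and without an explicit
 * OAEPParameterSpec, mirroring the xmlsec change described in the answer.
 * Cipher.UNWRAP_MODE == 4. Without parameters the provider uses
 * OAEPParameterSpec.DEFAULT (SHA-1, MGF1 with SHA-1, empty label).
 */
public class OaepUnwrapDemo {

    // Matches the OAEP digest an rsa-oaep-mgf1p EncryptedKey uses by default.
    static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";

    /** Wraps the data key with explicit OAEP parameters (the IdP side). */
    static byte[] wrap(KeyPair kp, SecretKey dataKey, OAEPParameterSpec params) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.WRAP_MODE, kp.getPublic(), params);
        return c.wrap(dataKey);
    }

    /** Unwraps with explicit parameters: the original c.init(4, key, oaepParameters). */
    static SecretKey unwrapWithParams(KeyPair kp, byte[] wrapped, OAEPParameterSpec params) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.UNWRAP_MODE, kp.getPrivate(), params);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    /** Unwraps with provider defaults: the answer's hack c.init(4, key). */
    static SecretKey unwrapWithDefaults(KeyPair kp, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.UNWRAP_MODE, kp.getPrivate());
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    /** True when the unwrapped key is byte-for-byte the original data key. */
    static boolean sameKey(SecretKey expected, SecretKey actual) {
        return Arrays.equals(expected.getEncoded(), actual.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sp = kpg.generateKeyPair();        // constructed: stands in for the SP's decryption key
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey dataKey = kg.generateKey();      // constructed: stands in for the assertion's data key

        // Case 1: the wrapping side used SHA-1 / MGF1-SHA1 / empty label. These are the
        // OAEPParameterSpec.DEFAULT values, so the parameterless unwrap also succeeds.
        OAEPParameterSpec sha1 = new OAEPParameterSpec("SHA-1", "MGF1",
                MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);
        byte[] wrappedDefault = wrap(sp, dataKey, sha1);
        System.out.println("default params, explicit unwrap : "
                + sameKey(dataKey, unwrapWithParams(sp, wrappedDefault, sha1)));
        System.out.println("default params, hack unwrap     : "
                + sameKey(dataKey, unwrapWithDefaults(sp, wrappedDefault)));

        // Case 2: the wrapping side used SHA-256 inside MGF1. The explicit unwrap still
        // recovers the key; the parameterless unwrap fails because the defaults no longer
        // match the padding, which is the situation the patched jar cannot handle.
        OAEPParameterSpec mgfSha256 = new OAEPParameterSpec("SHA-1", "MGF1",
                MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
        byte[] wrappedMgf256 = wrap(sp, dataKey, mgfSha256);
        System.out.println("MGF1-SHA256, explicit unwrap    : "
                + sameKey(dataKey, unwrapWithParams(sp, wrappedMgf256, mgfSha256)));
        try {
            unwrapWithDefaults(sp, wrappedMgf256);
            System.out.println("MGF1-SHA256, hack unwrap        : unexpectedly succeeded");
        } catch (Exception e) {
            System.out.println("MGF1-SHA256, hack unwrap        : failed ("
                    + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Run it with java OaepUnwrapDemo.java (JDK 11 or later). The first two lines print true; the third prints true and the fourth reports the failure. The practical check for anyone applying the answer's custom jar is therefore to confirm, in the IdP's EncryptedKey element, that the EncryptionMethod is rsa-oaep-mgf1p with the default SHA-1 DigestMethod and no OAEPparams, since that is the only configuration the parameterless init can decrypt.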