Configure Spring Security SAML to use SHA-256 as secure hash algorithm

时间:2015-07-28 15:39:08

标签: spring-security spring-saml

I'm working on an integration between Spring SAML and Microsoft ADFS 3.0. Even it is already stated in the documentation of Spring SAML as:

Open the provider by double-clicking it, select tab Advanced and change "Secure hash algorithm" to SHA-1

that I understand that Spring SAML supports currently only SHA-1 as hash algorithm, but my requirement is using SHA-256. If I try configure only in ADFS for SHA-256, it doesn't work. I suppose that I have to do something with Spring SAML. Do you have any idea how to do so?

2 个答案:

答案 0 :(得分:5)

您应该将Spring安全配置配置为使用SHA-256签名算法。

您可以覆盖SAMLBootstrap或配置initializing bean,如下所示:

Spring配置

<bean id="samlProperties" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="location" value="classpath:saml.properties" />
</bean>
<bean class="your.package.SAMLConfigurationBean">
    <property name="signatureAlgorithm" value="${saml.signatureAlgorithm:SHA1}" />
</bean>

属性文件(saml.properties)

saml.signatureAlgorithm=SHA256

初始化bean 

package your.package;

import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.factory.InitializingBean;

public class SAMLConfigurationBean implements InitializingBean {

    private String signatureAlgorithm ;
    private String digestAlgorithm;

    public void setSignatureAlgorithm(String algorithm) {
        switch (algorithm) {
            case "SHA256" :
                signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
                digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA256;
                break;
            case "SHA512" :
                signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512;
                digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA512;
                break;
            default:
                signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
                digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA1;
        }
    }

    @Override
    public void afterPropertiesSet() throws Exception {
        BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
        config.registerSignatureAlgorithmURI("RSA", signatureAlgorithm);
        config.setSignatureReferenceDigestMethod(digestAlgorithm);
    }
}

你也可以跳过可配置部分,然后解决这个问题:

初始化bean 

package your.package;

import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.factory.InitializingBean;

public class SAMLConfigurationBean implements InitializingBean {

    @Override
    public void afterPropertiesSet() throws Exception {
        BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
        config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
    }
}

答案 1 :(得分:1)

我建议参考这个GitHub示例项目:https://github.com/choonchernlim/spring-security-adfs-saml2

提供ADFS专用配置信息,并详细说明如何启用SHA-256签名。

相关问题
最新问题