Spring SAML signature validation problem

Time: 2015-08-11 16:25:44

Tags: java spring spring-security saml xml-signature

I'm trying to use the Spring SAML sample application to connect to a Shibboleth IdP, but I'm running into a signature validation problem that I can't solve.

When the sample application receives the response from the IdP, the following exception is thrown:

Caused by: org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:138)
at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80)

The log contains:
- Creating XMLSignature object
- Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
- Signature validated with key from supplied credential
- Signature validation using candidate credential was successful
- Successfully verified signature using KeyInfo-derived credential
- Attempting to establish trust of KeyInfo-derived credential
- Failed to establish trust of KeyInfo-derived credential

So it looks like the signature is validating, but the key is not trusted. What I can't figure out is how to establish "trust".

I set up the sample application as follows:

  1. Copied the IdP metadata into the sample app and loaded it by adding this to securityContext.xml

    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>
                <!-- Example of classpath metadata with Extended Metadata -->
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                            <constructor-arg>
                                <bean class="java.util.Timer"/>
                            </constructor-arg>
                            <constructor-arg>
                                <bean class="org.opensaml.util.resource.ClasspathResource">
                                    <constructor-arg value="/metadata/twoss-metadata.xml"/>
                                </bean>
                            </constructor-arg>
                            <property name="parserPool" ref="parserPool"/>
                        </bean>
                    </constructor-arg>
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                            <property name="signingKey" value="shib-signing"/>
                            <!-- keystore aliases used as trust anchors by the PKIX security profile -->
                            <property name="trustedKeys" value="shib-signing"/>
                        </bean>
                    </constructor-arg>
                    <!-- false: the signature on the metadata file itself is not verified -->
                    <property name="metadataTrustCheck" value="false"/>
                </bean>
            </list>
        </constructor-arg>
    </bean>
    

  2. Configured the SP metadata like this

    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="entityId" value="urn:test:dan:vancouver"/>
                <property name="extendedMetadata">
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="signMetadata" value="false"/>
                        <property name="idpDiscoveryEnabled" value="true"/>
                    </bean>
                </property>
            </bean>
        </constructor-arg>
    </bean>
    

  3. Finally, I added the signing certificate generated during the Shibboleth installation to the sample application's keystore

    keytool -importcert -alias shib-signing -file idp-signing.crt -keystore samlKeystore.jks
    

    So, the question is, what do I need to do to establish trust?

  4. Note that both the sample application and Shibboleth are in a development environment and are not signed or encrypted with CA-signed certificates.
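The log above shows the two halves of the check that OpenSAML runs on a protocol message: the signature is first verified with the credential carried in the message's own ds:KeyInfo ("Signature validated with key from supplied credential"), and only afterwards that credential is tested for trust. In Spring SAML's default MetaIOP security profile, trust is established against the IdP's metadata: the signing key must appear in a KeyDescriptor (use="signing", or no use attribute) of the IdP entity loaded into the metadata manager. Importing the certificate into the SP keystore, or listing it in trustedKeys, only feeds the PKIX profile. The script below is an added diagnostic, not code from the question or from Spring SAML: it extracts the X509Certificate from a Response's signature and compares its SHA-256 fingerprint with the signing certificates published in the IdP metadata. The metadata, the Response and the base64 "certificates" are constructed placeholders (real DER blobs would be about 1 KB); the entity ID https://idp.example.org/idp/shibboleth is assumed. A fingerprint match is stricter than the key comparison OpenSAML performs (same certificate rather than same public key), so a mismatch here is a strong sign that the metadata file the SP loads does not carry the certificate that actually signed the response, for example because a hand-assembled metadata file carries the encryption certificate where the signing one belongs.

```python
"""Check whether the certificate in a SAML Response's ds:KeyInfo is one of the
signing certificates published in the IdP metadata loaded by the SP.

Added diagnostic example; the XML documents and certificates below are
constructed placeholders, not real Shibboleth or Spring SAML output.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"   # assumed entity ID

# Placeholder "DER" certificates (assumption: stand-ins for real X.509 blobs).
SIGNING_CERT = base64.b64encode(b"SIGNING-CERT").decode()
ENCRYPTION_CERT = base64.b64encode(b"ENCRYPTION-CERT").decode()
ROGUE_CERT = base64.b64encode(b"ROGUE-CERT").decode()

# Constructed IdP metadata with separate signing and encryption KeyDescriptors,
# the shape a Shibboleth IdP install produces.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SIGNING_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {ENCRYPTION_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_response(cert_b64):
    """Constructed minimal SAML Response with an enveloped signature. Only the
    KeyInfo matters for the trust step; SignatureValue is a placeholder."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {cert_b64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def cert_fingerprint(b64_text):
    """SHA-256 over the DER bytes, the value `openssl x509 -noout -sha256
    -fingerprint` prints (without the colons); whitespace in the PEM body is ignored."""
    der = base64.b64decode(re.sub(r"\s+", "", b64_text))
    return hashlib.sha256(der).hexdigest()


def trusted_signing_fingerprints(metadata_xml, entity_id):
    """Fingerprints of every certificate the named IdP entity publishes for
    signing. A KeyDescriptor without a 'use' attribute is valid for both
    signing and encryption; use="encryption" is deliberately excluded."""
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        entities = [root]
    else:  # an EntitiesDescriptor wrapping several entities
        entities = list(root.iterfind(".//md:EntityDescriptor", NS))
    trusted = set()
    for ent in entities:
        if ent.get("entityID") != entity_id:
            continue
        for kd in ent.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                trusted.add(cert_fingerprint(cert.text))
    return trusted


def presented_fingerprints(response_xml):
    """Fingerprints of the certificates carried in the KeyInfo of every
    Signature in the message (Response level and, if present, Assertion level)."""
    root = ET.fromstring(response_xml)
    return [cert_fingerprint(cert.text)
            for sig in root.iterfind(".//ds:Signature", NS)
            for cert in sig.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]


def check_trust(metadata_xml, entity_id, response_xml):
    """Map each presented certificate fingerprint to whether the IdP metadata
    lists it as a signing certificate, i.e. whether MetaIOP trust would hold."""
    trusted = trusted_signing_fingerprints(metadata_xml, entity_id)
    return {fp: fp in trusted for fp in presented_fingerprints(response_xml)}


if __name__ == "__main__":
    for label, cert in (("signing cert from metadata", SIGNING_CERT),
                        ("encryption cert from metadata", ENCRYPTION_CERT),
                        ("unknown cert", ROGUE_CERT)):
        for fp, ok in check_trust(IDP_METADATA, IDP_ENTITY_ID, make_response(cert)).items():
            print(f"{label}: {fp[:16]}... trusted={ok}")
```

To run it against a real setup, replace IDP_METADATA with the contents of the metadata file the SP loads (here /metadata/twoss-metadata.xml), IDP_ENTITY_ID with the IdP's entityID, and make_response(...) with a Response captured from the browser (base64-decode the SAMLResponse form field first). Because the fingerprint is the same one `openssl x509 -noout -sha256 -fingerprint -in idp-signing.crt` prints, it also tells you whether the certificate imported into samlKeystore.jks is the one the IdP is actually signing with.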

0 answers:

No answers