如何在Spring Security SAML中禁用idp发现

时间:2015-10-09 13:19:03

标签: spring-security saml-2.0 spring-saml

我正在设置 Spring Security SAML 框架,目前正在尝试集成示例 Web 应用程序(http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#sample-app)。但是,我想跳过选择身份提供程序(IdP)的初始页面,直接使用某个特定的 IdP:该机制应该直接进入该 IdP 的登录页面。

以下是我对securityContext.xml所做的更改:

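<!-- Filter that can generate SP metadata at runtime.
     NOTE(review): the "metadata" bean below registers a hosted SP (local="true",
     alias "test:alias") from classpath sp.xml, so this generator is presumably not
     the source of the SP metadata actually served; kept for parity with the sample app.
     includeDiscoveryExtension was "true" in the original, which contradicts the goal of
     skipping IdP discovery and the idpDiscoveryEnabled="false" flag on the hosted SP;
     set to "false" so any generated metadata agrees with that configuration. -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
      <property name="includeDiscoveryExtension" value="false"/>
    </bean>
  </constructor-arg>
</bean>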

....

<!-- Metadata manager holding two entities: one remote IdP loaded from classpath
     security/idp.xml and one hosted SP (local="true", alias "test:alias") loaded from
     classpath /metadata/sp.xml. defaultIDP names the IdP to use when no discovery
     takes place; its value must match the entityID declared inside idp.xml exactly. -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
  <property name="defaultIDP" value="https://my.idp.com/simplesaml/saml2/idp/metadata.php"/>
  <constructor-arg>
    <list>
      <!-- Remote IdP. NOTE(review): metadataTrustCheck="false" appears to skip
           signature/trust verification of the loaded IdP metadata. That is tolerable
           only because the file is bundled on the classpath; if this is ever changed to
           an HTTP metadata provider, re-enable the trust check and configure trust
           anchors, otherwise a tampered metadata document could swap the IdP's
           signing certificate. -->
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <property name="metadataTrustCheck" value="false"/>
        <constructor-arg>
          <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
              <value type="java.io.File">classpath:security/idp.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
          </bean>
        </constructor-arg>
        <constructor-arg>
          <!-- No extended settings for the IdP; library defaults apply. -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            </bean>
        </constructor-arg>
      </bean>

      <!-- Hosted SP. The Timer is presumably used by the provider for periodic
           refresh of the classpath resource; metadataTrustCheck is irrelevant for
           our own metadata but is left as in the original. -->
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <property name="metadataTrustCheck" value="false"/>
        <constructor-arg>
          <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
            <constructor-arg>
              <bean class="java.util.Timer"/>
            </constructor-arg>
            <constructor-arg>
              <bean class="org.opensaml.util.resource.ClasspathResource">
                <constructor-arg value="/metadata/sp.xml"/>
              </bean>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
          </bean>
        </constructor-arg>
        <constructor-arg>
          <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <!-- local="true" marks this entity as the SP this application hosts;
                 alias is the path segment used in the /saml/... endpoint URLs. -->
            <property name="local" value="true"/>
            <property name="alias" value="test:alias"/>
            <property name="securityProfile" value="metaiop"/>
            <property name="sslSecurityProfile" value="pkix"/>
            <property name="sslHostnameVerification" value="default"/>
            <!-- NOTE(review): "apollo" is the key alias shipped with the sample app's
                 demo keystore. Replace it with a key generated for this deployment
                 before exposing the SP publicly; the private key of the sample keystore
                 is public. -->
            <property name="signMetadata" value="false"/>
            <property name="signingKey" value="apollo"/>
            <property name="encryptionKey" value="apollo"/>
            <!-- NOTE(review): with these three set to "false" the SP accepts unsigned
                 artifact-resolve, LogoutRequest and LogoutResponse messages. Unsigned
                 logout messages let anyone who can reach the SLO endpoint terminate a
                 user's session (logout CSRF); set them to "true" once the IdP signs
                 its logout traffic. -->
            <property name="requireArtifactResolveSigned" value="false"/>
            <property name="requireLogoutRequestSigned" value="false"/>
            <property name="requireLogoutResponseSigned" value="false"/>
            <!-- Discovery is turned off here, so the entry point should go straight
                 to defaultIDP (the behaviour the question asks for). The two discovery
                 URLs below are therefore presumably unused until the flag is flipped.
                 NOTE(review): both URLs are plain http:// on a public host; SAML
                 endpoints carry assertions and session cookies and should be https.
                 NOTE(review): the "InResponseToField ... doesn't correspond to sent
                 message" failure reported in the question is consistent with the SAML
                 Response arriving in a different HTTP session than the one that issued
                 the AuthnRequest (e.g. the app was first reached via a host name that
                 differs from the host in the AssertionConsumerService URL of sp.xml, so
                 the session cookie is not sent back). With discovery enabled the user is
                 bounced through my.public.ip first, which would explain why that path
                 works. Check that the browser reaches the SP on the same host as the ACS
                 URL before considering weaker options such as disabling the
                 InResponseTo check. -->
            <property name="idpDiscoveryEnabled" value="false"/>
            <property name="idpDiscoveryURL" value="http://my.public.ip/webapp/saml/discovery/alias/test:alias"/>
            <property name="idpDiscoveryResponseURL" value="http://my.public.ip/webapp/saml/login/alias/test:alias?disco=true"/>
          </bean>
        </constructor-arg>
      </bean>
    </list>
  </constructor-arg>
</bean>

使用此设置,它会直接进入 IdP 登录页面(符合预期),但是登录之后我并没有被重定向到我的 webapp 的根目录。相反,我被重定向到 http://my.public.ip/webapp/saml/SSO/alias/test:alias(SP 处理 SAML Response 的端点)并出现以下错误:

org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:95)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:409)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1044)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a4ea0ib7c3af3ia140cib5fb6cei156
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:139)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
    ... 31 more

如果我将 idpDiscoveryEnabled 属性改为 true,就会看到 IdP 选择页面(在我的情况下只有一个 IdP),必须点击"Start Single Sign-on"按钮之后才会进入 IdP 登录页面。登录后,我会被正确地转发到我的 webapp 的根目录。

这与我的配置中的错误有关吗?任何提示都将不胜感激。

谢谢!
