WSO2 SAML Extension Grant

Time: 2016-12-27 12:02:31

Tags: spring-security wso2 wso2is wso2-am spring-saml

I have configured WSO2 API Manager 2.0.0 (port 9443), Identity Server 5.1.0 (port 9444) and a custom Spring application with SAML (port 22222). The application logs in via SAML SSO on the Identity Server and obtains an assertion from the Identity Server.

I want to make requests from my application, via SAML SSO, to an API configured in API Manager. I configured API Manager and Identity Server following this tutorial, but after logging in I get the error:

{"error_description":"Provided Authorization Grant is invalid","error":"invalid_grant"}

I also read this tutorial, but nothing works. My assertion looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="ofmidejjjopkijhmgbdpmmbnooliloalcdfmeiid"
                 IssueInstant="2016-12-27T11:50:56.612Z" Version="2.0"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#ofmidejjjopkijhmgbdpmmbnooliloalcdfmeiid">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@carbon.super</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="a2chdg2i14ii0edi5682815gja848e0"
                                     NotOnOrAfter="2016-12-27T11:55:56.612Z"
                                     Recipient="http://localhost:22222/console/saml/SSO"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2016-12-27T11:50:56.612Z" NotOnOrAfter="2016-12-27T11:55:56.612Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>onGeoConsoleTest2</saml2:Audience>
      <saml2:Audience>http://localhost:22222/console/saml/SSO</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2016-12-27T11:50:56.613Z" SessionIndex="1644a04d-8b72-45b0-8e41-f3d809111355">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Internal/subscriber</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Application/ongeo-auth</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Application/api-store</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Internal/everyone</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Application/api-publisher</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Application/ongeo-console</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Internal/cg_unpublisher</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Application/admin_Testujemy_PRODUCTION</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Internal/cg_publisher</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>

API Manager Identity Provider configuration:

[screenshot: APIM1]

[screenshot: APIM2]

Identity Server Service Provider configuration:

[screenshot: ISSP]

Please help!

Update:

Extended problem (SignatureValue and DigestValue are empty, which may be the problem):

TID: [-1234] [] [2016-12-27 14:24:04,746] ERROR {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler} - Error while validating the signature. {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler}
org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:74)
    at org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler.validateGrant(SAML2BearerGrantHandler.java:458)
    at org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:194)
    at org.wso2.carbon.identity.oauth2.OAuth2Service.issueAccessToken(OAuth2Service.java:219)
    at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.getAccessToken(OAuth2TokenEndpoint.java:246)
    at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:110)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
    at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
    at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
    at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1749)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1708)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.xml.security.signature.XMLSignatureException: Signature length not correct: got 0 but was expecting 128
Original Exception was java.security.SignatureException: Signature length not correct: got 0 but was expecting 128
    at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineVerify(SignatureBaseRSA.java:93)
    at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(SignatureAlgorithm.java:301)
    at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:723)
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:69)
    ... 58 more
Caused by: java.security.SignatureException: Signature length not correct: got 0 but was expecting 128
    at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:190)
    at java.security.Signature$Delegate.engineVerify(Signature.java:1174)
    at java.security.Signature.verify(Signature.java:624)
    at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineVerify(SignatureBaseRSA.java:91)
    ... 61 more
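A pre-flight check for an assertion before it is posted to the token endpoint, added here as an example (not code from the question, from WSO2 or from OpenSAML). It flags the condition behind the stack trace above: an empty SignatureValue decodes to 0 bytes, while an RSA signature must be exactly the modulus size, 128 bytes for the 1024-bit key in the embedded certificate. The other checks (bearer confirmation, validity window, audience) are assumed to mirror what a SAML2 bearer grant handler validates; the sample assertion is constructed from the one in the question.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def _ts(value):
    """Parse a SAML UTC timestamp such as 2016-12-27T11:55:56.612Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def preflight(assertion_xml, now, expected_audience):
    """Return the reasons a SAML2 bearer token request built from this assertion
    would be rejected, without needing the IdP key for any of them."""
    root = ET.fromstring(assertion_xml)
    problems = []
    # 1. Signature and digest must be non-empty. An empty SignatureValue is exactly
    #    what yields "Signature length not correct: got 0 but was expecting 128".
    sig = root.find("ds:Signature/ds:SignatureValue", NS)
    dig = root.find("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestValue", NS)
    for name, node in (("SignatureValue", sig), ("DigestValue", dig)):
        raw = base64.b64decode((node.text or "").strip()) if node is not None else b""
        if not raw:
            problems.append(f"{name} is empty")
    # 2. The bearer grant requires bearer subject confirmation.
    sc = root.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        problems.append("SubjectConfirmation Method is not bearer")
    # 3. Validity window: NotBefore <= now < NotOnOrAfter (five minutes in the question).
    cond = root.find("saml2:Conditions", NS)
    if cond is not None:
        if now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    # 4. The audience the token endpoint expects must be listed explicitly.
    audiences = [a.text for a in root.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"expected audience {expected_audience!r} not in {audiences}")
    return problems

# Constructed sample, trimmed from the assertion in the question; signature left empty.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0" IssueInstant="2016-12-27T11:50:56.612Z">
  <saml2:Issuer>localhost</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_1"><ds:DigestValue/></ds:Reference></ds:SignedInfo><ds:SignatureValue/></ds:Signature>
  <saml2:Subject><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject>
  <saml2:Conditions NotBefore="2016-12-27T11:50:56.612Z" NotOnOrAfter="2016-12-27T11:55:56.612Z">
    <saml2:AudienceRestriction><saml2:Audience>onGeoConsoleTest2</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

if __name__ == "__main__":
    for p in preflight(SAMPLE, _ts("2016-12-27T11:52:00.000Z"), "onGeoConsoleTest2"):
        print("FAIL:", p)
```

Run it against the real assertion saved from the SP before posting it to the token endpoint; if the first two checks fail, the problem is on the issuing side (the IdP never signed the assertion), not in the API Manager or Identity Server trust configuration.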

0 answers:

No answers