我试图将spring-securtiy-saml集成作为带有adfs系统的SP实现,并且在我成功进行身份验证后从ADFS发回SAMLResponnse并且以下异常时,我发现这个异常现象了几天抛出。这是DEBUG日志:
2017-10-02 18:05:09,246 - DEBUG [http-apr-443-exec-9] BaseMessageEncoder - Successfully encoded message.
2017-10-02 18:05:09,246 - INFO [http-apr-443-exec-9] SAMLDefaultLogger - AuthNRequest;SUCCESS;208.95.100.30;saml2.glassboxdigital.com;http://this/is/a/valid/url;;;
2017-10-02 18:05:09,859 - DEBUG [http-apr-443-exec-3] SAMLProcessingFilter - Request is to process authentication
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] SAMLProcessingFilter - Attempting SAML2 authentication using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Searching for entity descriptor with an entity ID of saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document did not contain a descriptor for entity saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: saml2.glassboxdigital.com
2017-10-02 18:05:09,860 - DEBUG [http-apr-443-exec-3] AbstractMetadataProvider - Searching for entity descriptor with an entity ID of saml2.glassboxdigital.com
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
2017-10-02 18:05:09,861 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
2017-10-02 18:05:09,862 - DEBUG [http-apr-443-exec-3] StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
2017-10-02 18:05:09,863 - DEBUG [http-apr-443-exec-3] SAMLProcessorImpl - Retrieving message using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
2017-10-02 18:05:09,864 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
2017-10-02 18:05:09,865 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Decoded SAML relay state of: https://console-ex-saml.glassboxcloud.com/webinterface/webui/
2017-10-02 18:05:09,865 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Getting Base64 encoded message from request
2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Parsing message stream into DOM document
2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Unmarshalling message DOM
2017-10-02 18:05:09,866 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Starting to unmarshall Apache XML-Security-based SignatureImpl element
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Constructing Apache XMLSignature object
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Adding canonicalization and signing algorithms, and HMAC output length to Signature
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] SignatureUnmarshaller - Adding KeyInfo to Signature
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Message succesfully unmarshalled
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] HTTPPostDecoder - Decoded SAML message
2017-10-02 18:05:09,867 - DEBUG [http-apr-443-exec-3] BaseSAML2MessageDecoder - Extracting ID, issuer and issue instant from status response
2017-10-02 18:05:09,872 - DEBUG [http-apr-443-exec-3] PROTOCOL_MESSAGE -
<?xml version="1.0" encoding="UTF-8"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO" ID="_f33a822d-ca9c-4f55-92fd-325454f92f66" InResponseTo="a2g8hci4d0e1aa891bcj1d03ci51c29" IssueInstant="2017-10-02T18:05:12.972Z" Version="2.0">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">valid.issuer</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_f33a822d-ca9c-4f55-92fd-325454f92f66">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>XC9VCfj8MgDg/c5PaT/KPIWoAHn67SI2gHU937SILbc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>wfvDzv0cONrCjWi7k02oyISk16ABYY8UdG2CuP8Dg4jHcWL64Lp5lO3wvmNkcNX87tXN41ndqIIHupuKkqcLvqQs07fprxrIhkmDrScEkJObWD1pkNahUp24ERlOGt+fDWMcfWNpERpgHGU2O/FlH7kRUsj+LCxD3o1FQAHhXJeBVA1lbI6B+dOfyT2zLgpmS1jkaKLX/AKsc/56dvzDIUP5ElF5eMQdwuNmapmvCynSDSalP/v1KVn9pf12ShjiQh/oku4CtAXSgnjFbrg752EtGoaT80foIkooMjJQMSjC/CjHIGAMVEuTJraXUVdvgKPao5rC85OkFdOOoDYtOg==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIFFzCCA/+gAwIBAgIETCPgRjANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xNDA4MTIxODE5MTJaFw0xODEwMTMwMjI0MTlaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMREwDwYDVQQHEwhCZWxsZXZ1ZTEWMBQGA1UEChMNRXhwZWRpYSwgSW5jLjEYMBYGA1UEAxMPc3NvLmV4cGVkaWEuYml6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz2nGjBS3eZkuPHyjIFsMT8Ex19ywmOUXxDI051/ZVFcCmbNFlKJrfbhxO0PpX1mOv3REC0SC22bwdQGDH35JVSmPq7NR52S0Q/RwVDUb9mXs86d6q/BACm5KfHavsXXbMKrCQSQzHBeMoMS6cQIvUgtmvfjnpJ6tYp+OF2MK6sa568cy34C3m63O66Kt/tFOZwGg8qmJCXdEpCtHR3TEiqmtoHc/A4XbhSg9BR/6+Z8kZb8T7AeKh69BPy5U7SuaW0ifOpS4TigONkqn3vPQkxjtosYL3X0/+WBaHDbA642H4wMBa9cWrMBp6u9u2NBulK82HVrdJB6iC8rZLsD7twIDAQABo4IBfjCCAXowCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L2xldmVsMWMuY3JsMGQGCCsGAQUFBwEBBFgwVjAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwLwYIKwYBBQUHMAKGI2h0dHA6Ly9haWEuZW50cnVzdC5uZXQvMjA0OC1sMWMuY2VyMEoGA1UdIARDMEEwNQYJKoZIhvZ9B0sCMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAECAjAaBgNVHREEEzARgg9zc28uZXhwZWRpYS5iaXowHwYDVR0jBBgwFoAUHvGriQb4SQ8BM3fuFHruGXyTKE0wHQYDVR0OBBYEFDsc7/1fpNaaFgJ1jKZfWmBD9WJ4MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEFBQADggEBAH97BdZzQIHGzyONbs1uLw71HJhWp3PtubbJ4aBRtmfopgJV/X/u4MfkKO8MokDY/oqN+PQLc0NwT6hfSWiclpOjWSW3u35IFQZTU+stT41/T41gvRHmnfCL3QuB+qNeQdWiDtWKAsJUUlx1Qn90BC23fbyiJptbppP3MDLbbf09grfifW0tJ4ThYOv4JkC/W3rtCiu6XryUWtFtz+RtwWtlSL5dxJnEE7VDvUcOSC+6dywb4dO/bSfYA1/gdbWXImsU+4124eC4DztWChDIMqCVqQObkNYdb9MsRr7itC+ezXVorKXzWhwG2FlNV8TjcCRgTKgdVFyw9+KMPXzFX+Q=</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
</samlp:Status>
</samlp:Response>
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSAMLSimpleSignatureSecurityPolicyRule - HTTP request was not signed via simple signature mechanism, skipping
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLSignatureProfileValidator - Saw Enveloped signature transform
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLSignatureProfileValidator - Saw Exclusive C14N signature transform
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Attempting to verify signature on signed SAML protocol message using context issuer message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Forcing on-demand metadata provider refresh if necessary
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Attempting to retrieve credentials from cache using index: [blabla,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] MetadataCredentialResolver - Retrieved credentials from cache using index: [blabla,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Attempting to verify signature and establish trust using KeyInfo-derived credentials
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Found 0 key names: []
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2017-10-02 18:05:09,873 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Attempting to extract credential from an X509Data
2017-10-02 18:05:09,874 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Found 1 X509Certificates
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Found 0 X509CRLs
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] InlineX509DataProvider - Single certificate was present, treating as end-entity certificate
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BasicProviderKeyInfoCredentialResolver - A total of 1 credentials were resolved
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] EvaluableCredentialCriteriaRegistry - Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Attempting to validate signature using key from supplied credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Creating XMLSignature object
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SignatureValidator - Signature validated with key from supplied credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Signature validation using candidate credential was successful
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] ExplicitKeyTrustEvaluator - Successfully validated untrusted credential against trusted key
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSignatureTrustEngine - Successfully established trust of KeyInfo-derived credential
2017-10-02 18:05:09,875 - INFO [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] SAMLProtocolMessageXMLSignatureSecurityPolicyRule - Authentication via protocol message signature succeeded for context issuer entity ID blabla
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseMessageDecoder - Successfully decoded message.
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Checking SAML message intended destination endpoint against receiver endpoint
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Intended message destination endpoint: https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - Actual message receiver endpoint: https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO
2017-10-02 18:05:09,875 - DEBUG [http-apr-443-exec-3] BaseSAMLMessageDecoder - SAML message intended destination endpoint matched recipient endpoint
2017-10-02 18:05:09,876 - DEBUG [http-apr-443-exec-3] SAMLUtil - Found endpoint org.opensaml.saml2.metadata.impl.AssertionConsumerServiceImpl@41fbfcbf for request URL https://console-ex-saml.glassboxcloud.com/webinterface/saml/SSO based on location attribute in metadata
2017-10-02 18:05:09,876 - DEBUG [http-apr-443-exec-3] SAMLAuthenticationProvider - Error validating SAML message
org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.clarisite.container.web.WebExceptionHandler.doFilter(WebExceptionHandler.java:33)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2521)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2510)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
2017-10-02 18:05:09,876 - INFO [http-apr-443-exec-3] SAMLDefaultLogger - AuthNResponse;FAILURE;208.95.100.30;saml2.glassboxdigital.com;blabla;;;org.opensaml.common.SAMLException: Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is null
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:113)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.clarisite.container.web.WebExceptionHandler.doFilter(WebExceptionHandler.java:33)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2521)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2510)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
我一直在讨论SO中的一些问题:
以及更多,他们似乎都认为这个问题是密钥库中过时密钥的问题或者邮件签名的问题。最初我认为问题出在消息的签名上(adfs期望RSA-SHA256和open saml的默认值是RSA-SHA1)。但我已经修好了,如下所示:
SignatureValidator - Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
keystore dosent似乎也是一个问题,因为idp证书在从idp导入的元数据中是硬编码的。
问题似乎源自WebSSOProfileConsumerImpl.java的第113行,如果statusCode值等于urn:oasis:names:tc:SAML:2.0:status:Success
,则processAuthenticationResponse方法在第107行检查,但是在我们从idp收到的repsone中,状态代码等于{{ 1}}
我想知道在SAMLRequest或其他方面我们这边有问题,
或者如果这是adfs方面的问题。
任何想法为什么会发生这种情况?
答案 0 :(得分:2)
我猜这个问题与签名算法有关。 Spring SAML默认使用SHA-1,ADFS需要SHA-256。两者之间的不匹配表现在你所经历的方式中。
您可以通过查看ADFS的事件日志来验证此假设,或找到此行为的其他原因。
答案 1 :(得分:0)
我们遇到了同样的问题,问题是需要SHA-1的Spring和需要SHA-256的ADFS之间不匹配。但是,我们的客户希望我们将Spring Security SAML升级为使用SHA-256,而不是将ADFS降级为使用SHA-1。
下面显示了如何将Spring Security升级到SHA-256。