Spring SAML: 'MetadataKeyInfoGenerator' does not exist

Time: 2018-02-03 00:41:31

Tags: spring-security spring-saml

I recently ran into a problem using Spring SAML 2.0 in a Java project. The "problem" looks very "simple". I have also tried to consult the documentation and follow the hints in the articles, but it still does not work.

The network environment my program runs in is very complex, because it is a company's commercial system. The Java application is therefore deployed behind an F5 load balancer. I have already taken care to set the "contextProvider" class to "SAMLContextProviderLB", but the problem should not be there.

I looked at: Error on implementing spring-saml-security with WSO2

I have already set lazy-init = false, but it still does not work.

I also checked: SAML authentication is failing with 'MetadataKeyInfoGenerator' does not exist after enabling AXIS2 #200

Although I also suspect that Axis2.0 is the problem, I really have no evidence to prove it.

I have two machines, each with a Java application deployed, and both Java applications have the Spring SAML function enabled. Of course I have generated a correctly configured keystore (but I used the same keystore for both applications, because my configuration is exactly the same). After I stopped and then started both machines, I could access samlLogin on both. Then, after I had gone to sleep, I found that a customer complained that the IdP selection page showed a 500 error, and when I looked I found:

java.lang.IllegalArgumentException: Manager with name 'MetadataKeyInfoGenerator' does not exist
org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager.getFactory(NamedKeyInfoGeneratorManager.java:156)
org.opensaml.xml.security.SecurityHelper.getKeyInfoGenerator(SecurityHelper.java:1049)
org.springframework.security.saml.metadata.MetadataGenerator.generateKeyInfoForCredential(MetadataGenerator.java:255)
org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo(MetadataGenerator.java:211)
org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:329)
org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189)
org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitialization(MetadataGeneratorFilter.java:127)
org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)

I know the problem seems to be that DefaultBootstrap has not been started, and I don't know when Spring starts it. I traced the source code and found that it is because of this:

// excerpt from org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager
public class NamedKeyInfoGeneratorManager
{
  private Map<String, KeyInfoGeneratorManager> managers;  // the map that should contain 'MetadataKeyInfoGenerator'
  // ... rest of the class omitted
}

There is nothing inside managers. I am wondering why managers cannot find 'MetadataKeyInfoGenerator'.

Please help me.

My Java project's web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
  <display-name>SSO</display-name>
  <!-- divider | enable this configuration when SAML mode is on | start -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/securityContext.xml
    </param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/saml/*</url-pattern>
    <url-pattern>/samlLogin</url-pattern>
  </filter-mapping>
  <!-- divider | enable this configuration when SAML mode is on | end -->
  ......
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/servlet/AxisServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>LoggingConfigure</servlet-name>
    <servlet-class>com.ztesoft.zsmart.web.util.Log4jConfigServlet</servlet-class>
    <init-param>
      <param-name>log4jExposeWebAppRoot</param-name>
      <param-value>CVBS_WEBAPP_REALPATH</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet> 
  <servlet>
    <servlet-name>MVCServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/web-application-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>MVCServlet</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MVCServlet</servlet-name>
    <url-pattern>/oauth/2.0/authorize/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MVCServlet</servlet-name>
    <url-pattern>/oauth/2.0/token/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MVCServlet</servlet-name>
    <url-pattern>/oauth/2.0/token/validate/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MVCServlet</servlet-name>
    <url-pattern>/oauth/2.0/user/getInfo/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <display-name>WebInitServlet</display-name>
    <servlet-name>WebInitServlet</servlet-name>
    <servlet-class>com.ztesoft.zsmart.sso.web.servlet.WebInitServlet</servlet-class>
    <init-param>
      <param-name>DEFAULT_LANGUAGE</param-name>
      <param-value>en-US</param-value>
    </init-param>
    <init-param>
      <param-name>LOCAL_CHARSET</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
      <param-name>DEFAULT_CHARSET</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
      <param-name>REQUEST_ENCODE</param-name>
      <param-value>ISO-8859-1</param-value>
    </init-param>
    <load-on-startup>100</load-on-startup>
  </servlet>

  <!-- enable when the SAML feature is turned on -->
  <servlet>
    <servlet-name>samlLoginServlet</servlet-name>
    <servlet-class>
      com.ztesoft.zsmart.sso.web.servlet.SamlLoginServlet
    </servlet-class>
    <init-param>
      <param-name>serviceUrl</param-name>
      <param-value>/saml/logout</param-value>
    </init-param>
    <init-param>
      <param-name>path</param-name>
      <param-value>/</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>samlLoginServlet</servlet-name>
    <url-pattern>/samlLogin</url-pattern>
  </servlet-mapping>


  <servlet>
    <description>Common Servlet for Download</description>
    <display-name>Common Servlet for Download</display-name>
    <servlet-name>DownloadServlet</servlet-name>
    <servlet-class>com.ztesoft.zsmart.web.servlet.DownloadServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DownloadServlet</servlet-name>
    <url-pattern>/DownloadServlet.do</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
  <welcome-file-list>
    <welcome-file>LoginIndex.do</welcome-file>
  </welcome-file-list>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>trimSpaces</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <error-page>
    <error-code>404</error-code>
    <location>/Error.do?SSO_ERROR_CODE=S-SSO-10044</location>
  </error-page>
  <servlet>
    <description></description>
    <display-name>OauthAppAPI</display-name>
    <servlet-name>OauthAppAPI</servlet-name>
    <servlet-class>com.ztesoft.zsmart.sso.oauth.v2.as.api.OauthAppAPI</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>OauthAppAPI</servlet-name>
    <url-pattern>/OauthAppAPI</url-pattern>
  </servlet-mapping>
</web-app>

My securityContext.xml

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <!-- Enable auto-wiring -->
    <context:annotation-config/>

    <!-- Scan for auto-wiring classes in spring saml packages -->
    <context:component-scan base-package="org.springframework.security.saml"/>

    <!-- Resources that are not intercepted -->
    <security:http security="none" pattern="/webportal/**"/>
    <security:http security="none" pattern="/webtechfrm/**"/>
    <security:http security="none" pattern="/sso/**"/>
    <security:http security="none" pattern="/oauth/**"/>
    <security:http security="none" pattern="/*.do"/>
    <security:http security="none" pattern="/*/*/*.do"/>
    <security:http security="none" pattern="/*/*/*/*.do"/>
    <security:http security="none" pattern="/Login.jsp*"/>
    <security:http security="none" pattern="/metadata/**"/>
    <security:http security="none" pattern="/services/**"/>

    <!-- Secured configuration node -->
    <security:http entry-point-ref="samlEntryPoint" use-expressions="false">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>

    <!-- SAML processing filter chain -->
    <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map request-matcher="ant">
            <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
            <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
            <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
            <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
            <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
            <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
            <security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
        </security:filter-chain-map>
    </bean>

    <!-- Handler deciding where to redirect user after successful login -->
    <bean id="successRedirectHandler"
          class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/samlLogin"/>
    </bean>

    <!-- Handler deciding where to redirect user after failed login -->
    <bean id="failureRedirectHandler"
          class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="useForward" value="true"/>
        <property name="defaultFailureUrl" value="/Error.do?SSO_ERROR_CODE=P_ADFS_LOGINERROR"/>
    </bean>

    <!-- Handler for successful logout -->
    <bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
        <!--<property name="defaultTargetUrl" value="/LoginIndex.do"/>-->
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <!-- Register authentication manager for SAML provider -->
        <security:authentication-provider ref="samlAuthenticationProvider"/>
    </security:authentication-manager>

    <!-- Logger for SAML messages and events -->
    <bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>

    <!-- SSL certificate configuration; must be set up before deployment -->
    <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
        <constructor-arg value="/WEB-INF/tomcat/tomcat-ssl.keystore"/>
        <constructor-arg type="java.lang.String" value="ztesoft"/>
        <constructor-arg>
            <map>
                <entry key="tomcat7" value="ztesoft"/>
            </map>
        </constructor-arg>
        <constructor-arg type="java.lang.String" value="tomcat7"/>
    </bean>

    <!-- Entry point to initialize authentication, default values taken from properties file -->
    <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
        <property name="defaultProfileOptions">
            <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                <property name="includeScoping" value="false"/>
                <!--  
                <property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
                -->
            </bean>
        </property>
    </bean>

    <!-- IDP Discovery Service -->
    <bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
        <property name="idpSelectionPath" value="/idpSelection.jsp"/>
    </bean>

    <!-- This filter expects to be called on the configured URL and presents the user with SAML2 metadata representing this application deployment. -->
    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="extendedMetadata">
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="signMetadata" value="false"/>
            <property name="idpDiscoveryEnabled" value="true"/>
                    </bean>
        </property>
            <property name="entityBaseURL" value="https://webportalapp.bes.post.lu:8440/sso"/>
            </bean>
        </constructor-arg>
    </bean>

    <!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
    <bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>

    <!-- IdP metadata configuration; several providers can be configured -->
    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>
                <!-- ADFS -->
                 <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                            <constructor-arg>
                                <bean class="java.util.Timer"/>
                            </constructor-arg>
                            <constructor-arg>
                                <bean class="org.opensaml.util.resource.FilesystemResource">
                                    <constructor-arg value="/sso/cer/post/federationmetadata.xml"/>
                                </bean>
                            </constructor-arg>
                            <property name="parserPool" ref="parserPool"/>
                        </bean>
                    </constructor-arg>
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        </bean>
                    </constructor-arg>
                </bean>
            </list>
        </constructor-arg>
    </bean>

    <!-- SAML Authentication Provider responsible for validating of received SAML messages -->
    <bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
    </bean>

    <!-- Provider of default SAML Context -->
    <!--<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>-->
    <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
     <property name="scheme" value="https"/>
     <property name="serverName" value="webportalapp.bes.post.lu"/>
     <property name="serverPort" value="8440"/>
     <property name="includeServerPortInRequestURL" value="false"/>
     <property name="contextPath" value="/sso"/>
    </bean>


    <!-- Processing filter for WebSSO profile messages -->
    <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
        <property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
    </bean>

    <!-- Processing filter for WebSSO Holder-of-Key profile -->
    <bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
        <property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
    </bean>

    <!-- Logout handler terminating local session -->
    <bean id="logoutHandler"
          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
        <property name="invalidateHttpSession" value="false"/>
    </bean>

    <!-- Override default logout processing filter with the one processing SAML messages -->
    <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
        <constructor-arg index="0" ref="successLogoutHandler"/>
        <constructor-arg index="1" ref="logoutHandler"/>
        <constructor-arg index="2" ref="logoutHandler"/>
    </bean>

    <!-- Filter processing incoming logout messages -->
    <!-- First argument determines URL user will be redirected to after successful global logout -->
    <bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
        <constructor-arg index="0" ref="successLogoutHandler"/>
        <constructor-arg index="1" ref="logoutHandler"/>
    </bean>

    <!-- Class loading incoming SAML messages from httpRequest stream -->
    <bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
        <constructor-arg>
            <list>
                <ref bean="redirectBinding"/>
                <ref bean="postBinding"/>
                <ref bean="artifactBinding"/>
                <ref bean="soapBinding"/>
                <ref bean="paosBinding"/>
            </list>
        </constructor-arg>
    </bean>

    <!-- SAML 2.0 WebSSO Assertion Consumer -->
    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>

    <!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
    <bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

    <!-- SAML 2.0 Web SSO profile -->
    <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>

    <!-- SAML 2.0 Holder-of-Key Web SSO profile -->
    <bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

    <!-- SAML 2.0 ECP profile -->
    <bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>

    <!-- SAML 2.0 Logout Profile -->
    <bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>

    <!-- Bindings, encoders and decoders used for creating and parsing messages -->
    <bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
        <constructor-arg ref="parserPool"/>
        <constructor-arg ref="velocityEngine"/>
    </bean>

    <bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
        <constructor-arg ref="parserPool"/>
    </bean>

    <bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
        <constructor-arg ref="parserPool"/>
        <constructor-arg ref="velocityEngine"/>
        <constructor-arg>
            <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
                <constructor-arg>
                    <bean class="org.apache.commons.httpclient.HttpClient">
                        <constructor-arg>
                            <bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
                <property name="processor">
                    <bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
                        <constructor-arg ref="soapBinding"/>
                    </bean>
                </property>
            </bean>
        </constructor-arg>
    </bean>

    <bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
        <constructor-arg ref="parserPool"/>
    </bean>

    <bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
        <constructor-arg ref="parserPool"/>
    </bean>

    <!-- Initialize the OpenSAML library -->
    <bean class="org.springframework.security.saml.SAMLBootstrap" lazy-init="false"/>

    <!-- Initialize the Velocity template engine -->
    <bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>


    <!-- XML parser pool needed for OpenSAML parsing -->
    <bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>

    <bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>

</beans>
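The exception in the trace is raised because the global OpenSAML SecurityConfiguration no longer holds a KeyInfo generator manager named "MetadataKeyInfoGenerator"; SAMLBootstrap registers that name once after DefaultBootstrap, and any later call to DefaultBootstrap.bootstrap() in the same JVM installs a fresh configuration without it. The helper below is an added diagnostic, not code from the question or from Spring SAML: it reports which manager names are currently registered, and can re-register the missing one the way SAMLBootstrap does. It assumes the OpenSAML 2.x API that Spring SAML 1.0.x uses; the class name MetadataKeyInfoCheck is hypothetical.

```java
import java.util.Collections;
import java.util.Set;

import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;

/**
 * Hypothetical diagnostic helper (not part of Spring SAML or OpenSAML).
 * MetadataGenerator asks the global SecurityConfiguration for the KeyInfo
 * generator manager named below; if the name is absent,
 * NamedKeyInfoGeneratorManager.getFactory throws the IllegalArgumentException
 * seen in the question.
 */
public final class MetadataKeyInfoCheck {

    /** Manager name looked up by MetadataGenerator (matches the exception message). */
    public static final String METADATA_KEY_INFO_GENERATOR = "MetadataKeyInfoGenerator";

    private MetadataKeyInfoCheck() {
    }

    /** Names of the KeyInfo generator managers currently registered, or empty if not bootstrapped. */
    public static Set<String> registeredManagerNames() {
        SecurityConfiguration config = Configuration.getGlobalSecurityConfiguration();
        if (!(config instanceof BasicSecurityConfiguration)) {
            // null means DefaultBootstrap/SAMLBootstrap never ran in this JVM
            return Collections.emptySet();
        }
        NamedKeyInfoGeneratorManager manager =
                ((BasicSecurityConfiguration) config).getKeyInfoGeneratorManager();
        // getManagerNames() only reads; getManager(name) would silently create an
        // empty manager and hide the missing registration, so it is not used here.
        return manager.getManagerNames();
    }

    /** True when MetadataGenerator would find its KeyInfo generator. */
    public static boolean isMetadataKeyInfoGeneratorRegistered() {
        return registeredManagerNames().contains(METADATA_KEY_INFO_GENERATOR);
    }

    /**
     * Re-registers the manager the same way SAMLBootstrap does (an X509 factory
     * emitting the entity certificate and its chain). Returns true if a
     * registration was actually needed.
     */
    public static synchronized boolean ensureRegistered() {
        if (isMetadataKeyInfoGeneratorRegistered()) {
            return false;
        }
        SecurityConfiguration config = Configuration.getGlobalSecurityConfiguration();
        if (!(config instanceof BasicSecurityConfiguration)) {
            throw new IllegalStateException(
                    "OpenSAML global security configuration is missing; SAMLBootstrap has not run");
        }
        NamedKeyInfoGeneratorManager manager =
                ((BasicSecurityConfiguration) config).getKeyInfoGeneratorManager();
        X509KeyInfoGeneratorFactory factory = new X509KeyInfoGeneratorFactory();
        factory.setEmitEntityCertificate(true);
        factory.setEmitEntityCertificateChain(true);
        manager.registerFactory(METADATA_KEY_INFO_GENERATOR, factory);
        return true;
    }
}
```

Calling isMetadataKeyInfoGeneratorRegistered() once at context startup and again from a filter placed in front of metadataGeneratorFilter distinguishes "never registered" from "registered and later lost"; if ensureRegistered() keeps returning true during normal operation, another component in the JVM is re-bootstrapping OpenSAML after SAMLBootstrap.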

0 answers:

No answers