所以我试图将spring-security-saml2扩展添加到现有的spring-boot项目中。作为身份提供者,我使用ADFS,并且在使用spring-boot和其他saml框架之前就可以使用它。
现在我得到了错误
...
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.6.jar:na]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:258) ~[opensaml-2.6.6.jar:na]
... 67 common frames omitted
Caused by: javax.net.ssl.SSLException: SSLSession was invalid: Likely implicit handshake failure: Set system property javax.net.debug=all for details
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:275) ~[openws-1.5.6.jar:na]
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.6.jar:na]
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97) ~[spring-security-saml2-core-1.0.6.RELEASE.jar:1.0.6.RELEASE]
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:na]
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.6.jar:na]
... 68 common frames omitted
我已经打开javax.net.debug=all并检查是否已加载正确的证书:
adding as trusted cert:
Subject: CN=Exapmle CA G2, OU=Example Certificate Authority, O=Example, L=City, ST=BS, C=GB
Issuer: CN=Exapmle CA G2, OU=Example Certificate Authority, O=Example, L=City, ST=BS, C=GB
Algorithm: RSA; Serial number: 0xdfec3e266fcad7e1
Valid from Fri Mar 20 18:29:09 CET 2015 until Wed Apr 04 19:29:09 CEST 2025
但是加载元数据仍然失败,并显示以下错误:
localhost-startStop-1, IOException in getSession(): javax.net.ssl.SSLHandshakeException: org.springframework.security.saml.trust.UntrustedCertificateException: Peer SSL/TLS certificate 'CN=fs.example.com, C=GB, ST=BS, L=City, O=Example, OU=Development' issued by 'CN=Exapmle CA G2, OU=Example Certificate Authority, O=Example, L=City, ST=BS, C=GB' is not trusted, add the certificate or it's CA to your trust store and optionally update tlsKey in extended metadata with the certificate's alias
Java像这样打印idp的证书:
Version: V3
Subject: CN=fs.example.com, C=GB, ST=BS, L=City, O=Example, OU=Development
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: ...
public exponent: 65537
Validity: [From: Thu Sep 01 10:51:48 CEST 2016,
To: Tue Aug 31 10:51:48 CEST 2021]
Issuer: CN=Exapmle CA G2, OU=Example Certificate Authority, O=Example, L=City, ST=BS, C=GB
SerialNumber: [ 02dfec3e 266fcad8 46]
如您所见,已发行了发行证书。
我还尝试导入idp本身的证书。这没有帮助。
adding as trusted cert:
Subject: CN=fs.example.com, C=GB, ST=BS, L=City, O=Example, OU=Development
Issuer: CN=Exapmle CA G2, OU=Example Certificate Authority, O=Example, L=City, ST=BS, C=GB
Algorithm: RSA; Serial number: 0x2dfec3e266fcad846
Valid from Thu Sep 01 10:51:48 CEST 2016 until Tue Aug 31 10:51:48 CEST 2021
有人知道如何解决这个问题吗?
如果您需要我的任何代码,请随时询问。
谢谢。
答案 0 :(得分:0)
当我遇到此问题时,原因是ADFS中的安全哈希。 查看Spring Security SAML文档主题12.1.2