Spring SAML由于访问403

时间:2019-04-08 01:18:30

标签: spring-saml

我使用 WSO2 服务器作为 IdP,我的应用程序在本地运行。我使用的是 spring-saml 1.0.6 版本,正在尝试为我自己的应用程序集成 SSO,结果以 403 错误告终。

[截图] 这是我的日志: https://pastebin.com/E3zBRQiA

这是我的 spring-security-saml-wso.xml 文件:

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Copyright (C) 2018  All rights reserved. 
 -->
<!--
    Spring Security SAML 1.0.x service-provider context for an SP that authenticates against a WSO2 IdP.
    Wiring summary (every bean is defined in this file unless stated otherwise):
      * IdP metadata is read from the classpath resource /metadata/wso.xml ("metadata" bean);
      * this SP's own metadata is generated at runtime by metadataGeneratorFilter;
      * the /saml/* endpoints are dispatched by the "samlFilter" FilterChainProxy;
      * every other URL (except the permitAll entries) requires an authenticated session and
        otherwise falls back to samlEntryPoint.
    NOTE(review): the default namespace is the mvc schema although no mvc elements are used, and the
    cache namespace has no schemaLocation entry; harmless while the cache beans below stay commented out.
 -->

<beans:beans xmlns="http://www.springframework.org/schema/mvc"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:cache="http://www.springframework.org/schema/cache"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd      
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

     <!-- <cache:annotation-driven /> -->

   <!--   <beans:bean  id="cacheManager" class="org.springframework.cache.support.SimpleCacheManager">
         <beans:property name="caches">
             <beans:set>
                 <beans:bean  class="org.springframework.cache.concurrent.ConcurrentMapCacheFactoryBean">
                     <beans:property name="name" value="ltPrevileges"/>
                 </beans:bean >
                 <beans:bean  class="org.springframework.cache.concurrent.ConcurrentMapCacheFactoryBean">
                     <beans:property name="name" value="dashboard"/>
                 </beans:bean >
             </beans:set>
         </beans:property>
     </beans:bean> -->

   <!-- Annotation processing plus a component scan of the spring-security-saml package; presumably
        copied from the reference sample, where it enables autowiring of the library's internals. -->
   <context:annotation-config/>
     <context:component-scan base-package="org.springframework.security.saml"/>


  <!--  <beans:bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <beans:constructor-arg>
                    <beans:value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</beans:value>
                </beans:constructor-arg>
                <beans:constructor-arg>
                    <beans:value type="int">5000</beans:value>
                </beans:constructor-arg>
                <beans:property name="parserPool" ref="parserPool"/>
            </beans:bean>
        </beans:list>
    </beans:constructor-arg>
</beans:bean> -->
<!-- Publishes this SP's metadata; reached through the /saml/metadata/** chain of samlFilter below -->
<beans:bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
 <!-- IdP metadata, loaded from the classpath resource /metadata/wso.xml and wrapped in an ExtendedMetadata
      left at its defaults.
      NOTE(review): defaultIDP must be the entityID of the IdP as declared inside wso.xml. It is set to
      "localhost_WSO2EXE", the same value used as this SP's own entityId in metadataGeneratorFilter below;
      if the IdP's entityID in wso.xml is different, the entry point cannot select the IdP. Confirm against
      wso.xml and the WSO2 identity-provider configuration. -->
 <beans:bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <beans:constructor-arg>
                        <beans:bean
                            class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
                            <beans:constructor-arg>
                                <beans:bean class="java.util.Timer" />
                            </beans:constructor-arg>
                            <beans:constructor-arg>
                                <beans:bean class="org.opensaml.util.resource.ClasspathResource">
                                    <beans:constructor-arg value="/metadata/wso.xml" />
                                </beans:bean>
                            </beans:constructor-arg>
                            <beans:property name="parserPool" ref="parserPool" />
                        </beans:bean>
                    </beans:constructor-arg>
                    <beans:constructor-arg>
                        <beans:bean
                            class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        </beans:bean>
                    </beans:constructor-arg>
                </beans:bean>
            </beans:list>
        </beans:constructor-arg>
        <!-- Default IDP (entityID of the IdP, see the note above) -->
        <beans:property name="defaultIDP" value="localhost_WSO2EXE"/> 
    </beans:bean>


  <!-- Initialises the OpenSAML library -->
  <beans:bean class="org.springframework.security.saml.SAMLBootstrap"/>

    <!-- Initialization of the velocity engine -->
    <beans:bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>

    <!-- XML parser pool needed for OpenSAML parsing -->
    <beans:bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
    <beans:bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>

<!-- Requests under these patterns bypass the security filter chain entirely.
     NOTE(review): /saml/webapp/** is not referenced anywhere else in this file; confirm it is still needed. -->
<security:http security="none" pattern="/saml/webapp/**"/>
    <security:http security="none" pattern="/WEB-INF/**"/>

     <!-- Main chain: unauthenticated requests to protected URLs are sent to the SAML entry point.
          NOTE(review): samlEntryPoint is referenced here and in samlFilter, but the only definition in this
          file is commented out further down; unless SecurityConfig.java declares it, the context cannot
          resolve the reference. -->
     <security:http entry-point-ref="samlEntryPoint" use-expressions="true">

        <!-- Unsecured pages -->
        <security:intercept-url pattern="/" access="permitAll" />
        <security:intercept-url pattern="/logout" access="permitAll"/>
        <!-- NOTE(review): as an Ant pattern this matches only the literal path /resources/, not the files
             beneath it; /resources/** is probably what is intended -->
        <security:intercept-url pattern="/resources/" access="permitAll"/>
        <security:intercept-url pattern="/generalError" access="permitAll"/>

        <!-- Secured pages -->
         <security:intercept-url pattern="/**" access="isAuthenticated()"/>

        <!-- metadataGeneratorFilter runs first so the SP metadata exists before any SAML processing;
             samlFilter sits after BASIC_AUTH_FILTER, i.e. ahead of the interceptor that enforces the
             intercept-url rules above, so /saml/* requests are handled before those rules apply -->
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>


        <!-- Authenticated but unauthorised requests are handled by the /403 page -->
        <security:access-denied-handler error-page="/403" />

    </security:http>

 <!-- A failed SAML authentication is forwarded (not redirected) to /error.jsp -->
 <beans:bean id="failureRedirectHandler"
          class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="useForward" value="true"/>
        <beans:property name="defaultFailureUrl" value="/error.jsp"/>
    </beans:bean>

    <!-- Dispatches each SAML endpoint to its filter; these chains run inside the samlFilter slot of the
         main chain above -->
    <beans:bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map request-matcher="ant">
            <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
            <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
            <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
            <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
            <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
              <security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
        </security:filter-chain-map>
    </beans:bean>

<!-- Default SAML logger with message logging left off.
     NOTE(review): logMessages="true" presumably writes the full SAML messages (assertions and attributes)
     to the log; enable it for debugging only. -->
<beans:bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
    <!-- <beans:property name="logMessages" value="true"/>
        <beans:property name="logErrors" value="true"/>
        <beans:property name="logMessagesOnException" value="true"/> -->
    </beans:bean>

    <!-- IDP Discovery Service (idpDiscoveryEnabled is false in the generated ExtendedMetadata below, so
         the defaultIDP of the metadata manager is presumably always used) -->
    <beans:bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
        <!-- Do not show the IdP selection page. Always use the default IdP. There's only one configured anyway. -->
        <!-- <beans:property name="idpSelectionPath" value="/WEB-INF/index.jsp"/> -->
        <!-- <beans:property name="idpSelectionPath" value="/WEB-INF/login.jsp"/>  -->
      <!--  <beans:property name="defaultIDP" value="https://idp.ssocircle.com/sso"/> --> 
    </beans:bean>
 <!-- NOTE(review): this is the only samlEntryPoint definition in the file and it is commented out;
      see the note on the main security:http element above. -->
 <!-- <beans:bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
        <beans:property name="defaultProfileOptions">
            <beans:bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                <beans:property name="includeScoping" value="false"/>
            </beans:bean>
        </beans:property>
    </beans:bean> -->

    <!-- On login, redirect to display spanners page; /index3.html is the fallback when no saved request exists -->
    <beans:bean id="successRedirectHandlerBean" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
         <beans:property name="defaultTargetUrl" value="/index3.html"/> 
    </beans:bean>

    <!-- After logout, show the logout success page -->
    <beans:bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/logout"/>
    </beans:bean>

    <!-- Logout handler terminating local session.
         NOTE(review): invalidateHttpSession=false keeps the local HTTP session alive after logout; this
         mirrors the reference sample, but confirm the session is cleared elsewhere, otherwise the old
         session id remains usable after the user logs out. -->
    <beans:bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
        <beans:property name="invalidateHttpSession" value="false"/>
    </beans:bean>

    <!-- Register authentication manager with SAML provider -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="samlAuthenticationProvider"/>
    </security:authentication-manager>



<!-- Generates this SP's metadata at runtime. entityBaseURL is commented out, so the endpoint URLs in the
     generated metadata are presumably derived from the incoming request (scheme, host, port, context path);
     signMetadata is left at its default and IdP discovery is disabled. -->
<beans:bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.saml.metadata.MetadataGenerator">
             <beans:property name="entityId" value="localhost_WSO2EXE"/>
             <!-- <beans:property name="entityBaseURL" value="http://localhost:8080/app"/> -->
            <beans:property name="extendedMetadata">
                <beans:bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <!-- <beans:property name="signMetadata" value="false"/> -->
                    <beans:property name="idpDiscoveryEnabled" value="false"/>
                </beans:bean>
            </beans:property>
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>
 <!-- Provider of default SAML Context -->
    <beans:bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>

    <!-- Processing filter for WebSSO profile messages (consumes the IdP response on /saml/SSO);
         success and failure handlers are defined above -->
    <beans:bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationSuccessHandler" ref="successRedirectHandlerBean"/>
          <beans:property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
    </beans:bean>

    <!-- Override default logout processing filter with the one processing SAML messages;
         arguments are the success handler, the local logout handlers and the global logout handlers -->
    <beans:bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
        <beans:constructor-arg ref="successLogoutHandler"/>
        <beans:constructor-arg ref="logoutHandler"/>
        <beans:constructor-arg ref="logoutHandler"/>
    </beans:bean>

    <!-- Filter processing incoming logout messages -->
    <!-- First argument determines URL user will be redirected to after successful global logout -->
    <beans:bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
        <beans:constructor-arg ref="successLogoutHandler"/>
        <beans:constructor-arg ref="logoutHandler"/>
    </beans:bean>

    <!-- Class loading incoming SAML messages from httpRequest stream; all bindings defined below are accepted -->
    <beans:bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
        <beans:constructor-arg>
            <beans:list>
                <beans:ref  bean="redirectBinding"/>
                 <beans:ref bean="postBinding"/>
                <beans:ref bean="artifactBinding"/>
                <beans:ref bean="soapBinding"/> 
                <beans:ref bean="paosBinding"/> 
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>


    <!-- <beans:bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
        <beans:constructor-arg ref="parserPool"/>
        <beans:constructor-arg ref="velocityEngine"/>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
                <beans:constructor-arg>
                    <beans:bean class="org.apache.commons.httpclient.HttpClient"/>
                </beans:constructor-arg>

            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>
 -->

    <!-- SAML 2.0 WebSSO Assertion Consumer -->
    <beans:bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>

    <!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
    <beans:bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

    <!-- SAML 2.0 Web SSO profile -->
    <beans:bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>

    <!-- SAML 2.0 Holder-of-Key Web SSO profile -->
    <beans:bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

    <!-- SAML 2.0 ECP profile -->
    <beans:bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>

    <!-- SAML 2.0 Logout Profile -->
    <beans:bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>

    <!-- Bindings, encoders and decoders used for creating and parsing messages -->
    <beans:bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
        <beans:constructor-arg ref="parserPool"/>
        <beans:constructor-arg ref="velocityEngine"/>
    </beans:bean>

    <beans:bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
        <beans:constructor-arg ref="parserPool"/>
    </beans:bean>

    <!-- Artifact binding: artifacts are resolved against the IdP over SOAP using commons-httpclient 3;
         the nested SAMLProcessorImpl is restricted to the SOAP binding -->
    <beans:bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
        <beans:constructor-arg ref="parserPool"/>
        <beans:constructor-arg ref="velocityEngine"/>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
                <beans:constructor-arg>
                    <beans:bean class="org.apache.commons.httpclient.HttpClient">
                        <beans:constructor-arg>
                            <beans:bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
                        </beans:constructor-arg>
                    </beans:bean>
                </beans:constructor-arg>
                <beans:property name="processor">
                    <beans:bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
                        <beans:constructor-arg ref="soapBinding"/>
                    </beans:bean>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>

    <beans:bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
        <beans:constructor-arg ref="parserPool"/>
    </beans:bean>

    <beans:bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
        <beans:constructor-arg ref="parserPool"/>
    </beans:bean>

<!--  -->
    <!-- Bindings, encoders and decoders used for creating and parsing messages -->
   <!--  <beans:bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
        <beans:constructor-arg ref="parserPool"/>
        <beans:constructor-arg ref="velocityEngine"/>
    </beans:bean> -->

    <!--  <beans:bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheCacheManager" >
       <beans:property name="cacheManager" ref="ehcache"></beans:property>
    </beans:bean>

     <beans:bean id="ehcache" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" >
         <beans:property name="configLocation" value="classpath:ehcache.xml"></beans:property>
          <beans:property name="shared" value="true"></beans:property>
    </beans:bean> --> 





     <!-- Authentication provider; userDetails presumably maps the SAML principal onto the application's
          own user model (class defined in this project, not in the library) -->
     <beans:bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
        <!-- OPTIONAL property: can be used to store/load user data after login -->
        <!--
        <property name="userDetails" ref="bean" />
        -->
         <beans:property name="userDetails" ref="customUserDetailsService" />
    </beans:bean>

    <beans:bean id="customUserDetailsService" class="com.framework.security.CustomSamlUserDetailsService"/>

     <!-- Keystore holding the SP's signing/decryption key. Constructor arguments: keystore resource, store
          password, per-alias key passwords, default alias.
          NOTE(review): both passwords are in clear text in this file; externalise them (property placeholder
          or environment) before committing the configuration, and use a value other than the default. -->
     <beans:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
        <beans:constructor-arg value="classpath:security/myKeystore.jks" />
        <beans:constructor-arg type="java.lang.String" value="password" />
        <beans:constructor-arg>
            <beans:map>
                <beans:entry key="mycustomkeys" value="password" />
            </beans:map>
        </beans:constructor-arg>
        <beans:constructor-arg type="java.lang.String" value="mycustomkeys" />
    </beans:bean>
</beans:beans>  

我的 entityID 在 IdP 和元数据中是相同的。我已经为同一个问题挣扎了 3 周。我已经成功运行了 spring-saml 应用程序,但无法在自己的应用程序中实现。我是 spring-saml 的新手,请告诉我这里遗漏了什么。[截图]

这是我的SecurityConfig.java

https://pastebin.com/sDJ16e8w   下面是我的 web.xml 文件:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 2.5 deployment descriptor: one DispatcherServlet ("framework") plus the Spring Security
     filter chain delegated through DelegatingFilterProxy on every request. -->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">
    <!-- NOTE(review): this welcome file is written across three lines, so its value carries the surrounding
         newlines and indentation; a second welcome-file-list at the bottom names app/index2.html. Keep one
         list with the value on a single line. -->
    <welcome-file-list>
        <welcome-file>
            /app/index3.html
        </welcome-file>
    </welcome-file-list>
    <servlet>
        <servlet-name>framework</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>framework</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <!-- NOTE(review): mapping the container's "default" servlet to /* is a path mapping and takes precedence
         over the DispatcherServlet's "/" mapping for every URL, so the framework servlet would never be
         reached; presumably unintended, and worth ruling out as the cause of the unexpected responses. -->
    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <!-- Servlet exceptions are rendered by /error.jsp -->
    <error-page>
    <exception-type>javax.servlet.ServletException</exception-type>
    <location>/error.jsp</location>
</error-page>
    <!-- The security filter chain applies to all requests -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <welcome-file-list>
        <welcome-file>app/index2.html</welcome-file>
    </welcome-file-list>
    <!-- NOTE(review): the closing tag below is truncated (missing the final ">"), so this file as posted is
         not well-formed; presumably a paste error, but verify the deployed copy. -->
</web-app
  

此应用程序可以通过 REST 身份验证正常运行,但我必须为它实现 SAML SSO,所以现在我已经删除了 REST 的 HTTP 安全配置;如果 Spring SAML 能正常工作,我再尝试加回 REST 方法级安全。登录成功后我使用的是 HTML 页面。我正在尝试通过 security-saml-wso.xml 文件以及 SecurityConfig.java 中提到的 customUserDetailService 进行身份验证。当我尝试访问 http://localhost:8080/app/index3.html 这样的第一个请求时,samlEntryPoint 被调用。[截图]

pom 依赖如下:

<!-- Dependency fragment of the project's pom.xml (the enclosing <dependencies> element and the
     ${spring.version} property are defined outside this excerpt). -->
<dependency>
    <groupId>org.springframework.security.extensions</groupId>
    <artifactId>spring-security-saml2-core</artifactId>
    <version>1.0.6.RELEASE</version>
    <scope>compile</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/xml-apis/xml-apis -->
<!-- NOTE(review): spring-security-saml2-core brings its own XML parser stack transitively; pinning an
     old xml-apis here can shadow those classes. Check "mvn dependency:tree" for conflicts before
     keeping this entry. -->
<dependency>
    <groupId>xml-apis</groupId>
    <artifactId>xml-apis</artifactId>
    <version>2.0.2</version>
</dependency>

<!-- https://mvnrepository.com/artifact/ca.juliusdavies/not-yet-commons-ssl -->
<!-- https://mvnrepository.com/artifact/ca.juliusdavies/not-yet-commons-ssl -->
<dependency>
    <groupId>ca.juliusdavies</groupId>
    <artifactId>not-yet-commons-ssl</artifactId>
    <version>0.3.11</version>
</dependency>


<!-- https://mvnrepository.com/artifact/org.opensaml/opensaml -->
<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml</artifactId>
    <version>2.6.4</version>
</dependency>



<!-- https://mvnrepository.com/artifact/com.google.code.gson/gson -->
<dependency>
    <groupId>com.google.code.gson</groupId>
    <artifactId>gson</artifactId>
    <version>2.8.0</version>
</dependency>
<dependency>
    <groupId>javax.validation</groupId>
    <artifactId>validation-api</artifactId>
    <version>1.1.0.Final</version>
</dependency>

<!-- comment this section after validation success -->
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>3.8.1</version>
    <scope>test</scope>
</dependency>
<!-- NOTE(review): log4j 1.x is end-of-life and receives no security fixes; logback-classic is already
     declared below (with jcl-over-slf4j routing commons-logging to SLF4J), so log4j 1.2.17 is presumably
     only needed by a transitive consumer and could be replaced by a log4j-over-slf4j bridge. -->
<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
</dependency>
<dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>jcl-over-slf4j</artifactId>
    <version>1.7.26</version>
</dependency>
<dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>1.2.3</version>
</dependency>
<!-- Spring framework modules, all pinned to the same ${spring.version} -->
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context-support</artifactId>
    <version>${spring.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>${spring.version}</version>
</dependency>
