我将WSO2服务器用于IDP,并且我的应用程序在本地运行。 我正在使用spring-saml版本1.0.6,我正在尝试为我集成sso 自己的应用程序。以403错误结尾。
这是我的日志:-https://pastebin.com/E3zBRQiA
这是我的spring-security-saml-wso.xml文件:-
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (C) 2018 All rights reserved.
-->
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:cache="http://www.springframework.org/schema/cache"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- <cache:annotation-driven /> -->
<!-- <beans:bean id="cacheManager" class="org.springframework.cache.support.SimpleCacheManager">
<beans:property name="caches">
<beans:set>
<beans:bean class="org.springframework.cache.concurrent.ConcurrentMapCacheFactoryBean">
<beans:property name="name" value="ltPrevileges"/>
</beans:bean >
<beans:bean class="org.springframework.cache.concurrent.ConcurrentMapCacheFactoryBean">
<beans:property name="name" value="dashboard"/>
</beans:bean >
</beans:set>
</beans:property>
</beans:bean> -->
<context:annotation-config/>
<context:component-scan base-package="org.springframework.security.saml"/>
<!-- <beans:bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<beans:constructor-arg>
<beans:value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</beans:value>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:value type="int">5000</beans:value>
</beans:constructor-arg>
<beans:property name="parserPool" ref="parserPool"/>
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean> -->
<beans:bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<beans:bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<beans:constructor-arg>
<beans:list>
<beans:bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<beans:constructor-arg>
<beans:bean
class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<beans:constructor-arg>
<beans:bean class="java.util.Timer" />
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.opensaml.util.resource.ClasspathResource">
<beans:constructor-arg value="/metadata/wso.xml" />
</beans:bean>
</beans:constructor-arg>
<beans:property name="parserPool" ref="parserPool" />
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.saml.metadata.ExtendedMetadata">
</beans:bean>
</beans:constructor-arg>
</beans:bean>
</beans:list>
</beans:constructor-arg>
<!-- Default IDP -->
<beans:property name="defaultIDP" value="localhost_WSO2EXE"/>
</beans:bean>
<beans:bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- Initialization of the velocity engine -->
<beans:bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>
<!-- XML parser pool needed for OpenSAML parsing -->
<beans:bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
<beans:bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
<security:http security="none" pattern="/saml/webapp/**"/>
<security:http security="none" pattern="/WEB-INF/**"/>
<security:http entry-point-ref="samlEntryPoint" use-expressions="true">
<!-- Unsecured pages -->
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/logout" access="permitAll"/>
<security:intercept-url pattern="/resources/" access="permitAll"/>
<security:intercept-url pattern="/generalError" access="permitAll"/>
<!-- Secured pages -->
<security:intercept-url pattern="/**" access="isAuthenticated()"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
<security:access-denied-handler error-page="/403" />
</security:http>
<beans:bean id="failureRedirectHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="useForward" value="true"/>
<beans:property name="defaultFailureUrl" value="/error.jsp"/>
</beans:bean>
<beans:bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant">
<security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
<security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
<security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
<security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
<security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
</security:filter-chain-map>
</beans:bean>
<beans:bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
<!-- <beans:property name="logMessages" value="true"/>
<beans:property name="logErrors" value="true"/>
<beans:property name="logMessagesOnException" value="true"/> -->
</beans:bean>
<!-- IDP Discovery Service -->
<beans:bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
<!-- Do not show the IdP selection page. Always use the default IdP. There's only one configured anyway. -->
<!-- <beans:property name="idpSelectionPath" value="/WEB-INF/index.jsp"/> -->
<!-- <beans:property name="idpSelectionPath" value="/WEB-INF/login.jsp"/> -->
<!-- <beans:property name="defaultIDP" value="https://idp.ssocircle.com/sso"/> -->
</beans:bean>
<!-- <beans:bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
<beans:property name="defaultProfileOptions">
<beans:bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<beans:property name="includeScoping" value="false"/>
</beans:bean>
</beans:property>
</beans:bean> -->
<!-- On login, redirect to display spanners page -->
<beans:bean id="successRedirectHandlerBean" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/index3.html"/>
</beans:bean>
<!-- After logout, show the logout success page -->
<beans:bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<beans:property name="defaultTargetUrl" value="/logout"/>
</beans:bean>
<!-- Logout handler terminating local session -->
<beans:bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<beans:property name="invalidateHttpSession" value="false"/>
</beans:bean>
<!-- Register authentication manager with SAML provider -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="samlAuthenticationProvider"/>
</security:authentication-manager>
<beans:bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<beans:property name="entityId" value="localhost_WSO2EXE"/>
<!-- <beans:property name="entityBaseURL" value="http://localhost:8080/app"/> -->
<beans:property name="extendedMetadata">
<beans:bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<!-- <beans:property name="signMetadata" value="false"/> -->
<beans:property name="idpDiscoveryEnabled" value="false"/>
</beans:bean>
</beans:property>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<!-- Provider of default SAML Context -->
<beans:bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
<!-- Processing filter for WebSSO profile messages -->
<beans:bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationSuccessHandler" ref="successRedirectHandlerBean"/>
<beans:property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
</beans:bean>
<!-- Override default logout processing filter with the one processing SAML messages -->
<beans:bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
<beans:constructor-arg ref="successLogoutHandler"/>
<beans:constructor-arg ref="logoutHandler"/>
<beans:constructor-arg ref="logoutHandler"/>
</beans:bean>
<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<beans:bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<beans:constructor-arg ref="successLogoutHandler"/>
<beans:constructor-arg ref="logoutHandler"/>
</beans:bean>
<!-- Class loading incoming SAML messages from httpRequest stream -->
<beans:bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<beans:constructor-arg>
<beans:list>
<beans:ref bean="redirectBinding"/>
<beans:ref bean="postBinding"/>
<beans:ref bean="artifactBinding"/>
<beans:ref bean="soapBinding"/>
<beans:ref bean="paosBinding"/>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<!-- <beans:bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
<beans:constructor-arg ref="parserPool"/>
<beans:constructor-arg ref="velocityEngine"/>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
<beans:constructor-arg>
<beans:bean class="org.apache.commons.httpclient.HttpClient"/>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
-->
<!-- SAML 2.0 WebSSO Assertion Consumer -->
<beans:bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<beans:bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 Web SSO profile -->
<beans:bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<beans:bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 ECP profile -->
<beans:bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>
<!-- SAML 2.0 Logout Profile -->
<beans:bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<beans:bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<beans:constructor-arg ref="parserPool"/>
<beans:constructor-arg ref="velocityEngine"/>
</beans:bean>
<beans:bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<beans:constructor-arg ref="parserPool"/>
</beans:bean>
<beans:bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
<beans:constructor-arg ref="parserPool"/>
<beans:constructor-arg ref="velocityEngine"/>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
<beans:constructor-arg>
<beans:bean class="org.apache.commons.httpclient.HttpClient">
<beans:constructor-arg>
<beans:bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
</beans:constructor-arg>
</beans:bean>
</beans:constructor-arg>
<beans:property name="processor">
<beans:bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<beans:constructor-arg ref="soapBinding"/>
</beans:bean>
</beans:property>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
<beans:constructor-arg ref="parserPool"/>
</beans:bean>
<beans:bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
<beans:constructor-arg ref="parserPool"/>
</beans:bean>
<!-- -->
<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<!-- <beans:bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<beans:constructor-arg ref="parserPool"/>
<beans:constructor-arg ref="velocityEngine"/>
</beans:bean> -->
<!-- <beans:bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheCacheManager" >
<beans:property name="cacheManager" ref="ehcache"></beans:property>
</beans:bean>
<beans:bean id="ehcache" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" >
<beans:property name="configLocation" value="classpath:ehcache.xml"></beans:property>
<beans:property name="shared" value="true"></beans:property>
</beans:bean> -->
<beans:bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
<!-- OPTIONAL property: can be used to store/load user data after login -->
<!--
<property name="userDetails" ref="bean" />
-->
<beans:property name="userDetails" ref="customUserDetailsService" />
</beans:bean>
<beans:bean id="customUserDetailsService" class="com.framework.security.CustomSamlUserDetailsService"/>
<beans:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<beans:constructor-arg value="classpath:security/myKeystore.jks" />
<beans:constructor-arg type="java.lang.String" value="password" />
<beans:constructor-arg>
<beans:map>
<beans:entry key="mycustomkeys" value="password" />
</beans:map>
</beans:constructor-arg>
<beans:constructor-arg type="java.lang.String" value="mycustomkeys" />
</beans:bean>
</beans:beans>
我的enityID名称在IDP和元数据中是相同的。自同一刊物3周以来一直在挣扎。我已经成功运行spring-saml应用程序,但无法在自己的应用程序中实现。 我是spring-saml的新手。请让我知道我在这里想念的东西。
这是我的SecurityConfig.java
https://pastebin.com/sDJ16e8w 这是我的web.xml文件。
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<welcome-file-list>
<welcome-file>
/app/index3.html
</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>framework</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>framework</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<error-page>
<exception-type>javax.servlet.ServletException</exception-type>
<location>/error.jsp</location>
</error-page>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>app/index2.html</welcome-file>
</welcome-file-list>
</web-app
此应用程序可以通过rest身份验证正常运行,但是我必须为此执行saml sso,因此,现在我已经删除了rest http ssecurity(如果spring saml可以正常运行),则将尝试添加rest方法安全性。 登录成功后,我正在使用html页面。 我正在尝试通过security-saml-wso.xml文件以及securityConfig.java中提到的customUserDetailService进行身份验证。 当我尝试满足http://localhost:8080/app/index3.html之类的第一个请求时 然后调用samlEntryPoint。.
pom依赖看起来像
<dependency>
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml2-core</artifactId>
<version>1.0.6.RELEASE</version>
<scope>compile</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/xml-apis/xml-apis -->
<dependency>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
<version>2.0.2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/ca.juliusdavies/not-yet-commons-ssl -->
<!-- https://mvnrepository.com/artifact/ca.juliusdavies/not-yet-commons-ssl -->
<dependency>
<groupId>ca.juliusdavies</groupId>
<artifactId>not-yet-commons-ssl</artifactId>
<version>0.3.11</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.opensaml/opensaml -->
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml</artifactId>
<version>2.6.4</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.google.code.gson/gson -->
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.8.0</version>
</dependency>
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.1.0.Final</version>
</dependency>
<!-- comment this section after validation success -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.26</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>