如何解决Spring Security-无法验证SAML证书
我正在Spring Boot应用程序中使用org.springframework.security:spring-security-saml2-service-provider版的5.3.3.RELEASE和spring-boot-starter-security版的2.3.1.RELEASE来保护它。
出于测试目的,我将docker映像kristophjunge/test-saml-idp用作我的身份提供者。
从Maven,IntelliJ或只是它的主要方法执行应用程序时,身份验证可以正常工作。当我从中构建一个war文件并在本地计算机上的版本9的tomcat服务器中执行该应用程序时,身份验证工作正常。
如果将war文件部署到远程服务器,Ubuntu 20.04.1 LTS,相同的JDK,openjdk 14.0.1,相同的tomcat,相同的docker映像,相同的证书,则该证书无法被应用程序验证。 / p>
我已经为opensaml启用了调试日志。我的计算机上的成功身份验证如下:
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Signature validation using candidate credential was successful
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
[http-nio-8080-exec-3] DEBUG org.opensaml.security.trust.impl.ExplicitKeyTrustEvaluator - Successfully validated untrusted credential against trusted key
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Successfully established trust of KeyInfo-derived credential
虽然远程服务器上的日志输出看起来像这样:
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Signature validation using candidate credential was successful
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Failed to establish trust of KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
我对自签名证书进行了修改,以为该错误将源于在非localhost域上访问的应用程序。我创建了一个根证书,将其添加到JDK的cacerts密钥库中,并从该证书派生IDP证书。重新启动tomcat,没有用。
但是,真正令人好奇的是:如果我将应用程序作为独立的jar文件运行,那么即使在远程服务器上,身份验证过程也可以工作。不幸的是,这对我来说不可行。我只能使用集成的tomcat服务器进行开发。
我已经使用Kotlin配置了这样的安全性:
@EnableWebSecurity
class SecurityConfig(/* autowired configuration properties */) {
override fun configure(http: HttpSecurity) {
http
.authorizeRequests()
.antMatchers("/error").permitAll()
.anyRequest().authenticated()
.and()
.saml2Login()
.relyingPartyRegistrationRepository(
InMemoryRelyingPartyRegistrationRepository(
relyingPartyRegistration()
))
.authenticationManager(DbBasedUserDetailsService(rightsRepository))
}
private fun relyingPartyRegistration(): RelyingPartyRegistration =
RelyingPartyRegistration
.withRegistrationId(registrationId)
.providerDetails {
it.entityId(entityId)
it.webSsoUrl(webSsoUrl)
}
.assertionConsumerServiceUrlTemplate(assertionUrlTemplate)
.credentials {
it.add(
Saml2X509Credential(
x509Certificate(idpKey),Saml2X509Credential.Saml2X509CredentialType.VERIFICATION))
}.credentials {
it.add(
Saml2X509Credential(
privateKey(),x509Certificate(localCert),Saml2X509Credential.Saml2X509CredentialType.SIGNING))
}
.build()
private fun privateKey(): PrivateKey =
KeyFactory
.getInstance("RSA")
.generatePrivate(PKCS8EncodedKeySpec(privateKey.inputStream.readBytes()))
private fun x509Certificate(res: Resource) =
CertificateFactory
.getInstance("X.509")
.generateCertificate(res.inputStream)
as X509Certificate
}
它基本上类似于javadoc示例。
有人对我有线索吗?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
