Login handler authentication methods in Shibboleth IdP (Java)


I am using the following login handlers in my handler.xml file, and I don't understand why there are so many of them. I know we are using the "ExternalAuthn" login handler, but I don't know why the remaining handlers are there. Should we be using the remaining RemoteUser and IPAddress handlers together with ExternalAuthn?

Handler.xml

<?xml version="1.0" encoding="UTF-8"?>
<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                        xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd">

    <!-- Error Handler -->
    <ph:ErrorHandler xsi:type="ph:JSPErrorHandler" jspPagePath="/error.jsp"/>

    <!-- Profile Handlers -->
    <!-- 
        All profile handlers defined below are accessed via the Servlet path "/profile" so if your profile 
        handler's request path is "/Status" then the full path is "<servletContextName>/profile/Status"
     -->
    <ph:ProfileHandler xsi:type="ph:Status">
        <ph:RequestPath>/Status</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAMLMetadata" metadataFile="D:/SDC-Builds/SRDM2.3.0.6904.10/SRDM/Svr/IdP/IdPserver/metadata/idp-metadata.xml">
        <ph:RequestPath>/Metadata/SAML</ph:RequestPath>
    </ph:ProfileHandler>    

    <ph:ProfileHandler xsi:type="ph:ShibbolethSSO" inboundBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:profiles:browser-post
                                                   urn:oasis:names:tc:SAML:1.0:profiles:artifact-01">
        <ph:RequestPath>/Shibboleth/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML1AttributeQuery" inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
        <ph:RequestPath>/SAML1/SOAP/AttributeQuery</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML1ArtifactResolution" inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
        <ph:RequestPath>/SAML1/SOAP/ArtifactResolution</ph:RequestPath>
    </ph:ProfileHandler>

    <!-- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign -->
    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST-SimpleSign/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/Redirect/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:mace:shibboleth:2.0:profiles:AuthnRequest" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/Unsolicited/SSO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2ECP" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <ph:RequestPath>/SAML2/SOAP/ECP</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/Redirect/SLO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST/SLO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                   urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
        <ph:RequestPath>/SAML2/POST-SimpleSign/SLO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <ph:RequestPath>/SAML2/SOAP/SLO</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2SLO" inboundBinding="urn:mace:shibboleth:2.0:profiles:LocalLogout">
        <ph:RequestPath>/Logout</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2AttributeQuery" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <ph:RequestPath>/SAML2/SOAP/AttributeQuery</ph:RequestPath>
    </ph:ProfileHandler>

    <ph:ProfileHandler xsi:type="ph:SAML2ArtifactResolution" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
                       outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
        <ph:RequestPath>/SAML2/SOAP/ArtifactResolution</ph:RequestPath>
    </ph:ProfileHandler>

    <!-- Login Handlers -->
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>

    <!-- Login handler that delegates the act of authentication to an external system. -->
    <!-- This login handler and the RemoteUser login handler will be merged in the next major release. -->
    <!--
    <ph:LoginHandler xsi:type="ph:ExternalAuthn">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
        <ph:QueryParam name="foo" value="bar" />
    </ph:LoginHandler>
    -->
    <ph:LoginHandler xsi:type="ph:ExternalAuthn"
                     externalAuthnPath="/external/login"
                     supportsForcedAuthentication="true">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

    <ph:LoginHandler xsi:type="ph:IPAddress" username="ip-user" defaultDeny="true">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</ph:AuthenticationMethod>
        <ph:IPEntry>127.0.0.1/16</ph:IPEntry>
    </ph:LoginHandler>
    <!--
    <ph:LoginHandler xsi:type="ph:IPAddress" username="ip-user" defaultDeny="true">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</ph:AuthenticationMethod>
        <ph:IPEntry>127.0.0.1/16</ph:IPEntry>
    </ph:LoginHandler>
    -->
    <!-- 
        Removal of this login handler will disable SSO support, that is it will require the user to authenticate 
        on every request.
         <ph:LoginHandler xsi:type="ph:PreviousSession">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
    </ph:LoginHandler>

     <ph:LoginHandler xsi:type="ph:PreviousSession">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
    </ph:LoginHandler>
   -->

</ph:ProfileHandlerGroup>

The external login handler is used for "container authentication": typically some form of basic authentication in Apache that protects /external/login and populates REMOTE_USER, which the IdP then reads. The only other authentication mechanism you probably care about is PreviousSession, which is what actually makes SSO work.
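As an added check (not part of the question or the answer above), the script below parses handler.xml with Python's standard XML parser, which drops anything inside XML comments, and lists the login handlers that are actually active. It flags a missing PreviousSession (no SSO, as the file's own comment says) and any IPAddress handler, since that handler grants a login on client source address alone. The sample input is a constructed trim of the posted file.

```python
import xml.etree.ElementTree as ET

# Namespaces used by handler.xml (both appear in the posted file).
PH = "urn:mace:shibboleth:2.0:idp:profile-handler"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"ph": PH}

# Constructed sample: the login-handler part of the posted handler.xml,
# with PreviousSession commented out exactly as it is in the question.
SAMPLE = f"""<ph:ProfileHandlerGroup xmlns:ph="{PH}" xmlns:xsi="{XSI}">
  <ph:LoginHandler xsi:type="ph:RemoteUser">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
  </ph:LoginHandler>
  <ph:LoginHandler xsi:type="ph:ExternalAuthn" externalAuthnPath="/external/login">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
  </ph:LoginHandler>
  <ph:LoginHandler xsi:type="ph:IPAddress" username="ip-user" defaultDeny="true">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</ph:AuthenticationMethod>
    <ph:IPEntry>127.0.0.1/16</ph:IPEntry>
  </ph:LoginHandler>
  <!--
  <ph:LoginHandler xsi:type="ph:PreviousSession">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
  </ph:LoginHandler>
  -->
</ph:ProfileHandlerGroup>
"""

def active_login_handlers(xml_text):
    """Return (type, method, IP entries) per active login handler; XML comments are never parsed."""
    root = ET.fromstring(xml_text)
    handlers = []
    for lh in root.findall("ph:LoginHandler", NS):
        htype = lh.get("{%s}type" % XSI, "").split(":", 1)[-1]   # "ph:RemoteUser" -> "RemoteUser"
        method = lh.findtext("ph:AuthenticationMethod", default="", namespaces=NS)
        ips = [e.text.strip() for e in lh.findall("ph:IPEntry", NS)]
        handlers.append((htype, method, ips))
    return handlers

def audit(xml_text):
    """Findings worth checking before trimming the handler set."""
    handlers = active_login_handlers(xml_text)
    findings = []
    if not any(h[0] == "PreviousSession" for h in handlers):
        findings.append("PreviousSession disabled: no SSO, users authenticate on every request")
    for htype, _, ips in handlers:
        if htype == "IPAddress":  # a login granted on client source address alone
            findings.append("IPAddress handler trusts source ranges: " + ", ".join(ips))
    return findings
```

Run it against the real file with `audit(open("handler.xml").read())`; an empty list means only credential-backed handlers plus PreviousSession are active.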


By default, when you start from a fresh copy of the IdP configuration files, most of these have a big XML comment around them. Perhaps you overlooked that they are actually disabled?

Thanks @Martin, since I'm new to this and to SSO, I haven't got proper clarification yet. I checked that my application works correctly after removing "ph:RemoteUser" and "ph:IpAddress". I think this is unnecessary code that we put in handler.xml; as far as I know, the others (IPAddress, RemoteUser) are not used in my application. But you are saying RemoteUser is also used on the IdP side. We have already commented out PreviousSession in the xml file.

You need to show us the whole file to be able to check whether the handlers are commented out. But in general, unless you are doing container authentication, you don't need the external login handler.

Hello @Martin, please see my entire handler.xml; it contains both the commented-out code and the code used in our application.

Hello @User, it definitely looks like someone un-commented these from the defaults. Check it out: you can probably comment out all handlers except the external authn handler. By the way, this is easy to test (you do have a test system, right?), so just try it; the minimum number of login handlers you need is 1.

Thanks @Martin, PreviousSession has a comment saying it must be used, and we have commented it out as well.