Java 使用Spring SAML从https加载元数据_Java_Spring_Spring Security_Saml_Spring Saml

Java 使用Spring SAML从https加载元数据

java spring spring-security

Java 使用Spring SAML从https加载元数据,java,spring,spring-security,saml,spring-saml,Java,Spring,Spring Security,Saml,Spring Saml,我想使用https协议从web导入一些元数据： @Bean public HTTPMetadataProvider ssoCircleMetadataProvider() throws MetadataProviderException { String metadataURL = "https://idp.ssocircle.com/idp-meta.xml"; final Timer backgroundTaskTimer = new Timer(true);

我想使用https协议从web导入一些元数据：

@Bean
public HTTPMetadataProvider ssoCircleMetadataProvider()
        throws MetadataProviderException {
    String metadataURL = "https://idp.ssocircle.com/idp-meta.xml";
    final Timer backgroundTaskTimer = new Timer(true);
    HTTPMetadataProvider provider = new HTTPMetadataProvider(
            backgroundTaskTimer, httpClient(), metadataURL);
    provider.setParserPool(parserPool());
    return provider;
}

通过阅读，我发现了以下步骤：

默认情况下，通过基于HTTP的提供程序加载元数据 HTTPS执行JDK中配置的信任验证。万一如果要在密钥库中使用证书，请添加以下内容更改HTTP客户端使用的socketFactory的bean：

但是未找到

org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory

类结果。我正在使用Spring SAML的

1.0.0-RC2

版本

我做错什么了吗

如何修复此错误并根据需要加载元数据

更新

通过使用快照存储库，我能够使用TLSProtocolSocketFactory类。我已将SSOCIRCE证书导入密钥库，但尽管如此，应用程序仍返回一个错误，如下所示：

[2014-07-31 17:33:27.596] boot - 11800 ERROR [localhost-startStop-1] --- HTTPMetadataProvider:    Error retrieving metadata from https://idp.ssocircle.com/idp-meta.xml
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

更新2

我已经按照你的建议修改了代码。我已将所有证书导入密钥库，但在启动时，应用程序返回以下错误：

[2014-08-01 10:02:38.961] boot - 14704 DEBUG [localhost-startStop-1] --- BasicX509CredentialNameEvaluator: Supplied trusted names are null or empty, skipping name evaluation
[2014-08-01 10:02:38.962] boot - 14704 DEBUG [localhost-startStop-1] --- MetadataCredentialResolver: Attempting PKIX path validation on untrusted credential: [subjectName='CN=ADFS Signing - ststest-vdenotarisnet.vdenotaris.it']
[2014-08-01 10:02:39.028] boot - 14704 ERROR [localhost-startStop-1] --- MetadataCredentialResolver: PKIX path construction failed for untrusted credential: [subjectName='CN=ADFS Signing - ststest-vdenotarisnet.vdenotaris.it']: unable to find valid certification path to requested target
[2014-08-01 10:02:39.028] boot - 14704 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: Signature trust could not be established via PKIX validation of signing credential
[2014-08-01 10:02:39.028] boot - 14704 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to establish trust of KeyInfo-derived credential
[2014-08-01 10:02:39.028] boot - 14704 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
[2014-08-01 10:02:39.029] boot - 14704 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: PKIX validation of signature failed, unable to resolve valid and trusted signing key
[2014-08-01 10:02:39.029] boot - 14704 ERROR [localhost-startStop-1] --- SignatureValidationFilter: Signature trust establishment failed for metadata entry http://ststest.vdenotaris.local/adfs/services/trust
[2014-08-01 10:02:39.031] boot - 14704 ERROR [localhost-startStop-1] --- AbstractReloadingMetadataProvider: Error filtering metadata from https://ststest.vdenotaris.local/FederationMetadata/2007-06/FederationMetadata.xml
org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

请注意，使用的证书由GoDaddy验证。

TLSProtocolSocketFactory类仅在中继中可用，并且将是1.0.0.FINAL的一部分。RC2中唯一的选择是向JDK的密钥库添加密钥

更新：

Spring SAML的快照版本在此存储库中提供：

<repository>
  <releases>
    <enabled>false</enabled>
  </releases>
  <snapshots>
    <enabled>true</enabled>
  </snapshots>
  <id>com.springsource.repository.maven.snapshot</id>
  <name>SpringSource Enterprise Bundle Maven Repository - SpringSource Snapshot Releases</name>
  <url>http://maven.springframework.org/snapshot</url>
</repository>

有没有办法通过Maven使用主干？我切换到了1.0.0.RC3-SNAPSHOT，但该类仍然缺失。该类在这里，在夜间构建中也在这里，您可能有错误的版本，或者问题在其他地方，可能异常有更多信息？我的Nexus服务器有问题。现在似乎没问题了。我还有一个问题：这个过程也适用于自签名证书吗？使用-Djavax.net.debug=all启动应用程序，让我们看看它说了什么-日志跟踪应该包括关于PKIX失败原因的更多详细信息。你的证书有可能过期吗？请仔细检查您是否已将正确的密钥导入samlKeystore.jksBtw。我已简化了配置，一旦您更新到更高版本，您唯一需要做的就是包含类bean org.springframework.security.saml.trust.httpclient.tlsprotocolconfigurer导入正确，我确信这一点。证书仍然有效。我将很快通过提供建议的javax.net调试选项来检查应用程序。我确信导入现在是正确的，这不是我的观点-我制作了TLSProtocolConfigurer来简化它，以供将来尝试配置相同功能的人使用，我想提醒你，一旦你更新了，你就必须重新配置。它将在明天的夜间构建中。

[2014-08-01 10:02:38.961] boot - 14704 DEBUG [localhost-startStop-1] --- BasicX509CredentialNameEvaluator: Supplied trusted names are null or empty, skipping name evaluation
[2014-08-01 10:02:38.962] boot - 14704 DEBUG [localhost-startStop-1] --- MetadataCredentialResolver: Attempting PKIX path validation on untrusted credential: [subjectName='CN=ADFS Signing - ststest-vdenotarisnet.vdenotaris.it']
[2014-08-01 10:02:39.028] boot - 14704 ERROR [localhost-startStop-1] --- MetadataCredentialResolver: PKIX path construction failed for untrusted credential: [subjectName='CN=ADFS Signing - ststest-vdenotarisnet.vdenotaris.it']: unable to find valid certification path to requested target
[2014-08-01 10:02:39.028] boot - 14704 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: Signature trust could not be established via PKIX validation of signing credential
[2014-08-01 10:02:39.028] boot - 14704 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to establish trust of KeyInfo-derived credential
[2014-08-01 10:02:39.028] boot - 14704 DEBUG [localhost-startStop-1] --- BaseSignatureTrustEngine: Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
[2014-08-01 10:02:39.029] boot - 14704 DEBUG [localhost-startStop-1] --- PKIXSignatureTrustEngine: PKIX validation of signature failed, unable to resolve valid and trusted signing key
[2014-08-01 10:02:39.029] boot - 14704 ERROR [localhost-startStop-1] --- SignatureValidationFilter: Signature trust establishment failed for metadata entry http://ststest.vdenotaris.local/adfs/services/trust
[2014-08-01 10:02:39.031] boot - 14704 ERROR [localhost-startStop-1] --- AbstractReloadingMetadataProvider: Error filtering metadata from https://ststest.vdenotaris.local/FederationMetadata/2007-06/FederationMetadata.xml
org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

<repository>
  <releases>
    <enabled>false</enabled>
  </releases>
  <snapshots>
    <enabled>true</enabled>
  </snapshots>
  <id>com.springsource.repository.maven.snapshot</id>
  <name>SpringSource Enterprise Bundle Maven Repository - SpringSource Snapshot Releases</name>
  <url>http://maven.springframework.org/snapshot</url>
</repository>

@Bean
public ProtocolSocketFactory socketFactory() {
    return new TLSProtocolSocketFactory();
}

@Bean
public Protocol socketFactoryProtocol() {
    return new Protocol("https", socketFactory(), 443);
}

@Bean
public MethodInvokingFactoryBean socketFactoryInitialization() {
    MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
    methodInvokingFactoryBean.setTargetClass(Protocol.class);
    methodInvokingFactoryBean.setTargetMethod("registerProtocol");
    Object[] args = {"https", socketFactoryProtocol()};
    methodInvokingFactoryBean.setArguments(args);
    return methodInvokingFactoryBean;
}

@Bean
@Qualifier("metadata")
@DependsOn("socketFactoryInitialization")
public CachingMetadataManager metadata() throws MetadataProviderException, IOException     {
  ...
}