Single sign on “;HTTP状态401-身份验证失败:传入SAML消息无效”;spring saml应用程序和VMWare Horizon
我们的应用程序使用spring saml auth,并与VMWare Horizon结合使用。我们已经成功地使用了该应用程序,但是随着迁移到new Horizon Workspace 2.0,出现了一些问题 下面是catalina.out的调试日志。我所看到的只是SAML是无效的,但我不明白为什么Single sign on “;HTTP状态401-身份验证失败:传入SAML消息无效”;spring saml应用程序和VMWare Horizon,single-sign-on,saml-2.0,spring-saml,Single Sign On,Saml 2.0,Spring Saml,我们的应用程序使用spring saml auth,并与VMWare Horizon结合使用。我们已经成功地使用了该应用程序,但是随着迁移到new Horizon Workspace 2.0,出现了一些问题 下面是catalina.out的调试日志。我所看到的只是SAML是无效的,但我不明白为什么 DEBUG org.apache.xml.security.utils.IdResolver - getElementByIdUsingDOM() Search for ID http___app
DEBUG org.apache.xml.security.utils.IdResolver - getElementByIdUsingDOM() Search for ID http___app.application.us_app_saml_metadata_alias_defaultAlias
2014-07-02 14:47:47,846 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - I could find an Element using the simple getElementByIdUsingDOM method: md:EntityDescriptor
2014-07-02 14:47:47,846 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.resolver.implementations.ResolverFragment - Try to catch an Element with ID http___app.application.us_app_saml_metadata_alias_defaultAlias and Element was [md:EntityDescriptor: null]
2014-07-02 14:47:47,848 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
2014-07-02 14:47:47,848 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.transforms.Transforms - Perform the (0)th http://www.w3.org/2000/09/xmldsig#enveloped-signature transform
2014-07-02 14:47:47,849 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "null")
2014-07-02 14:47:47,854 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.DigesterOutputStream - Pre-digested input:
2014-07-02 14:47:47,855 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.DigesterOutputStream - <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="http___app.application.us_app_saml_metadata_alias_defaultAlias" entityID="http://app.application.us/app/saml/metadata/alias/defaultAlias"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIICgjCCAesCBGpSpuowDQYJKoZIhvcNAQEFBQAwgYcxLzAtBgkqhkiG9w0BCQEWIHZsYWRpbWly
LnNjaGFmZXJAcm01c29mdHdhcmUuY29tMQswCQYDVQQGEwJGSTERMA8GA1UEBxMISGVsc2lua2kx
FTATBgNVBAoTDFJNNSBTb2Z0d2FyZTEMMAoGA1UECxMDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcN
MDgxMTI5MjIxNjA0WhcNMDkxMjI4MjIwMDAwWjCBhzEvMC0GCSqGSIb3DQEJARYgdmxhZGltaXIu
c2NoYWZlckBybTVzb2Z0d2FyZS5jb20xCzAJBgNVBAYTAkZJMREwDwYDVQQHEwhIZWxzaW5raTEV
MBMGA1UEChMMUk01IFNvZnR3YXJlMQwwCgYDVQQLEwNSJkQxDzANBgNVBAMTBmFwb2xsbzCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsoEvHts4n4EwloxJNueekYYF8xjoV1AtXHAAW0c+Qtb
uEXR8wG1QzSlcasTua+iGsC+wK4T8l0IH9Y3+oVaDVbpzrWr2li9zhJB+htJYZ0t7m+3GEIeNlr1
qkUum/uNxUthklrhg2zCVW0b4NFDP/jI4rARsAkGXa7z/AgonrUCAwEAATANBgkqhkiG9w0BAQUF
AAOBgQArpq022JktjH3EHw0b4+CFrPzAXFuSd8WXWzoT6YZTgbcLR9K38383mMXoBjHdX3SYr0uF
njEwP6gqo8KyzXxsqlvTkUSkGAAzxLuQ4rwnandQMr8H0Wq7x5Cwa7Z3NDT/Q4EE3xRJOpoRgjyH
STdzW1akQ9dX2Et/8TiJe6SHuQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIICgjCCAesCBGpSpuowDQYJKoZIhvcNAQEFBQAwgYcxLzAtBgkqhkiG9w0BCQEWIHZsYWRpbWly
LnNjaGFmZXJAcm01c29mdHdhcmUuY29tMQswCQYDVQQGEwJGSTERMA8GA1UEBxMISGVsc2lua2kx
FTATBgNVBAoTDFJNNSBTb2Z0d2FyZTEMMAoGA1UECxMDUiZEMQ8wDQYDVQQDEwZhcG9sbG8wHhcN
MDgxMTI5MjIxNjA0WhcNMDkxMjI4MjIwMDAwWjCBhzEvMC0GCSqGSIb3DQEJARYgdmxhZGltaXIu
c2NoYWZlckBybTVzb2Z0d2FyZS5jb20xCzAJBgNVBAYTAkZJMREwDwYDVQQHEwhIZWxzaW5raTEV
MBMGA1UEChMMUk01IFNvZnR3YXJlMQwwCgYDVQQLEwNSJkQxDzANBgNVBAMTBmFwb2xsbzCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArsoEvHts4n4EwloxJNueekYYF8xjoV1AtXHAAW0c+Qtb
uEXR8wG1QzSlcasTua+iGsC+wK4T8l0IH9Y3+oVaDVbpzrWr2li9zhJB+htJYZ0t7m+3GEIeNlr1
qkUum/uNxUthklrhg2zCVW0b4NFDP/jI4rARsAkGXa7z/AgonrUCAwEAATANBgkqhkiG9w0BAQUF
AAOBgQArpq022JktjH3EHw0b4+CFrPzAXFuSd8WXWzoT6YZTgbcLR9K38383mMXoBjHdX3SYr0uF
njEwP6gqo8KyzXxsqlvTkUSkGAAzxLuQ4rwnandQMr8H0Wq7x5Cwa7Z3NDT/Q4EE3xRJOpoRgjyH
STdzW1akQ9dX2Et/8TiJe6SHuQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://app.application.us/app/saml/SingleLogout/alias/defaultAlias"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://app.application.us/app/saml/SingleLogout/alias/defaultAlias"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://app.application.us/app/saml/SSO/alias/defaultAlias" index="0" isDefault="true"></md:AssertionConsumerService><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://app.application.us/app/saml/SSO/alias/defaultAlias" index="1"></md:AssertionConsumerService><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://app.application.us/app/saml/SSO/alias/defaultAlias" index="2"></md:AssertionConsumerService><md:AssertionConsumerService xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="http://app.application.us/app/saml/HoKSSO/alias/defaultAlias" index="3" hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"></md:AssertionConsumerService><md:AssertionConsumerService xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="http://app.application.us/app/saml/HoKSSO/alias/defaultAlias" index="4" hoksso:ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"></md:AssertionConsumerService></md:SPSSODescriptor></md:EntityDescriptor>
2014-07-02 14:47:47,858 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.SignerOutputStream - Canonicalized SignedInfo:
2014-07-02 14:47:47,858 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.SignerOutputStream - <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#http___app.application.us_app_saml_metadata_alias_defaultAlias"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>p/YIWZw2jbJJB4tTVBrLt5jmLrM=</ds:DigestValue></ds:Reference></ds:SignedInfo>
2014-07-02 14:47:47,888 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpConnection - Open connection to gateway-va.application.us:443
2014-07-02 14:47:52,891 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpMethodDirector - Closing the connection.
2014-07-02 14:47:52,891 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpMethodDirector - Method retry handler returned false. Automatic recovery will not be attempted
2014-07-02 14:47:52,891 [http-bio-8080-exec-1] DEBUG org.apache.commons.httpclient.HttpConnection - Releasing connection back to connection manager.
2014-07-02 14:47:52,893 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-07-02 14:47:52,894 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-07-02 14:47:52,894 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@3e0a52d3. A new one will be created.
2014-07-02 14:47:52,897 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 3 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/login/**'
2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/logout/**'
2014-07-02 14:47:52,906 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/metadata/**'
2014-07-02 14:47:52,907 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/saml/sso/alias/defaultalias'; against '/saml/sso/**'
2014-07-02 14:47:52,907 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.FilterChainProxy - /saml/SSO/alias/defaultAlias at position 1 of 1 in additional filter chain; firing Filter: 'SAMLProcessingFilter'
2014-07-02 14:47:52,907 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Request is to process authentication
2014-07-02 14:47:52,959 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Signature", "")
2014-07-02 14:47:52,959 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignedInfo", "")
2014-07-02 14:47:52,960 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignatureMethod", "")
2014-07-02 14:47:52,962 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Signature", "")
2014-07-02 14:47:52,962 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignedInfo", "")
2014-07-02 14:47:52,962 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:SignatureMethod", "")
2014-07-02 14:47:52,972 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Reference", "")
2014-07-02 14:47:52,972 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transforms", "")
2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - getElementByIdType() Search for ID _99f9607e4086b3e566244a576acf6b69
2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - getElementByIdUsingDOM() Search for ID _99f9607e4086b3e566244a576acf6b69
2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.IdResolver - I could find an Element using the simple getElementByIdUsingDOM method: samlp:Response
2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "")
2014-07-02 14:47:52,973 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.utils.ElementProxy - setElement("ds:Transform", "")
2014-07-02 14:47:52,974 [http-bio-8080-exec-1] DEBUG org.apache.xml.security.algorithms.JCEMapper - Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
2014-07-02 14:47:52,976 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Updated SecurityContextHolder to contain null Authentication
2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.saml.SAMLProcessingFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@5409ae
2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
2014-07-02 14:47:52,977 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-07-02 14:47:52,979 [http-bio-8080-exec-1] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2014-07-02 14:48:07,001 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/web/**'
2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/logout.jsp'
2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/favicon.ico'
2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 1 of 10 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
2014-07-02 14:48:07,002 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@33125360. A new one will be created.
2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 3 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
2014-07-02 14:48:07,003 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/login/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/logout/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/metadata/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/sso/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/ssohok/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/singlelogout/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.util.matcher.AntPathRequestMatcher - Checking match of request : '/index.jsp'; against '/saml/discovery/**'
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp has no matching filters
2014-07-02 14:48:07,004 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/app/; arg2=/app/ (property equals)
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - serverPort: arg1=8080; arg2=8080 (property equals)
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURL: arg1=http://application.us:8080/app/; arg2=http://application.us:8080/app/ (property equals)
2014-07-02 14:48:07,005 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - scheme: arg1=http; arg2=http (property equals)
2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - serverName: arg1=application.us; arg2=application.us (property equals)
2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - contextPath: arg1=/app; arg2=/app (property equals)
2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - servletPath: arg1=/index.jsp; arg2=/index.jsp (property equals)
2014-07-02 14:48:07,006 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - Removing DefaultSavedRequest from session if present
2014-07-02 14:48:07,009 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-07-02 14:48:07,011 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-07-02 14:48:07,012 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: 606210049192D854D1A0CB2BBB41861D; Granted Authorities: ROLE_ANONYMOUS'
2014-07-02 14:48:07,012 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-07-02 14:48:07,013 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-07-02 14:48:07,013 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.FilterChainProxy - /index.jsp at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]
2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: 606210049192D854D1A0CB2BBB41861D; Granted Authorities: ROLE_ANONYMOUS
2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@1ab2e368, returned: 0
2014-07-02 14:48:07,014 [http-bio-8080-exec-3] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@566fce89, returned: -1
2014-07-02 14:48:07,018 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:186)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:409)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1044)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:701)
2014-07-02 14:48:07,021 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://application.us:8080/app/]
2014-07-02 14:48:07,022 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.
2014-07-02 14:48:07,023 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-07-02 14:48:07,023 [http-bio-8080-exec-3] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
我们已经在托管SP的tomcat java keystone中安装了horizon证书,但没有效果。非常感谢您的帮助。Spring SAML中有一个功能,允许您更改扩展所显示的URL。您可以在(第9.1章)中找到详细信息。通过将上下文提供程序bean更改为,例如:
<bean id="contextProvider"
class="org.springframework.security.saml.context.SAMLContextProviderLB">
<property name="scheme" value="http"/>
<property name="serverName" value="app.application.us"/>
<property name="serverPort" value="80"/>
<property name="includeServerPortInRequestURL" value="false"/>
<property name="contextPath" value="/app"/>
</bean>
当然,您也可以更改元数据以包含正确的URL。您可以从这里将Spring SAML jar更新为主干版本,再次运行并发布新日志吗?自RC2以来,日志记录已经得到了改进,现在它将包括整个异常。来自地平线的错误似乎并不相关,它只是说明用户的一个属性不会包含在断言中。请确保您的系统时钟在两台机器上同步,这始终是可能出现的问题之一。谢谢Vladimir,我已升级到RC3。我在最初的问题中替换了日志消息,但是我没有看到更多的信息来解释我遗漏了什么。还有其他提示吗?恐怕新日志还没有完成,它在整个SAML交换之前调用entry point=时结束。你能把剩下的加上吗?这是我的错。您包括哪些slf4j绑定罐?您的日志记录配置是什么?问题是,您的日志似乎不包含来自Spring SAML(使用SLF4J)的任何消息,只包含来自Spring Security(使用commons日志)的消息,因此我们仍然缺少分析问题的关键部分。另一个选项是使用SAMLProcessingFilter第87行(SAMLException catch块)中的断点调试应用程序,并让我知道异常的内容。有没有办法在我的应用程序yaml配置中添加相同的配置
<bean id="contextProvider"
class="org.springframework.security.saml.context.SAMLContextProviderLB">
<property name="scheme" value="http"/>
<property name="serverName" value="app.application.us"/>
<property name="serverPort" value="80"/>
<property name="includeServerPortInRequestURL" value="false"/>
<property name="contextPath" value="/app"/>
</bean>