Spring security Spring Security-SAML证书可以';无法验证
我正在使用Spring security Spring Security-SAML证书可以';无法验证,spring-security,spring-saml,opensaml,simplesamlphp,Spring Security,Spring Saml,Opensaml,Simplesamlphp,我正在使用org.springframework.security:spring-security-saml2-service-provider版本5.3.3.RELEASE以及2.3.1.RELEASE版本中的spring-boot starter security来保护它 我使用docker图像kristophjunge/test saml idp作为身份提供者进行测试 当从Maven、IntelliJ或它的主要方法执行应用程序时,身份验证工作正常。当我从它构建war文件并在本地机器上的to
org.springframework.security:spring-security-saml2-service-provider5.3.3.RELEASE2.3.1.RELEASE版本中的spring-boot starter security
来保护它
我使用docker图像kristophjunge/test saml idp
作为身份提供者进行测试
当从Maven、IntelliJ或它的主要方法执行应用程序时,身份验证工作正常。当我从它构建war文件并在本地机器上的tomcat服务器(版本9)中执行应用程序时,身份验证工作正常
如果我将war文件部署到远程服务器,Ubuntu 20.04.1 LTS、相同的JDK、openjdk 14.0.1、相同的tomcat、相同的docker映像、相同的证书,则应用程序无法验证该证书
我已经为opensaml启用了调试日志。在我的计算机上成功的身份验证如下所示:
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Signature validation using candidate credential was successful
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
[http-nio-8080-exec-3] DEBUG org.opensaml.security.trust.impl.ExplicitKeyTrustEvaluator - Successfully validated untrusted credential against trusted key
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Successfully established trust of KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Signature validation using candidate credential was successful
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Failed to establish trust of KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
远程服务器上的日志输出如下所示:
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Signature validation using candidate credential was successful
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
[http-nio-8080-exec-3] DEBUG org.opensaml.security.trust.impl.ExplicitKeyTrustEvaluator - Successfully validated untrusted credential against trusted key
[http-nio-8080-exec-3] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Successfully established trust of KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Signature validation using candidate credential was successful
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Successfully verified signature using KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Attempting to establish trust of KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Failed to establish trust of KeyInfo-derived credential
[http-nio-8080-exec-41] DEBUG org.opensaml.xmlsec.signature.support.impl.BaseSignatureTrustEngine - Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
我修补了自签名证书,认为错误可能来自于在非本地主机域上访问的应用程序。我创建了一个根证书,将其添加到JDK的cacerts密钥库中,并从中派生出IDP的证书。重新启动tomcat,不起作用
但真正奇怪的是:如果我将应用程序作为一个独立的jar文件运行,那么认证过程就可以工作,即使是在远程服务器上。不幸的是,这对我来说不可行。我只能使用集成的tomcat服务器进行开发
我使用Kotlin配置了如下安全性:
@EnableWebSecurity
class SecurityConfig(/* autowired configuration properties */) {
override fun configure(http: HttpSecurity) {
http
.authorizeRequests()
.antMatchers("/error").permitAll()
.anyRequest().authenticated()
.and()
.saml2Login()
.relyingPartyRegistrationRepository(
InMemoryRelyingPartyRegistrationRepository(
relyingPartyRegistration()
))
.authenticationManager(DbBasedUserDetailsService(rightsRepository))
}
private fun relyingPartyRegistration(): RelyingPartyRegistration =
RelyingPartyRegistration
.withRegistrationId(registrationId)
.providerDetails {
it.entityId(entityId)
it.webSsoUrl(webSsoUrl)
}
.assertionConsumerServiceUrlTemplate(assertionUrlTemplate)
.credentials {
it.add(
Saml2X509Credential(
x509Certificate(idpKey),
Saml2X509Credential.Saml2X509CredentialType.VERIFICATION))
}.credentials {
it.add(
Saml2X509Credential(
privateKey(),
x509Certificate(localCert),
Saml2X509Credential.Saml2X509CredentialType.SIGNING))
}
.build()
private fun privateKey(): PrivateKey =
KeyFactory
.getInstance("RSA")
.generatePrivate(PKCS8EncodedKeySpec(privateKey.inputStream.readBytes()))
private fun x509Certificate(res: Resource) =
CertificateFactory
.getInstance("X.509")
.generateCertificate(res.inputStream)
as X509Certificate
}
它基本上类似于javadoc示例
有人能给我一个线索吗