用Spring-SAML处理SAML响应_Spring_Saml_Saml 2.0_Spring Saml

用Spring-SAML处理SAML响应

spring

用Spring-SAML处理SAML响应,spring,saml,saml-2.0,spring-saml,Spring,Saml,Saml 2.0,Spring Saml,我使用Spring SAML开发了一个服务提供商。我已经配置了几个IDP，每个IDP都有不同的属性命名约定在成功的AuthN过程之后，我是否可以（在Tomcat的logs/catalina.out文件上）记录整个SAML响应是否有一些本机特性来定义特定IdP的EntityID与映射返回的用户ID的属性之间的关联我也在阅读有关OID格式的文章：如何正确解码此类数据更新：关于第一个问题，根据文档，我设置了调试日志和身份验证日志，如下所示： // Logger for SAML mess

我使用Spring SAML开发了一个服务提供商。我已经配置了几个IDP，每个IDP都有不同的属性命名约定

在成功的AuthN过程之后，我是否可以（在Tomcat的

logs/catalina.out

文件上）记录整个SAML响应

是否有一些本机特性来定义特定IdP的
EntityID
与映射返回的
用户ID
的属性之间的关联

我也在阅读有关OID格式的文章：如何正确解码此类数据

更新：
关于第一个问题，根据文档，我设置了调试日志和身份验证日志，如下所示：

// Logger for SAML messages and events @Bean public SAMLDefaultLogger samlDefaultLogger() { SAMLDefaultLogger samlDefaultLogger = new SAMLDefaultLogger(); samlDefaultLogger.setLogMessages(true); samlDefaultLogger.setLogErrors(true); return samlDefaultLogger; }

log4j.logger.org.springframework.security.saml=DEBUG log4j.logger.org.opensaml=DEBUG

[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- MetadataCredentialResolver: Attempting to retrieve credentials from cache using index: [http:/test.idp.prv/services/trust,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING] [2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- MetadataCredentialResolver: Retrieved credentials from cache using index: [http:/test.idp.prv/services/trust,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING] [2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria [2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria [2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria [2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria [2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Attempting to verify signature and establish trust using KeyInfo-derived credentials [2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Found 0 key names: [] [2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data [2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping [2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping [2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider [2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Attempting to extract credential from an X509Data [2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Found 1 X509Certificates [2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Found 0 X509CRLs [2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Single certificate was present, treating as end-entity certificate [2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider [2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: A total of 1 credentials were resolved [2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria [2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Attempting to validate signature using key from supplied credential [2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Creating XMLSignature object [2014-07-29 14:13:51.995] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1 [2014-07-29 14:13:51.995] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' [2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Signature validated with key from supplied credential [2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Signature validation using candidate credential was successful [2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Successfully verified signature using KeyInfo-derived credential [2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Attempting to establish trust of KeyInfo-derived credential [2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- ExplicitKeyTrustEvaluator: Successfully validated untrusted credential against trusted key [2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Successfully established trust of KeyInfo-derived credential [2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- WebSSOProfileConsumerImpl: Processing Bearer subject confirmation [2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- WebSSOProfileConsumerImpl: Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@3ab2fc5f against requested null [2014-07-29 14:13:52.001] boot - 1118 INFO [http-bio-443-exec-38] --- PrismaUserDetailsServiceImpl: SAML Response EntityID: urn:com:vdenotaris:mysp [2014-07-29 14:13:52.001] boot - 1118 INFO [http-bio-443-exec-38] --- PrismaUserDetailsServiceImpl: SAML Response RemoteEntityID: http:/test.idp.prv/services/trust
然后，通过定义
log4j.properties
如下：

// Logger for SAML messages and events @Bean public SAMLDefaultLogger samlDefaultLogger() { SAMLDefaultLogger samlDefaultLogger = new SAMLDefaultLogger(); samlDefaultLogger.setLogMessages(true); samlDefaultLogger.setLogErrors(true); return samlDefaultLogger; }

log4j.logger.org.springframework.security.saml=DEBUG log4j.logger.org.opensaml=DEBUG

[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- MetadataCredentialResolver: Attempting to retrieve credentials from cache using index: [http:/test.idp.prv/services/trust,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING] [2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- MetadataCredentialResolver: Retrieved credentials from cache using index: [http:/test.idp.prv/services/trust,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING] [2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria [2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria [2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria [2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria [2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Attempting to verify signature and establish trust using KeyInfo-derived credentials [2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Found 0 key names: [] [2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data [2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping [2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping [2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider [2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Attempting to extract credential from an X509Data [2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Found 1 X509Certificates [2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Found 0 X509CRLs [2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Single certificate was present, treating as end-entity certificate [2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider [2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: A total of 1 credentials were resolved [2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria [2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Attempting to validate signature using key from supplied credential [2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Creating XMLSignature object [2014-07-29 14:13:51.995] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1 [2014-07-29 14:13:51.995] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' [2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Signature validated with key from supplied credential [2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Signature validation using candidate credential was successful [2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Successfully verified signature using KeyInfo-derived credential [2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Attempting to establish trust of KeyInfo-derived credential [2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- ExplicitKeyTrustEvaluator: Successfully validated untrusted credential against trusted key [2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Successfully established trust of KeyInfo-derived credential [2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- WebSSOProfileConsumerImpl: Processing Bearer subject confirmation [2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- WebSSOProfileConsumerImpl: Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@3ab2fc5f against requested null [2014-07-29 14:13:52.001] boot - 1118 INFO [http-bio-443-exec-38] --- PrismaUserDetailsServiceImpl: SAML Response EntityID: urn:com:vdenotaris:mysp [2014-07-29 14:13:52.001] boot - 1118 INFO [http-bio-443-exec-38] --- PrismaUserDetailsServiceImpl: SAML Response RemoteEntityID: http:/test.idp.prv/services/trust
通过正确配置Maven
pom.xml

<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter</artifactId> <exclusions> <exclusion> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-logging</artifactId> </exclusion> </exclusions> </dependency>
请注意，最后两行是由我手动定义的

您可以使用调试日志（）或身份验证日志（），并将
logMessages
属性设置为
true
。两者都能够将消息记录到catalina.out（因为它们只是将日志发送到slf4j）

不需要，您需要将这种逻辑实现到
SAMLUserDetailsService

您可以通过调用
getAttributeByName
和
getAttributes
，从
SAMLCredential
对象加载所有接收到的属性，返回的
Attribute
对象包含允许您解析任何接收到的属性结构的方法。Spring SAML中没有包含特定的解析器
具有某些OID类型数据的属性通常编码为
xsd:string
或
xsd:xsd:base64Binary
，您可以获得这两个属性的原始字符串值，如第9.4章的示例所示。提供将编码字符串解析为相应Java类型（基于OID）的其他可能性超出了Spring SAML的范围

你对它感兴趣吗？你指的是这个吗？
添加这个怎么样：

log4j.logger.PROTOCOL_MESSAGE=DEBUG
或者这是回写：

<logger name="PROTOCOL_MESSAGE" level="DEBUG" />

我应该解析此类响应：该文档中的值只是字符串，您不需要对它们进行任何特殊解析。请务必阅读手册中的第6.5章。。。它包含以下内容：log4j.logger.PROTOCOL_MESSAGE=DEBUG，它将开始记录SAML消息的内容。抱歉，我完全错过了这一行！没问题。顺便说一句，由于某些原因，我在日志中没有看到SAMLDefaultLogger的输出，否则会包含解密的消息。您可能仍然希望了解这一点，这可能是一些日志配置问题。该行应该如下所示：2014-07-29 15:46:54.676 INFO 7688---[nio-8080-exec-5]o.s.security.saml.log.SAMLDefaultLogger:AuthNRequest；成功；0:0:0:0:0:0:0:1;urn:it:miur:prisma；www.ssoccircle.com ;；；