我正在使用以下Spring Security 1.0.2.RELEASE示例代码在JSP(下面的最后一个代码示例)中从Spring获取我的SAML Assertion。我正在尝试像在SAMPLE应用程序中那样做。我可以看到,我的sp.xml和idp.xml可以正常使用PingIdentity,它在日志中显示格式良好的SAML Assertion(请参阅下面的Ping日志断言)。但是当我查看下面的“标记”变量时(请参阅下面的Spring代码示例),缺少签名值和摘要值。 ......标签仍然存在,否则看起来像一个OK SAML2 Assertion ......但是有一些基本的值,比如签名,即使ping实际上确实传递了这些值也会丢失。奇怪,这些ID匹配,并且也没有下文包括,大量从平安到春天角色的正确显示在SAML断言“令牌” vaiable ...Spring Security SAML扩展,SAML断言,Mangled,签名丢失
从平:
2017-10-05 12:43:58,119 tid:fv0iEyiXUF5yhlB_-cZnExX0YTc DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] Transported Response. OutMessageContext:
OutMessageContext
XML: <samlp:Response Version="2.0" ID="F5FQ26j6o6VT0zNdZ4r87pDw8NT" IssueInstant="2017-10-05T10:43:58.072Z" InResponseTo="a1786b4f3g394b812f9edd3ca26c80g" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="VmzXJoyk.9mxifAuyt4.WWi3F1O" IssueInstant="2017-10-05T10:43:58.103Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>app1</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#VmzXJoyk.9mxifAuyt4.WWi3F1O">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>ZnT3MW5R1Nm9y/Pe8Br5m1BXXbXTc0VWeIIkUGyJaOI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>bHPhuD09Q2az7TxBvJo2LavF2N5YaroZoCNZzG17iJmSVycv0Gfq3liSKb2yIPhY0I9WVr8WwM/N
dw720okdsEuIbzuy/NYOlOCB3sFaZ6GmmU0FruUHyqjTjGOxHA6504KpvVQjEg3D5iJeNTovKtQR
tICvKjT4Hv9qTE3tg1viWTnih3xFM++gPffHhfKwWHjXMJTpyy5oQaviYUlQw7Elgv0cyN9ni/jJ
lFWC0QJJYXK8BwDdyY4MOqvTz8F4DgBnkwAQ+TnPUwuCRDL0ckW84knrWAh4qz18bQzVjSBpT+AI
7i6NiQ/1L/YnoRvRJ3EttAKUTEO3YrtkJPxcxQ==</ds:SignatureValue>
</ds:Signature>
<saml:Subject>
从春天(的值 “令牌” 下面):
<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="VmzXJoyk.9mxifAuyt4.WWi3F1O" IssueInstant="2017-10-05T10:43:58.103Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:Issuer>app1</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#VmzXJoyk.9mxifAuyt4.WWi3F1O">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
</ds:Signature>
弹簧安全代码:
<%@ page import="org.springframework.security.saml.SAMLCredential"%>
<%@ page import="org.springframework.security.core.context.SecurityContextHolder"%>
<%@ page import="org.springframework.security.core.Authentication"%>
<%@ page import="org.opensaml.saml2.core.Attribute"%>
<%@ page import="org.springframework.security.saml.util.SAMLUtil"%>
<%@ page import="org.opensaml.xml.util.XMLHelper"%>
(...)
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
(...)
String token = XMLHelper.nodeToString(SAMLUtil.marshallMessage(credential.getAuthenticationAssertion()));
仅供参考,在参考 “凭据” 变量中的Spring Security SAML应用摘录,credential.getAuthenticationAssertion()。getSignature( )使用签名algoythem返回一个对象,但Signature对象的所有其他成员都是null(keyInfo,keyLength等)。并且xmlSignature不可用,也许我正在阅读的openSAML API与Spring Security中的版本不同。 – tom