1. 首页
  2. 问答
  3. Spring Security SAML扩展,SAML断言,Mangled,签名丢失

Spring Security SAML扩展,SAML断言,Mangled,签名丢失

2017-10-05 235 views
0

我正在使用以下Spring Security 1.0.2.RELEASE示例代码在JSP(下面的最后一个代码示例)中从Spring获取我的SAML Assertion。我正在尝试像在SAMPLE应用程序中那样做。我可以看到,我的sp.xml和idp.xml可以正常使用PingIdentity,它在日志中显示格式良好的SAML Assertion(请参阅下面的Ping日志断言)。但是当我查看下面的“标记”变量时(请参阅下面的Spring代码示例),缺少签名值和摘要值。 ......标签仍然存在,否则看起来像一个OK SAML2 Assertion ......但是有一些基本的值,比如签名,即使ping实际上确实传递了这些值也会丢失。奇怪,这些ID匹配,并且也没有下文包括,大量从平安到春天角色的正确显示在SAML断言“令牌” vaiable ...Spring Security SAML扩展,SAML断言,Mangled,签名丢失

从平:

2017-10-05 12:43:58,119 tid:fv0iEyiXUF5yhlB_-cZnExX0YTc DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] Transported Response. OutMessageContext: 
OutMessageContext 
XML: <samlp:Response Version="2.0" ID="F5FQ26j6o6VT0zNdZ4r87pDw8NT" IssueInstant="2017-10-05T10:43:58.072Z" InResponseTo="a1786b4f3g394b812f9edd3ca26c80g" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml:Issuer> 
    <samlp:Status> 
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> 
    </samlp:Status> 
    <saml:Assertion ID="VmzXJoyk.9mxifAuyt4.WWi3F1O" IssueInstant="2017-10-05T10:43:58.103Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> 
    <saml:Issuer>app1</saml:Issuer> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
     <ds:SignedInfo> 
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
     <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> 
     <ds:Reference URI="#VmzXJoyk.9mxifAuyt4.WWi3F1O"> 
      <ds:Transforms> 
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
      </ds:Transforms> 
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
      <ds:DigestValue>ZnT3MW5R1Nm9y/Pe8Br5m1BXXbXTc0VWeIIkUGyJaOI=</ds:DigestValue> 
     </ds:Reference> 
     </ds:SignedInfo> 
     <ds:SignatureValue>bHPhuD09Q2az7TxBvJo2LavF2N5YaroZoCNZzG17iJmSVycv0Gfq3liSKb2yIPhY0I9WVr8WwM/N 
dw720okdsEuIbzuy/NYOlOCB3sFaZ6GmmU0FruUHyqjTjGOxHA6504KpvVQjEg3D5iJeNTovKtQR 
tICvKjT4Hv9qTE3tg1viWTnih3xFM++gPffHhfKwWHjXMJTpyy5oQaviYUlQw7Elgv0cyN9ni/jJ 
lFWC0QJJYXK8BwDdyY4MOqvTz8F4DgBnkwAQ+TnPUwuCRDL0ckW84knrWAh4qz18bQzVjSBpT+AI 
7i6NiQ/1L/YnoRvRJ3EttAKUTEO3YrtkJPxcxQ==</ds:SignatureValue> 
    </ds:Signature> 
    <saml:Subject>

从春天(的值 “令牌” 下面):

<?xml version="1.0" encoding="UTF-8"?> 
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="VmzXJoyk.9mxifAuyt4.WWi3F1O" IssueInstant="2017-10-05T10:43:58.103Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> 
    <saml:Issuer>app1</saml:Issuer> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
     <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> 
      <ds:Reference URI="#VmzXJoyk.9mxifAuyt4.WWi3F1O"> 
       <ds:Transforms> 
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
         <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> 
        </ds:Transform> 
       </ds:Transforms> 
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
       <ds:DigestValue/> 
      </ds:Reference> 
     </ds:SignedInfo> 
     <ds:SignatureValue/> 
    </ds:Signature>

弹簧安全代码:

<%@ page import="org.springframework.security.saml.SAMLCredential"%> 
<%@ page import="org.springframework.security.core.context.SecurityContextHolder"%> 
<%@ page import="org.springframework.security.core.Authentication"%> 
<%@ page import="org.opensaml.saml2.core.Attribute"%> 
<%@ page import="org.springframework.security.saml.util.SAMLUtil"%> 
<%@ page import="org.opensaml.xml.util.XMLHelper"%> 
(...) 
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); 
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials(); 
    (...)         
    String token = XMLHelper.nodeToString(SAMLUtil.marshallMessage(credential.getAuthenticationAssertion()));

来源

2017-10-05 tom

+0

仅供参考,在参考 “凭据” 变量中的Spring Security SAML应用摘录,credential.getAuthenticationAssertion()。getSignature( )使用签名algoythem返回一个对象,但Signature对象的所有其他成员都是null(keyInfo,keyLength等)。并且xmlSignature不可用,也许我正在阅读的openSAML API与Spring Security中的版本不同。 – tom

回答

0

加入这并拿回我的签名。什么说你知道用户错误?

<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"> 
    <property name="releaseDOM" value="false" /> 
</bean>

..added Spring Security使用SAML Extenion文件 “securityContext.xml”

来源

2017-10-05 13:56:29 tom

相关问题

 相关问题