2016-04-18 85 views
2

Correct SAML TLSProtocolSocketFactory configuration

I use Spring SAML to authenticate users.
By default, the SAML implementation refreshes its metadata every hour.
The first run through org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh() works, but all subsequent calls (invoked by the timer) fail:

INFO: org.apache.commons.httpclient.HttpMethodDirector - Retrying request 
ERROR: org.springframework.security.saml.trust.MetadataCredentialResolver - PKIX path construction failed for untrusted credential: [subjectName='CONTENT_REMOVED_FOR_STACKOVERFLOW']: unable to find valid certification path to requested target 
ERROR: org.opensaml.saml2.metadata.provider.HTTPMetadataProvider - Error retrieving metadata from https://HOSTNAME/PATH?cmd=metadata 
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null 
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233) 
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194) 
    at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97) 
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) 
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) 
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) 
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) 
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) 
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) 
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:260) 
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider$RefreshMetadataTask.run(AbstractReloadingMetadataProvider.java:521) 
    at java.util.TimerThread.mainLoop(Timer.java:555) 
    at java.util.TimerThread.run(Timer.java:505) 
DEBUG: org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider - Error occurred while attempting to refresh metadata from 'https://HOSTNAME/PATH?cmd=metadata' 
org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://HOSTNAME/PATH?cmd=metadata 
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) 
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:260) 
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider$RefreshMetadataTask.run(AbstractReloadingMetadataProvider.java:521) 
    at java.util.TimerThread.mainLoop(Timer.java:555) 
    at java.util.TimerThread.run(Timer.java:505) 
Caused by: javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null 
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233) 
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194) 
    at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97) 
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) 
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) 
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) 
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) 
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) 
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) 
    ... 4 common frames omitted 

I tracked it down to the org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer bean.

<bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer"> 
    <property name="sslHostnameVerification" value="default"/> 
    <property name="keyManager" ref="keyManager"/> 
</bean> 

The afterPropertiesSet() of this bean replaces the previous socket factory (org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory) registered for the https protocol (org.apache.commons.httpclient.protocol.Protocol) with org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.

So the first call uses org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory, which works, and all the timer calls use org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory, which fails.

If I remove TLSProtocolConfigurer from my Spring configuration, everything works. The question is, can I do that?
Is this a bug I should report?

Answer

0

The exception says it could not verify the hostname defined in the certificate. So your timer is executing against a host whose name does not match the name in the certificate. So this is not a bug.

+0

OK, but why does 'org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory' not throw an exception? The whole 'refresh()' works, while 'org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory' fails.

+0

Are your "first call" and the scheduler's calls going to the same host(-name)? If so, it looks like the Spring TLSProtocolSocketFactory has hostname verification enabled by default, whereas the OpenSAML TLSProtocolSocketFactory does not. There should be a property or similar to set this....

+0

Yes, the first and the scheduler calls go to the same host. In the OpenSAML TLSProtocolSocketFactory, "hostnameVerifier" is set to "XMLTOOLING_STRICT". In the 'verifyHostname()' method the host is verified without an exception.
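To make concrete what a strict hostname check like the one behind "SSL peer failed hostname validation for name: null" actually decides, here is an added Python illustration (not OpenSAML's or Spring SAML's code): it applies RFC 6125-style rules to a constructed certificate view (subject CN plus SAN dNSName entries) and treats a missing hostname as a failure rather than a silent pass.

```python
"""Added example: minimal strict hostname verification against a certificate.
Illustrative only; IDP_CERT is a constructed dict, not a real certificate."""


class HostnameMismatch(Exception):
    pass


def _label_matches(pattern: str, hostname: str) -> bool:
    # Case-insensitive exact match, or a single leftmost wildcard label that
    # covers exactly one label: "*.sso.example.org" matches
    # "login.sso.example.org" but not "sso.example.org" or "a.b.sso.example.org".
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    h_labels = h.split(".")
    return len(h_labels) >= 3 and ".".join(h_labels[1:]) == p[2:]


def verify_hostname(cert: dict, hostname) -> str:
    """Return the certificate name that matched, or raise HostnameMismatch.
    Strict rules: a None/empty hostname can never verify (the 'name: null'
    case), and when SAN dNSName entries exist the subject CN is ignored."""
    if not hostname:
        raise HostnameMismatch("no hostname to verify against (name: None)")
    dns_names = [v for k, v in cert.get("subjectAltName", []) if k == "DNS"]
    candidates = dns_names if dns_names else [cert.get("commonName", "")]
    for name in candidates:
        if name and _label_matches(name, hostname):
            return name
    raise HostnameMismatch(f"{hostname!r} does not match {candidates}")


# Constructed certificate view resembling an IdP's TLS certificate.
IDP_CERT = {
    "commonName": "old-idp.example.org",
    "subjectAltName": [("DNS", "idp.example.org"), ("DNS", "*.sso.example.org")],
}

if __name__ == "__main__":
    for host in ["idp.example.org", "login.sso.example.org", "old-idp.example.org", None]:
        try:
            print(host, "->", verify_hostname(IDP_CERT, host))
        except HostnameMismatch as e:
            print(host, "-> rejected:", e)
```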