Correct SAML TLSProtocolSocketFactory configuration

I use Spring SAML to authenticate users. By default the SAML implementation refreshes its metadata every hour via org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(). The first run works, but all of its subsequent calls (invoked by the timer) fail:
INFO: org.apache.commons.httpclient.HttpMethodDirector - Retrying request
ERROR: org.springframework.security.saml.trust.MetadataCredentialResolver - PKIX path construction failed for untrusted credential: [subjectName='CONTENT_REMOVED_FOR_STACKOVERFLOW']: unable to find valid certification path to requested target
ERROR: org.opensaml.saml2.metadata.provider.HTTPMetadataProvider - Error retrieving metadata from https://HOSTNAME/PATH?cmd=metadata
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:260)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider$RefreshMetadataTask.run(AbstractReloadingMetadataProvider.java:521)
at java.util.TimerThread.mainLoop(Timer.java:555)
at java.util.TimerThread.run(Timer.java:505)
DEBUG: org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider - Error occurred while attempting to refresh metadata from 'https://HOSTNAME/PATH?cmd=metadata'
org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://HOSTNAME/PATH?cmd=metadata
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:260)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider$RefreshMetadataTask.run(AbstractReloadingMetadataProvider.java:521)
at java.util.TimerThread.mainLoop(Timer.java:555)
at java.util.TimerThread.run(Timer.java:505)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250)
... 4 common frames omitted
I tracked it down to the org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer bean.
<bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer">
    <property name="sslHostnameVerification" value="default"/>
    <property name="keyManager" ref="keyManager"/>
</bean>
In afterPropertiesSet() this bean replaces the socket factory previously registered for the https protocol (org.apache.commons.httpclient.protocol.Protocol), org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory, with org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.
So the first call uses org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory, which works, while all the timer-driven calls use org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory, which fails.
If I remove the TLSProtocolConfigurer from my Spring configuration, everything works. The question is: can I do that? Or is this a bug I should report?
OK, but why doesn't 'org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory' throw an exception? The whole 'refresh()' works; 'org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory' fails. –
Are your "first call" and the scheduler's calls to the same host(name)? If so, then it looks like the Spring TLSProtocolSocketFactory has hostname verification enabled by default, while the OpenSAML TLSProtocolSocketFactory does not. There should be a property or similar to set this.... –
Yes, the first call and the scheduler calls go to the same host. In the OpenSAML TLSProtocolSocketFactory, "hostnameVerifier" is set to "XMLTOOLING_STRICT". In the 'verifyHostname()' method the host is verified without an exception. –