1. 首頁
  2. 問答
  3. Spring Security SAML擴展,SAML斷言,Mangled,簽名丟失

Spring Security SAML擴展,SAML斷言,Mangled,簽名丟失

2017-10-05 129 views
0

我正在使用以下Spring Security 1.0.2.RELEASE示例代碼在JSP(下面的最後一個代碼示例)中從Spring獲取我的SAML Assertion。我正在嘗試像在SAMPLE應用程序中那樣做。我可以看到,我的sp.xml和idp.xml可以正常使用PingIdentity,它在日誌中顯示格式良好的SAML Assertion(請參閱下面的Ping日誌斷言)。但是當我查看下面的「標記」變量時(請參閱下面的Spring代碼示例),缺少簽名值和摘要值。 ......標籤仍然存在,否則看起來像一個OK SAML2 Assertion ......但是有一些基本的值,比如簽名,即使ping實際上確實傳遞了這些值也會丟失。奇怪,這些ID匹配,並且也沒有下文包括,大量從平安到春天角色的正確顯示在SAML斷言「令牌」 vaiable ...Spring Security SAML擴展,SAML斷言,Mangled,簽名丟失

從平:

2017-10-05 12:43:58,119 tid:fv0iEyiXUF5yhlB_-cZnExX0YTc DEBUG [org.sourceid.saml20.bindings.LoggingInterceptor] Transported Response. OutMessageContext: 
OutMessageContext 
XML: <samlp:Response Version="2.0" ID="F5FQ26j6o6VT0zNdZ4r87pDw8NT" IssueInstant="2017-10-05T10:43:58.072Z" InResponseTo="a1786b4f3g394b812f9edd3ca26c80g" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> 
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">app1</saml:Issuer> 
    <samlp:Status> 
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> 
    </samlp:Status> 
    <saml:Assertion ID="VmzXJoyk.9mxifAuyt4.WWi3F1O" IssueInstant="2017-10-05T10:43:58.103Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> 
    <saml:Issuer>app1</saml:Issuer> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
     <ds:SignedInfo> 
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
     <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> 
     <ds:Reference URI="#VmzXJoyk.9mxifAuyt4.WWi3F1O"> 
      <ds:Transforms> 
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
      </ds:Transforms> 
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> 
      <ds:DigestValue>ZnT3MW5R1Nm9y/Pe8Br5m1BXXbXTc0VWeIIkUGyJaOI=</ds:DigestValue> 
     </ds:Reference> 
     </ds:SignedInfo> 
     <ds:SignatureValue>bHPhuD09Q2az7TxBvJo2LavF2N5YaroZoCNZzG17iJmSVycv0Gfq3liSKb2yIPhY0I9WVr8WwM/N 
dw720okdsEuIbzuy/NYOlOCB3sFaZ6GmmU0FruUHyqjTjGOxHA6504KpvVQjEg3D5iJeNTovKtQR 
tICvKjT4Hv9qTE3tg1viWTnih3xFM++gPffHhfKwWHjXMJTpyy5oQaviYUlQw7Elgv0cyN9ni/jJ 
lFWC0QJJYXK8BwDdyY4MOqvTz8F4DgBnkwAQ+TnPUwuCRDL0ckW84knrWAh4qz18bQzVjSBpT+AI 
7i6NiQ/1L/YnoRvRJ3EttAKUTEO3YrtkJPxcxQ==</ds:SignatureValue> 
    </ds:Signature> 
    <saml:Subject>

從春天(的值 「令牌」 下面):

<?xml version="1.0" encoding="UTF-8"?> 
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="VmzXJoyk.9mxifAuyt4.WWi3F1O" IssueInstant="2017-10-05T10:43:58.103Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> 
    <saml:Issuer>app1</saml:Issuer> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
     <ds:SignedInfo> 
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> 
      <ds:Reference URI="#VmzXJoyk.9mxifAuyt4.WWi3F1O"> 
       <ds:Transforms> 
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> 
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> 
         <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> 
        </ds:Transform> 
       </ds:Transforms> 
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
       <ds:DigestValue/> 
      </ds:Reference> 
     </ds:SignedInfo> 
     <ds:SignatureValue/> 
    </ds:Signature>

彈簧安全代碼:

<%@ page import="org.springframework.security.saml.SAMLCredential"%> 
<%@ page import="org.springframework.security.core.context.SecurityContextHolder"%> 
<%@ page import="org.springframework.security.core.Authentication"%> 
<%@ page import="org.opensaml.saml2.core.Attribute"%> 
<%@ page import="org.springframework.security.saml.util.SAMLUtil"%> 
<%@ page import="org.opensaml.xml.util.XMLHelper"%> 
(...) 
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); 
    SAMLCredential credential = (SAMLCredential) authentication.getCredentials(); 
    (...)         
    String token = XMLHelper.nodeToString(SAMLUtil.marshallMessage(credential.getAuthenticationAssertion()));

來源

2017-10-05 tom

+0

僅供參考,在參考 「憑據」 變量中的Spring Security SAML應用摘錄,credential.getAuthenticationAssertion()。getSignature( )使用簽名algoythem返回一個對象,但Signature對象的所有其他成員都是null(keyInfo,keyLength等)。並且xmlSignature不可用,也許我正在閱讀的openSAML API與Spring Security中的版本不同。 – tom

回答

0

加入這並拿回我的簽名。什麼說你知道用戶錯誤?

<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"> 
    <property name="releaseDOM" value="false" /> 
</bean>

..added Spring Security使用SAML Extenion文件 「securityContext.xml」

來源

2017-10-05 13:56:29 tom

相關問題

 相關問題