遇到使用最新库在Java Spring Boot中设置SAML 2.0的问题。
这里有一些相关的代码,但是让我知道是否有其他帮助:
@Bean
public KeyManager keyManager()
{
return new JKSKeyManager(keyStoreResource, keystorePassword, ImmutableMap.of(keystoreKeyAlias, keystorePrivateKeyPassword), keystoreKeyAlias);
}
@Bean
public SAMLDiscovery samlIDPDiscovery()
{
return new SAMLDiscovery();
}
@Bean
public MetadataDisplayFilter metadataDisplayFilter()
{
return new MetadataDisplayFilter();
}
@Bean
public TLSProtocolConfigurer tlsProtocolConfigurer()
{
TLSProtocolConfigurer t = new TLSProtocolConfigurer();
//t.setSslHostnameVerification("allowAll");
return t;
}
// Configure TLSProtocolConfigurer
@Bean
public ProtocolSocketFactory protocolSocketFactory()
{
//return new TLSProtocolSocketFactory(keyManager(), null, "defaultAndLocalhost");
return new TLSProtocolSocketFactory(keyManager(), null, "default");
}
@Bean
public Protocol protocol()
{
return new Protocol("https", protocolSocketFactory(), 443);
}
@Bean
public MethodInvokingFactoryBean socketFactoryInitialization()
{
MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
methodInvokingFactoryBean.setTargetClass(Protocol.class);
methodInvokingFactoryBean.setTargetMethod("registerProtocol");
methodInvokingFactoryBean.setArguments(new Object[] { "https", protocol() });
return methodInvokingFactoryBean;
}
@Bean
public CachingMetadataManager metadata() throws MetadataProviderException
{
HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(new Timer(true), httpClient(), idpUrl);
httpMetadataProvider.setParserPool(parserPool());
//ExtendedMetadata em = new ExtendedMetadata(); //Attempt to explicitly add cert alias to extended metadata
//em.setAlias(keystoreCertAlias);
//em.setSigningKey("*.product.company.com");
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider);//, em);
extendedMetadataDelegate.setMetadataTrustCheck(false);
return new CachingMetadataManager(ImmutableList.<MetadataProvider>of(extendedMetadataDelegate));
}
这里是错误:
2020-05-27 17:02:27.552 ERROR 41402 --- [ main] o.s.s.s.t.MetadataCredentialResolver : PKIX path construction failed for untrusted credential: [subjectName='CN=*.product.company.com,O=Company,L=Location,ST=state,C=US']: unable to find valid certification path to requested target
2020-05-27 17:02:27.556 INFO 41402 --- [ main] o.a.c.httpclient.HttpMethodDirector : I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: SSL peer failed hostname validation for name: null
2020-05-27 17:02:27.557 INFO 41402 --- [ main] o.a.c.httpclient.HttpMethodDirector : Retrying request
...
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233) ~[openws-1.5.4.jar:na]
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.4.jar:na]
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:na]
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.4.jar:na]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [opensaml-2.6.4.jar:na]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) [opensaml-2.6.4.jar:na]
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) [opensaml-2.6.4.jar:na]
at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at com.company.product.ProductApplication.main(ProductApplication.java:10) ~[classes/:na]
像这样创建JKS密钥库(带有附加密钥):
keytool -genkeypair \
-v \
-keystore product.jks \
-storepass hidden \
-alias product \
-dname 'CN=localhost, OU=Company, O=Org, L=Loc, ST=State, C=US' \
-keypass hidden \
-keyalg RSA \
-keysize 2048 \
-sigalg SHA256withRSA
我也包括了证书:Signature trust establishment failed for SAML metadata entry我的IDP提供的证书包含在我的密钥库中:
keytool -importcert \
-file cert.pem \
-keystore product.jks \
-alias idp-server \
-storepass hidden
我已经尝试过以下所有票证:
SSL peer failed hostname validation in Spring SAML试图添加包含在KeyManager的密码中的证书(我将证书密码设置为密钥库密码,因为该证书没有密码)
Spring Security SAML + HTTPS to another page在TLSProtocolConfigurer.setSslHostnameVerification中尝试了allowAll,并在TLSProtocolSocketFactory构造函数中尝试了defaultAndLocalhost。
Spring Security SAML IdP Metadata Certificate and Signature信任检查已被禁用:extendedMetadataDelegate.setMetadataTrustCheck(false);
Signature trust establishment failed for SAML metadata entry尝试在附加到委托的ExtendedMetadata中设置证书的别名:
ExtendedMetadata em = new ExtendedMetadata();
em.setAlias(keystoreCertAlias);
em.setSigningKey("*.product.company.com"); //This is obfuscated
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider, em);
我的倾向是,我使用证书错误地设置了密钥库。我尝试将PEM转换为crt和cer,以查看是否有任何不同,但没有。我可以向您保证,这是IDP证书,而不是域证书(仅供参考,这不是故意使用cacerts,而是在密钥库中包含该证书以使用HTTPS)。
任何想法/帮助都非常感谢!谢谢。
为了解决这个问题,我删除了tlsProtocolConfigurer
bean和与其关联的所有bean。我不完全确定为什么该示例包含此内容,因为没有它,它可以与HTTPS(和localhost)完美配合。
注意:我以为实际的问题是tlsProtocolConfigurer不在密钥库中找到证书,但是对于我的应用程序,不需要整个bean,因此成为了一个争论点。