我的一个客户有一个ADFS系统,我们正在尝试使用SAML 2.0和spring boot来实现SSO。
他们在加载网站时出现错误。我可以在日志中看到:
org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:96) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:9.0.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.13]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:9.0.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.13]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:9.0.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.13]
at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:128) [spring-boot-2.2.4.RELEASE.jar:2.2.4.RELEASE]
at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:66) [spring-boot-2.2.4.RELEASE.jar:2.2.4.RELEASE]
at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:103) [spring-boot-2.2.4.RELEASE.jar:2.2.4.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:121) [spring-boot-2.2.4.RELEASE.jar:2.2.4.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:9.0.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.13]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.3.RELEASE.jar:5.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:9.0.13]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.13]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:9.0.13]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:9.0.13]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [catalina.jar:9.0.13]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [catalina.jar:9.0.13]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.13]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668) [catalina.jar:9.0.13]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [catalina.jar:9.0.13]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:9.0.13]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) [tomcat-coyote.jar:9.0.13]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:9.0.13]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791) [tomcat-coyote.jar:9.0.13]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417) [tomcat-coyote.jar:9.0.13]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:9.0.13]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [na:1.8.0_191]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [na:1.8.0_191]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:9.0.13]
at java.lang.Thread.run(Unknown Source) [na:1.8.0_191]
Caused by: org.opensaml.common.SAMLException: Unsupported request
at org.springframework.security.saml.processor.SAMLProcessorImpl.getBinding(SAMLProcessorImpl.java:265) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:85) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
... 58 common frames omitted
我的Spring启动项目基于我在github https://github.com/vdenotaris/spring-boot-security-saml-sample上找到的这个项目。>
我更改了以下课程:
@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(securedEnabled = true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements InitializingBean, DisposableBean { @Value("${saml.idp.metadata.file}") String metadataFilePath; @Value("${server.ssl.key-store}") String keystore; @Value("${server.ssl.key-store-password}") String storepass; @Value("${server.ssl.key-alias}") String keyAlias; @Value("${server.ssl.key-password}") String keyPass; // private Timer backgroundTaskTimer; private MultiThreadedHttpConnectionManager multiThreadedHttpConnectionManager; public void init() { // backgroundTaskTimer = new Timer(true); multiThreadedHttpConnectionManager = new MultiThreadedHttpConnectionManager(); } public void shutdown() { // backgroundTaskTimer.purge(); // backgroundTaskTimer.cancel(); multiThreadedHttpConnectionManager.shutdown(); } @Autowired private SAMLUserDetailsServiceImpl samlUserDetailsServiceImpl; // Initialization of the velocity engine @Bean public VelocityEngine velocityEngine() { return VelocityFactory.getEngine(); } // XML parser pool needed for OpenSAML parsing @Bean(initMethod = "initialize") public StaticBasicParserPool parserPool() { return new StaticBasicParserPool(); } @Bean(name = "parserPoolHolder") public ParserPoolHolder parserPoolHolder() { return new ParserPoolHolder(); } // Bindings, encoders and decoders used for creating and parsing messages @Bean public HttpClient httpClient() { return new HttpClient(multiThreadedHttpConnectionManager); } // SAML Authentication Provider responsible for validating of received SAML // messages @Bean public SAMLAuthenticationProvider samlAuthenticationProvider() { SAMLAuthenticationProvider samlAuthenticationProvider = new SAMLAuthenticationProvider(); samlAuthenticationProvider.setUserDetails(samlUserDetailsServiceImpl); samlAuthenticationProvider.setForcePrincipalAsString(false); return samlAuthenticationProvider; } // Provider of default SAML Context @Bean public SAMLContextProviderImpl contextProvider() { return new SAMLContextProviderImpl(); } // Initialization of OpenSAML library @Bean public static SAMLBootstrap sAMLBootstrap() { return new CustomSAMLBootstrap(); } // Logger for SAML messages and events @Bean public SAMLDefaultLogger samlLogger() { return new SAMLDefaultLogger(); } // SAML 2.0 WebSSO Assertion Consumer @Bean public WebSSOProfileConsumer webSSOprofileConsumer() { return new WebSSOProfileConsumerImpl(); } // SAML 2.0 Holder-of-Key WebSSO Assertion Consumer @Bean public WebSSOProfileConsumerHoKImpl hokWebSSOprofileConsumer() { return new WebSSOProfileConsumerHoKImpl(); } // SAML 2.0 Web SSO profile @Bean public WebSSOProfile webSSOprofile() { return new WebSSOProfileImpl(); } // SAML 2.0 Holder-of-Key Web SSO profile @Bean public WebSSOProfileConsumerHoKImpl hokWebSSOProfile() { return new WebSSOProfileConsumerHoKImpl(); } // SAML 2.0 ECP profile @Bean public WebSSOProfileECPImpl ecpprofile() { return new WebSSOProfileECPImpl(); } @Bean public SingleLogoutProfile logoutprofile() { return new SingleLogoutProfileImpl(); } // Central storage of cryptographic keys @Bean public KeyManager keyManager() { ClassPathResource classPathResource = new ClassPathResource(keystore); String storePass = storepass; Map<String, String> passwords = new HashMap<>(); passwords.put(keyAlias, keyPass); return new JKSKeyManager(classPathResource, storePass, passwords, keyAlias); } @Bean public WebSSOProfileOptions defaultWebSSOProfileOptions() { WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions(); webSSOProfileOptions.setIncludeScoping(false); return webSSOProfileOptions; } // Entry point to initialize authentication, default values taken from // properties file @Bean public SAMLEntryPoint samlEntryPoint() { SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint(); samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions()); return samlEntryPoint; } // Setup advanced info about metadata @Bean public ExtendedMetadata extendedMetadata() { ExtendedMetadata extendedMetadata = new ExtendedMetadata(); extendedMetadata.setIdpDiscoveryEnabled(true); extendedMetadata.setSigningAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"); extendedMetadata.setSignMetadata(true); extendedMetadata.setEcpEnabled(true); return extendedMetadata; } // IDP Discovery Service @Bean public SAMLDiscovery samlIDPDiscovery() { SAMLDiscovery idpDiscovery = new SAMLDiscovery(); idpDiscovery.setIdpSelectionPath("/saml/discovery"); return idpDiscovery; } // @Bean // @Qualifier("idp-ssocircle") // public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider() // throws MetadataProviderException { // String idpSSOCircleMetadataURL = "https://idp.ssocircle.com/meta-idp.xml"; // HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider( // this.backgroundTaskTimer, httpClient(), idpSSOCircleMetadataURL); // httpMetadataProvider.setParserPool(parserPool()); // ExtendedMetadataDelegate extendedMetadataDelegate = // new ExtendedMetadataDelegate(httpMetadataProvider, extendedMetadata()); // extendedMetadataDelegate.setMetadataTrustCheck(true); // extendedMetadataDelegate.setMetadataRequireSignature(false); // backgroundTaskTimer.purge(); // return extendedMetadataDelegate; // } @Bean @Qualifier("idp-ssocircle") public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider() throws MetadataProviderException { ClassPathResource classPathResource = new ClassPathResource(metadataFilePath); File samlMetadata = null; try { samlMetadata = classPathResource.getFile(); } catch (IOException e) { e.printStackTrace(); } FilesystemMetadataProvider filesystemMetadataProvider = null; try { filesystemMetadataProvider = new FilesystemMetadataProvider(samlMetadata); } catch (MetadataProviderException e) { e.printStackTrace(); } filesystemMetadataProvider.setParserPool(parserPool()); ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(filesystemMetadataProvider, extendedMetadata()); extendedMetadataDelegate.setMetadataTrustCheck(true); extendedMetadataDelegate.setMetadataRequireSignature(false); return extendedMetadataDelegate; } // IDP Metadata configuration - paths to metadata of IDPs in circle of trust // is here // Do no forget to call iniitalize method on providers @Bean @Qualifier("metadata") public CachingMetadataManager metadata() throws MetadataProviderException { List<MetadataProvider> providers = new ArrayList<MetadataProvider>(); providers.add(ssoCircleExtendedMetadataProvider()); return new CachingMetadataManager(providers); } // Filter automatically generates default SP metadata @Bean public MetadataGenerator metadataGenerator() { MetadataGenerator metadataGenerator = new MetadataGenerator(); metadataGenerator.setEntityId("test"); metadataGenerator.setExtendedMetadata(extendedMetadata()); metadataGenerator.setIncludeDiscoveryExtension(false); metadataGenerator.setKeyManager(keyManager()); return metadataGenerator; } // The filter is waiting for connections on URL suffixed with filterSuffix // and presents SP metadata there @Bean public MetadataDisplayFilter metadataDisplayFilter() { return new MetadataDisplayFilter(); } // Handler deciding where to redirect user after successful login @Bean public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() { SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler = new SavedRequestAwareAuthenticationSuccessHandler(); successRedirectHandler.setDefaultTargetUrl("/landing"); return successRedirectHandler; } // Handler deciding where to redirect user after failed login @Bean public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() { SimpleUrlAuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler(); failureHandler.setUseForward(true); failureHandler.setDefaultFailureUrl("/error"); return failureHandler; } @Bean public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter() throws Exception { SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter = new SAMLWebSSOHoKProcessingFilter(); samlWebSSOHoKProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler()); samlWebSSOHoKProcessingFilter.setAuthenticationManager(authenticationManager()); samlWebSSOHoKProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler()); return samlWebSSOHoKProcessingFilter; } // Processing filter for WebSSO profile messages @Bean public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception { SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter(); samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager()); samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler()); samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler()); return samlWebSSOProcessingFilter; } @Bean public MetadataGeneratorFilter metadataGeneratorFilter() { return new MetadataGeneratorFilter(metadataGenerator()); } // Handler for successful logout @Bean public SimpleUrlLogoutSuccessHandler successLogoutHandler() { SimpleUrlLogoutSuccessHandler successLogoutHandler = new SimpleUrlLogoutSuccessHandler(); successLogoutHandler.setDefaultTargetUrl("/"); return successLogoutHandler; } // Logout handler terminating local session @Bean public SecurityContextLogoutHandler logoutHandler() { SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler(); logoutHandler.setInvalidateHttpSession(true); logoutHandler.setClearAuthentication(true); return logoutHandler; } // Filter processing incoming logout messages // First argument determines URL user will be redirected to after successful // global logout @Bean public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() { return new SAMLLogoutProcessingFilter(successLogoutHandler(), logoutHandler()); } // Overrides default logout processing filter with the one processing SAML // messages @Bean public SAMLLogoutFilter samlLogoutFilter() { return new SAMLLogoutFilter(successLogoutHandler(), new LogoutHandler[] { logoutHandler() }, new LogoutHandler[] { logoutHandler() }); } // Bindings private ArtifactResolutionProfile artifactResolutionProfile() { final ArtifactResolutionProfileImpl artifactResolutionProfile = new ArtifactResolutionProfileImpl(httpClient()); artifactResolutionProfile.setProcessor(new SAMLProcessorImpl(soapBinding())); return artifactResolutionProfile; } @Bean public HTTPArtifactBinding artifactBinding(ParserPool parserPool, VelocityEngine velocityEngine) { return new HTTPArtifactBinding(parserPool, velocityEngine, artifactResolutionProfile()); } @Bean public HTTPSOAP11Binding soapBinding() { return new HTTPSOAP11Binding(parserPool()); } @Bean public HTTPPostBinding httpPostBinding() { return new HTTPPostBinding(parserPool(), velocityEngine()); } @Bean public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() { return new HTTPRedirectDeflateBinding(parserPool()); } @Bean public HTTPSOAP11Binding httpSOAP11Binding() { return new HTTPSOAP11Binding(parserPool()); } @Bean public HTTPPAOS11Binding httpPAOS11Binding() { return new HTTPPAOS11Binding(parserPool()); } // Processor @Bean public SAMLProcessorImpl processor() { Collection<SAMLBinding> bindings = new ArrayList<SAMLBinding>(); bindings.add(httpRedirectDeflateBinding()); bindings.add(httpPostBinding()); bindings.add(artifactBinding(parserPool(), velocityEngine())); bindings.add(httpSOAP11Binding()); bindings.add(httpPAOS11Binding()); return new SAMLProcessorImpl(bindings); } /** * Define the security filter chain in order to support SSO Auth by using SAML 2.0 * * @return Filter chain proxy * @throws Exception */ @Bean public FilterChainProxy samlFilter() throws Exception { List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>(); chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint())); chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter())); chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"), metadataDisplayFilter())); chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter())); chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"), samlWebSSOHoKProcessingFilter())); chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter())); chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"), samlIDPDiscovery())); return new FilterChainProxy(chains); } /** * Returns the authentication manager currently used by Spring. * It represents a bean definition with the aim allow wiring from * other classes performing the Inversion of Control (IoC). * * @throws Exception */ @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } /** * Defines the web based security configuration. * * @param http It allows configuring web based security for specific http requests. * @throws Exception */ @Override protected void configure(HttpSecurity http) throws Exception { http .httpBasic() .authenticationEntryPoint(samlEntryPoint()); http .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class) .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class) .addFilterBefore(samlFilter(), CsrfFilter.class); http .authorizeRequests() .antMatchers("/").permitAll() .antMatchers("/saml/**").permitAll() .antMatchers("/css/**").permitAll() .antMatchers("/img/**").permitAll() .antMatchers("/js/**").permitAll() .anyRequest().authenticated(); http .logout() .disable(); // The logout procedure is already handled by SAML filters. } /** * Sets a custom authentication provider. * * @param auth SecurityBuilder used to create an AuthenticationManager. * @throws Exception */ @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(samlAuthenticationProvider()); } @Override public void afterPropertiesSet() throws Exception { init(); } @Override public void destroy() throws Exception { shutdown(); } }
如何获得不支持的请求的更多信息?
编辑,我试图在日志中输出通过使用自定义SAMLProcessorImpl收到的请求消息:
public class CustomSAMLProcessorImpl extends SAMLProcessorImpl { private static final Logger LOG = LoggerFactory.getLogger(CustomSAMLProcessorImpl.class); public CustomSAMLProcessorImpl(Collection<SAMLBinding> bindings) { super(bindings); } @Override public SAMLMessageContext retrieveMessage(SAMLMessageContext samlContext) throws SAMLException, MetadataProviderException, MessageDecodingException, SecurityException { log(samlContext); return super.retrieveMessage(samlContext); } public void log(SAMLMessageContext context) { // Log operation StringBuilder sb = new StringBuilder(); if (context.getInboundMessageTransport() != null) { HTTPInTransport transport = (HTTPInTransport) context.getInboundMessageTransport(); sb.append(transport.getPeerAddress()); } // Log local entity ID sb.append(";"); if (context.getLocalEntityId() != null) { sb.append(context.getLocalEntityId()); } // Log peer entity ID sb.append(";"); if (context.getPeerEntityId() != null) { sb.append(context.getPeerEntityId()); } // Log SAML message sb.append(";"); try { if (context.getInboundSAMLMessage() != null) { String messageStr = XMLHelper.nodeToString(SAMLUtil.marshallMessage(context.getInboundSAMLMessage())); sb.append(messageStr); } if (context.getOutboundSAMLMessage() != null) { String messageStr = XMLHelper.nodeToString(SAMLUtil.marshallMessage(context.getOutboundSAMLMessage())); sb.append(messageStr); } } catch (MessageEncodingException e1) { LOG.warn("Error marshaling message during logging", e1); } LOG.info("---------------- AUDIT TRAIL START---------------"); LOG.info(sb.toString()); LOG.info("---------------- AUDIT TRAIL END---------------"); } }
然后我将WebSecurityConfig编辑如下:
@Bean public SAMLProcessorImpl processor() { Collection<SAMLBinding> bindings = new ArrayList<SAMLBinding>(); bindings.add(httpRedirectDeflateBinding()); bindings.add(httpPostBinding()); bindings.add(artifactBinding(parserPool(), velocityEngine())); bindings.add(httpSOAP11Binding()); bindings.add(httpPAOS11Binding()); return new CustomSAMLProcessorImpl(bindings); }
在日志中,我看到了:
---------------- AUDIT TRAIL START---------------
XXX.XX.XX.XX;test;;
---------------- AUDIT TRAIL END---------------
我的一个客户有一个ADFS系统,我们正在尝试使用SAML 2.0和spring boot来实现SSO。当他们加载网站时,它会出现一个错误。我可以在日志中看到:org ....
我已决定从存储库https://github.com/vdenotaris/spring-boot-security-saml-sample从头开始重建我的项目,并且它可以正常工作。