我有使用Spring Security支持基于SAML的SSO的应用程序。 从 CAS(例如 PingFederate)成功进行身份验证后,我收到以下错误: 错误 [STDERR] java.security.KeyStoreException: 未初始化的密钥库
我正在使用 spring-security-saml2 核心.jar 实现版本:1.0.5.RELEASE,创建者:1.8.0_144(甲骨文公司)相同。
这在 JAVA 8 之前有效,但在迁移到 JAVA 11 后停止工作。 经过一些调查,我知道这是因为密钥库类型 PKCS12 在 JAVA 9 及更高版本中是默认的(在 java 9 之前是 JKS)。
但是我正在使用的 spring security SAML 扩展 [spring-security-saml2-core.jar Implementation-Version: 1.0.5.RELEASE, Created-By: 1.8.0_144 (Oracle Corporation)] 只有JKSKeyManager和EmptyKeyManager实现。
我尝试实现org.springframework.security.saml.key.KeyManager接口以支持PKCS12KeyManager,这样它就可以读取pkcs12密钥库。但这行不通。
解决方法:
- Update keystore.type property from <JAVAInstallDir>confsecurityjava.security file to keystore.type=pkcs12
- Restart the application and it works as it was working before.
注意:此解决方法将影响使用相同 JAVA 的所有应用程序。因此,我正在寻找解决方案。
这就是我加载密钥管理器 bean 的方式:
@Bean
public KeyManager keyManager() {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource storeFile = loader
.getResource(properties.getStoreFile());
String storePass = properties.getStorePass();
Map<String, String> passwords = new HashMap<>();
passwords.put(properties.getDefaultKey(), properties.getPassword());
String defaultKey = properties.getDefaultKey();
return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}
我希望基于 SAML 的 SSO 应该可以顺利运行(迁移到 JAVA 11 后),但出现以下错误(堆栈跟踪):
2019-04-04 16:09:34,644 ERROR [STDERR] java.security.KeyStoreException: Uninitialized keystore
2019-04-04 16:09:34,646 ERROR [STDERR] at java.base/java.security.KeyStore.aliases(KeyStore.java:1267)
2019-04-04 16:09:34,647 ERROR [STDERR] at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:233)
2019-04-04 16:09:34,648 ERROR [STDERR] at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
2019-04-04 16:09:34,649 ERROR [STDERR] at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:170)
2019-04-04 16:09:34,653 ERROR [STDERR] at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:175)
2019-04-04 16:09:34,655 ERROR [STDERR] at org.apache.commons.ssl.TrustMaterial.<clinit>(TrustMaterial.java:88)
2019-04-04 16:09:34,656 ERROR [STDERR] at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
2019-04-04 16:09:34,657 ERROR [STDERR] at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
2019-04-04 16:09:34,658 ERROR [STDERR] at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
2019-04-04 16:09:34,659 ERROR [STDERR] at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.extractCertificates(InlineX509DataProvider.java:192)
2019-04-04 16:09:34,660 ERROR [STDERR] at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.process(InlineX509DataProvider.java:126)
2019-04-04 16:09:34,661 ERROR [STDERR] at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChild(BasicProviderKeyInfoCredentialResolver.java:300)
2019-04-04 16:09:34,667 ERROR [STDERR] at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChildren(BasicProviderKeyInfoCredentialResolver.java:256)
2019-04-04 16:09:34,668 ERROR [STDERR] at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfo(BasicProviderKeyInfoCredentialResolver.java:190)
2019-04-04 16:09:34,669 ERROR [STDERR] at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.resolveFromSource(BasicProviderKeyInfoCredentialResolver.java:149)
2019-04-04 16:09:34,670 ERROR [STDERR] at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
2019-04-04 16:09:34,671 ERROR [STDERR] at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
2019-04-04 16:09:34,673 ERROR [STDERR] at org.opensaml.security.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:275)
2019-04-04 16:09:34,674 ERROR [STDERR] at org.springframework.security.saml.trust.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:123)
2019-04-04 16:09:34,678 ERROR [STDERR] at org.opensaml.security.MetadataCredentialResolver.resolveFromSource(MetadataCredentialResolver.java:178)
2019-04-04 16:09:34,680 ERROR [STDERR] at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
2019-04-04 16:09:34,681 ERROR [STDERR] at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
2019-04-04 16:09:34,682 ERROR [STDERR] at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:98)
2019-04-04 16:09:34,683 ERROR [STDERR] at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)
2019-04-04 16:09:34,684 ERROR [STDERR] at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:104)
2019-04-04 16:09:34,686 ERROR [STDERR] at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:91)
2019-04-04 16:09:34,687 ERROR [STDERR] at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:128)
2019-04-04 16:09:34,691 ERROR [STDERR] at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
2019-04-04 16:09:34,692 ERROR [STDERR] at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
2019-04-04 16:09:34,694 ERROR [STDERR] at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
2019-04-04 16:09:34,695 ERROR [STDERR] at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
2019-04-04 16:09:34,696 ERROR [STDERR] at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
2019-04-04 16:09:34,697 ERROR [STDERR] at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
2019-04-04 16:09:34,698 ERROR [STDERR] at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
2019-04-04 16:09:34,704 ERROR [STDERR] at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
2019-04-04 16:09:34,705 ERROR [STDERR] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2019-04-04 16:09:34,706 ERROR [STDERR] at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
2019-04-04 16:09:34,708 ERROR [STDERR] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2019-04-04 16:09:34,709 ERROR [STDERR] at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
2019-04-04 16:09:34,710 ERROR [STDERR] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2019-04-04 16:09:34,717 ERROR [STDERR] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2019-04-04 16:09:34,718 ERROR [STDERR] at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
2019-04-04 16:09:34,719 ERROR [STDERR] at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
2019-04-04 16:09:34,720 ERROR [STDERR] at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
2019-04-04 16:09:34,721 ERROR [STDERR] at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
2019-04-04 16:09:34,724 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2019-04-04 16:09:34,729 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2019-04-04 16:09:34,730 ERROR [STDERR] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
2019-04-04 16:09:34,731 ERROR [STDERR] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
2019-04-04 16:09:34,732 ERROR [STDERR] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
2019-04-04 16:09:34,734 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
2019-04-04 16:09:34,735 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
2019-04-04 16:09:34,736 ERROR [STDERR] at mks.frame.server.services.PTCErrorReportValve.invoke(PTCErrorReportValve.java:108)
2019-04-04 16:09:34,741 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
2019-04-04 16:09:34,742 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
2019-04-04 16:09:34,743 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
2019-04-04 16:09:34,744 ERROR [STDERR] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
2019-04-04 16:09:34,745 ERROR [STDERR] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
2019-04-04 16:09:34,747 ERROR [STDERR] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1506)
2019-04-04 16:09:34,748 ERROR [STDERR] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
2019-04-04 16:09:34,749 ERROR [STDERR] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
2019-04-04 16:09:34,762 ERROR [STDERR] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
2019-04-04 16:09:34,764 ERROR [STDERR] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
2019-04-04 16:09:34,765 ERROR [STDERR] at java.base/java.lang.Thread.run(Thread.java:834)
2019-04-04 16:09:34,777 ERROR [mksis.IntegrityServer] * * * * ERROR * * * * (0): ilm-https-jsse-nio-443-exec-2: javax.servlet.ServletException -- javax.servlet.ServletException: Filter execution threw an exception
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
有没有人遇到过这个问题并有解决方案?
我遇到了同样的问题。
将 spring-security-saml2 核心升级到 1.0.9。 他们用Not-Going-to-be-Commons-SSL取代了Not-Yet-Commons-SSL
https://github.com/spring-projects/spring-security-saml/issues/263