使用最新库在Java Spring Boot中设置SAML 2.0时遇到此问题。
我遵循了本指南: https://www.programcreek.com/java-api-examples/?code=choonchernlim%2Fspring-security-adfs-saml2%2Fspring-security-adfs-saml2-master
这是一些相关的代码,但如果还有其他帮助,请告诉我:
@Bean
public KeyManager keyManager()
{
return new JKSKeyManager(keyStoreResource, keystorePassword, ImmutableMap.of(keystoreKeyAlias, keystorePrivateKeyPassword), keystoreKeyAlias);
}
@Bean
public SAMLDiscovery samlIDPDiscovery()
{
return new SAMLDiscovery();
}
@Bean
public MetadataDisplayFilter metadataDisplayFilter()
{
return new MetadataDisplayFilter();
}
@Bean
public TLSProtocolConfigurer tlsProtocolConfigurer()
{
TLSProtocolConfigurer t = new TLSProtocolConfigurer();
//t.setSslHostnameVerification("allowAll");
return t;
}
// Configure TLSProtocolConfigurer
@Bean
public ProtocolSocketFactory protocolSocketFactory()
{
//return new TLSProtocolSocketFactory(keyManager(), null, "defaultAndLocalhost");
return new TLSProtocolSocketFactory(keyManager(), null, "default");
}
@Bean
public Protocol protocol()
{
return new Protocol("https", protocolSocketFactory(), 443);
}
@Bean
public MethodInvokingFactoryBean socketFactoryInitialization()
{
MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
methodInvokingFactoryBean.setTargetClass(Protocol.class);
methodInvokingFactoryBean.setTargetMethod("registerProtocol");
methodInvokingFactoryBean.setArguments(new Object[] { "https", protocol() });
return methodInvokingFactoryBean;
}
@Bean
public CachingMetadataManager metadata() throws MetadataProviderException
{
HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(new Timer(true), httpClient(), idpUrl);
httpMetadataProvider.setParserPool(parserPool());
//ExtendedMetadata em = new ExtendedMetadata(); //Attempt to explicitly add cert alias to extended metadata
//em.setAlias(keystoreCertAlias);
//em.setSigningKey("*.product.company.com");
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider);//, em);
extendedMetadataDelegate.setMetadataTrustCheck(false);
return new CachingMetadataManager(ImmutableList.<MetadataProvider>of(extendedMetadataDelegate));
}
这是错误:
2020-05-27 17:02:27.552 ERROR 41402 --- [ main] o.s.s.s.t.MetadataCredentialResolver : PKIX path construction failed for untrusted credential: [subjectName='CN=*.product.company.com,O=Company,L=Location,ST=state,C=US']: unable to find valid certification path to requested target
2020-05-27 17:02:27.556 INFO 41402 --- [ main] o.a.c.httpclient.HttpMethodDirector : I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: SSL peer failed hostname validation for name: null
2020-05-27 17:02:27.557 INFO 41402 --- [ main] o.a.c.httpclient.HttpMethodDirector : Retrying request
...
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233) ~[openws-1.5.4.jar:na]
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186) ~[openws-1.5.4.jar:na]
at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:na]
at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.4.jar:na]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [opensaml-2.6.4.jar:na]
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) [opensaml-2.6.4.jar:na]
at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) [opensaml-2.6.4.jar:na]
at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) [spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
at com.company.product.ProductApplication.main(ProductApplication.java:10) ~[classes/:na]
像这样创建 JKS 密钥库(使用附加的密钥(:
keytool -genkeypair
-v
-keystore product.jks
-storepass hidden
-alias product
-dname 'CN=localhost, OU=Company, O=Org, L=Loc, ST=State, C=US'
-keypass hidden
-keyalg RSA
-keysize 2048
-sigalg SHA256withRSA
我也包括了证书: SAML 元数据条目的签名信任建立失败 我的 IDP 提供的证书包含在我的密钥库中:
keytool -importcert
-file cert.pem
-keystore product.jks
-alias idp-server
-storepass hidden
我已经尝试了以下所有票:
SSL 对等体在 Spring SAML 中失败的主机名验证 尝试在密钥管理器中添加密码中包含的证书(我将证书密码设置为密钥库密码,因为证书没有密钥库密码(
Spring Security SAML + HTTPS 到另一个页面 在 TLSProtocolConfigurer.setSslHostnameVerification 和 defaultAndLocalhost in TLSProtocolSocketFactory 构造函数中尝试了 allowAll。
Spring 安全 SAML IdP 元数据证书和签名 信任检查已禁用: extendedMetadataDelegate.setMetadataTrustCheck(false(;
SAML 元数据条目的签名信任建立失败 已尝试在附加到委托的扩展元数据中设置证书的别名:
ExtendedMetadata em = new ExtendedMetadata();
em.setAlias(keystoreCertAlias);
em.setSigningKey("*.product.company.com"); //This is obfuscated
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(httpMetadataProvider, em);
我的倾向是我使用证书错误地设置了密钥库。我尝试将 PEM 转换为 crt 和 cer,看看它是否会有任何区别,但没有。我可以向您保证,这是 IDP 证书,而不是域证书(仅供参考,这是故意不使用 cacert,而是在密钥库中包含证书以使用 HTTPS(。
任何想法/帮助都非常感谢! 谢谢。
为了解决这个问题,我删除了tlsProtocolConfigurer豆和与之相关的所有豆子。我不完全确定为什么示例包含它,因为它在没有它的 HTTPS(和本地主机(下工作得很好。
注意: 我假设实际问题是 tlsProtocolConfigurer 没有在密钥库中找到证书,但对于我的应用程序来说,整个 bean 不是必需的,所以它成为一个有争议的问题。