使用Spring SAML处理SAML响应
作者:互联网
我使用Spring SAML开发了一个服务提供者.
我已经配置了几个IdP,每个IdP都有不同的属性命名约定.
>成功的AuthN流程后,我可以在Tomcat的logs / catalina.out文件中记录整个SAML响应吗?
>是否存在一些本机功能,以便定义某个IdP的EntityID与映射返回的用户ID的属性之间的关联?
>我也在阅读有关OID格式的内容:如何正确解码此类数据?
更新:
关于第一个问题,根据文档,我设置了调试日志记录和身份验证日志记录,如下所示:
// Logger for SAML messages and events
@Bean
public SAMLDefaultLogger samlDefaultLogger() {
SAMLDefaultLogger samlDefaultLogger = new SAMLDefaultLogger();
samlDefaultLogger.setLogMessages(true);
samlDefaultLogger.setLogErrors(true);
return samlDefaultLogger;
}
然后,通过定义log4j.properties如下:
log4j.logger.org.springframework.security.saml=DEBUG
log4j.logger.org.opensaml=DEBUG
并通过正确配置Maven pom.xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
尽管如此,没有出现完整的SAML响应(我期待XML消息).输出如下:
[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- MetadataCredentialResolver: Attempting to retrieve credentials from cache using index: [http:/test.idp.prv/services/trust,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- MetadataCredentialResolver: Retrieved credentials from cache using index: [http:/test.idp.prv/services/trust,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
[2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
[2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
[2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Attempting to verify signature and establish trust using KeyInfo-derived credentials
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Found 0 key names: []
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
[2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
[2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
[2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Attempting to extract credential from an X509Data
[2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Found 1 X509Certificates
[2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Found 0 X509CRLs
[2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Single certificate was present, treating as end-entity certificate
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: A total of 1 credentials were resolved
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Attempting to validate signature using key from supplied credential
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Creating XMLSignature object
[2014-07-29 14:13:51.995] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
[2014-07-29 14:13:51.995] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Signature validated with key from supplied credential
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Signature validation using candidate credential was successful
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Successfully verified signature using KeyInfo-derived credential
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Attempting to establish trust of KeyInfo-derived credential
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- ExplicitKeyTrustEvaluator: Successfully validated untrusted credential against trusted key
[2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Successfully established trust of KeyInfo-derived credential
[2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- WebSSOProfileConsumerImpl: Processing Bearer subject confirmation
[2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- WebSSOProfileConsumerImpl: Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@3ab2fc5f against requested null
[2014-07-29 14:13:52.001] boot - 1118 INFO [http-bio-443-exec-38] --- PrismaUserDetailsServiceImpl: SAML Response EntityID: urn:com:vdenotaris:mysp
[2014-07-29 14:13:52.001] boot - 1118 INFO [http-bio-443-exec-38] --- PrismaUserDetailsServiceImpl: SAML Response RemoteEntityID: http:/test.idp.prv/services/trust
请注意,最后两行是由我手动定义的.
解决方法:
>您可以使用调试日志记录(chapter 6.5)或身份验证日志(chapter 9.5),并将logMessages属性设置为true.两者都能够将消息记录到catalina.out(因为它们只是将日志发送到slf4j).
>不,您需要为SAMLUserDetailsService实现此类逻辑
>您可以通过调用getAttributeByName和getAttributes从SAMLCredential对象加载所有接收的属性,返回的Attribute对象包含允许您解析任何接收的属性结构的方法. Spring SAML中没有包含特定的解析器.
具有某些OID类型的数据的属性通常编码为xsd:string或xsd:xsd:base64Binary,您可以获取两者的原始字符串值,如第9.4章的示例所示.提供将编码字符串解析为相应Java类型(基于OID)的其他可能性超出了Spring SAML的范围.
是否有一些你感兴趣的特殊类型/ OID?你指的是profile吗?
标签:saml-2-0,spring,saml,spring-saml 来源: https://codeday.me/bug/20190728/1561758.html