[Question title]: Processing SAML response with Spring SAML
[Posted]: 2014-09-20 16:30:36
[Question]:

I developed a Service Provider using Spring SAML. I have configured several IdPs, each with a different attribute naming convention.

  1. After the AuthN process completes successfully, can I log the entire SAML response (to the Tomcat logs/catalina.out file)?
  2. Is there any native feature to define an association between a given IdP's EntityID and the attribute that maps to the returned userID?
  3. I am also reading about the OID format: how do I correctly decode this kind of data?

Update:

Regarding the first question, following the documentation, I set up the debug logging and the authentication logging as follows:

// Logger for SAML messages and events
@Bean
public SAMLDefaultLogger samlDefaultLogger() {
    SAMLDefaultLogger samlDefaultLogger = new SAMLDefaultLogger();
    samlDefaultLogger.setLogMessages(true);
    samlDefaultLogger.setLogErrors(true);
    return samlDefaultLogger;
}

Then, by defining log4j.properties as follows

log4j.logger.org.springframework.security.saml=DEBUG
log4j.logger.org.opensaml=DEBUG

and by configuring the Maven pom.xml correctly

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-logging</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

Despite this, the full SAML response does not appear (I was expecting the XML message). The output is as follows:

[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- MetadataCredentialResolver: Attempting to retrieve credentials from cache using index: [http:/test.idp.prv/services/trust,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- MetadataCredentialResolver: Retrieved credentials from cache using index: [http:/test.idp.prv/services/trust,{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
[2014-07-29 14:13:51.985] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
[2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
[2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
[2014-07-29 14:13:51.986] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Attempting to verify signature and establish trust using KeyInfo-derived credentials
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Found 0 key names: []
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Processing KeyInfo child with qname: {http://www.w3.org/2000/09/xmldsig#}X509Data
[2014-07-29 14:13:51.987] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Provider org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
[2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Provider org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider doesn't handle objects of type {http://www.w3.org/2000/09/xmldsig#}X509Data, skipping
[2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Processing KeyInfo child {http://www.w3.org/2000/09/xmldsig#}X509Data with provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
[2014-07-29 14:13:51.988] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Attempting to extract credential from an X509Data
[2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Found 1 X509Certificates
[2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Found 0 X509CRLs
[2014-07-29 14:13:51.993] boot - 1118 DEBUG [http-bio-443-exec-38] --- InlineX509DataProvider: Single certificate was present, treating as end-entity certificate
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- BasicProviderKeyInfoCredentialResolver: A total of 1 credentials were resolved
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- EvaluableCredentialCriteriaRegistry: Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Attempting to validate signature using key from supplied credential
[2014-07-29 14:13:51.994] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Creating XMLSignature object
[2014-07-29 14:13:51.995] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
[2014-07-29 14:13:51.995] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- SignatureValidator: Signature validated with key from supplied credential
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Signature validation using candidate credential was successful
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Successfully verified signature using KeyInfo-derived credential
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Attempting to establish trust of KeyInfo-derived credential
[2014-07-29 14:13:51.999] boot - 1118 DEBUG [http-bio-443-exec-38] --- ExplicitKeyTrustEvaluator: Successfully validated untrusted credential against trusted key
[2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- BaseSignatureTrustEngine: Successfully established trust of KeyInfo-derived credential
[2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- WebSSOProfileConsumerImpl: Processing Bearer subject confirmation
[2014-07-29 14:13:52.000] boot - 1118 DEBUG [http-bio-443-exec-38] --- WebSSOProfileConsumerImpl: Verifying received AuthnContext org.opensaml.saml2.core.impl.AuthnContextImpl@3ab2fc5f against requested null
[2014-07-29 14:13:52.001] boot - 1118  INFO [http-bio-443-exec-38] --- PrismaUserDetailsServiceImpl: SAML Response      EntityID: urn:com:vdenotaris:mysp
[2014-07-29 14:13:52.001] boot - 1118  INFO [http-bio-443-exec-38] --- PrismaUserDetailsServiceImpl: SAML Response      RemoteEntityID: http:/test.idp.prv/services/trust

Note that the last two lines were defined manually by me.

[Question discussion]:

    Tags: spring saml saml-2.0 spring-saml


    [Answer 1]:
    1. You can use the debug logging (chapter 6.5) or the authentication log (chapter 9.5) with the logMessages property set to true. Both are able to log messages to catalina.out (since they simply send the log to slf4j).

    2. No, you need to implement such logic in your SAMLUserDetailsService.

    3. You can load all received attributes from the SAMLCredential object by calling getAttributeByName or getAttributes; the returned Attribute objects contain methods that allow you to parse any received attribute structure. There is no specific parser included in Spring SAML.

      Attributes with some OID-typed data are typically encoded as xsd:string or xsd:base64Binary; you can obtain the raw string value of both, as shown in the example in chapter 9.4. Providing further possibilities for parsing the encoded string into the corresponding Java type (based on the OID) is outside the scope of Spring SAML.

    Are you interested in some specific type/OID? Are you referring to this profile?
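    As an added illustration of point 2 (this is not code from the question or from Spring SAML itself): a hypothetical SAMLUserDetailsService that keeps a per-IdP table of which attribute carries the user id, keyed on credential.getRemoteEntityID(). The entity IDs and attribute names in the table are constructed placeholders, and the code assumes Spring SAML's getAttributeAsString returns the attribute's first value as a string (null when the IdP did not send it).

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/**
 * Hypothetical SAMLUserDetailsService: selects, per IdP EntityID, the attribute
 * that carries the user identifier. Entity IDs and attribute names are constructed
 * placeholders, not values from any real deployment.
 */
public class PerIdpUserDetailsService implements SAMLUserDetailsService {

    /** IdP EntityID -> name of the SAML attribute that holds the user id. */
    private final Map<String, String> userIdAttributeByIdp = new HashMap<String, String>();

    public PerIdpUserDetailsService() {
        // One IdP sends a friendly name, the other the LDAP "uid" OID (urn:oid:0.9.2342.19200300.100.1.1).
        userIdAttributeByIdp.put("https://idp-a.example.test/saml", "uid");
        userIdAttributeByIdp.put("https://idp-b.example.test/saml", "urn:oid:0.9.2342.19200300.100.1.1");
    }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // Only IdPs with an explicit mapping are accepted; an unknown issuer fails closed.
        String idp = credential.getRemoteEntityID();
        String attributeName = userIdAttributeByIdp.get(idp);
        if (attributeName == null) {
            throw new UsernameNotFoundException("No user-id attribute mapping for IdP " + idp);
        }
        // Missing or blank attribute means we cannot identify the principal: reject the login.
        String userId = credential.getAttributeAsString(attributeName);
        if (userId == null || userId.trim().isEmpty()) {
            throw new UsernameNotFoundException("IdP " + idp + " did not send attribute " + attributeName);
        }
        // SAML-authenticated users have no local password; an empty string satisfies User's null check.
        return new User(userId, "", Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }
}
```

    Register the class as the userDetails bean of SAMLAuthenticationProvider so it runs after Spring SAML has already validated the signature and subject confirmation of the response.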

    [Comments]:

    • The values in that document are just strings; you don't need any special parsing for them.
    • Make sure to read chapter 6.5 of the manual... it contains the following: log4j.logger.PROTOCOL_MESSAGE=DEBUG, which will start logging the content of your SAML messages.
    • Sorry, I completely missed that line!
    • No problem. By the way, for some reason I can't see the output of SAMLDefaultLogger in your log, which would otherwise contain the decrypted message. You might still want to investigate that; it could be some logging configuration issue. The line should look like this: 2014-07-29 15:46:54.676 INFO 7688 --- [nio-8080-exec-5] ossecurity.saml.log.SAMLDefaultLogger : AuthNRequest;SUCCESS;0:0:0:0:0:0:0:1;urn:it:miur:prisma;idp.ssocircle.com;;<?xml version="1.0" encoding="UTF- .....
    [Answer 2]:

    How about adding this:

    log4j.logger.PROTOCOL_MESSAGE=DEBUG
    

    or this, for Logback:

    <logger name="PROTOCOL_MESSAGE" level="DEBUG" />
    

    [Comments]:
