10

我正在尝试将Spring Saml 库集成到示例 Web 应用程序中,使用 Shibboleth 作为 IDP。我能够加载登录页面,登录并显示索引页面。

问题是当我点击其他链接时,webapp 将我重定向到登录页面,然后 IDP 识别我并重定向到请求的页面(如果网络速度很快,很难看到这一点)。就像我没有登录 Spring 安全性一样。

我检查了日志,发现了这个:

org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession 返回了 SPRING_SECURITY_CONTEXT 的空对象 将创建一个新的。

这是 web.xml

<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/root-context.xml
        /WEB-INF/spring/security/securityContext.xml
    </param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Processes application requests -->
<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>



<!-- Custom error pages -->
<error-page>
    <error-code>400</error-code>
    <location>/errors/missing-en.html</location>
</error-page>
<error-page>
    <error-code>401</error-code>
    <location>/errors/restricted-en.html</location>
</error-page>
<error-page>
    <error-code>403</error-code>
    <location>/errors/restricted-en.html</location>
</error-page>
<error-page>
    <error-code>404</error-code>
    <location>/errors/missing-en.html</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <location>/errors/missing-en.html</location>
</error-page>
<error-page>
    <error-code>503</error-code>
    <location>/errors/missing-en.html</location>
</error-page>

和 securityContext

<beans xmlns="http://www.springframework.org/schema/beans" 
xmlns:security="http://www.springframework.org/schema/security" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.1.xsd 
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context.xsd">

<!-- Enable autowiring -->
<context:annotation-config />
<context:component-scan base-package="org.springframework.security.saml" />

<security:http pattern="/logout.jsp" security="none" />
<security:http pattern="/login.jsp" security="none" />
<security:http pattern="/index.html" security="none" />

<security:http entry-point-ref="samlEntryPoint">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" />
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" />
</security:http>

<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
        <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint" />
        <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter" />
        <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter" />
        <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter" />
        <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter" />
    </security:filter-chain-map>
</bean>

<!-- Handler deciding where to redirect user after successful login -->
<bean id="successRedirectHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/" />
</bean>
<!-- Use the following for interpreting RelayState coming from unsolicited response as redirect URL: <bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler"> 
    <property name="defaultTargetUrl" value="/" /> </bean> -->

<!-- Handler for successful logout -->
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
    <property name="defaultTargetUrl" value="/logout.jsp" />
</bean>

<!-- Register authentication manager with SAML provider -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="samlAuthenticationProvider" />
</security:authentication-manager>

<!-- Logger for SAML messages and events -->
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger" />

<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="/WEB-INF/spring/security/myKeystore.jks" />
    <constructor-arg type="java.lang.String" value="betfair" />
    <constructor-arg>
        <map>
            <entry key="tomcat" value="betfair" />
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="tomcat" />
</bean>

<!-- Entry point to initialize authentication, default values taken from properties file -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
    <property name="defaultProfileOptions">
        <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
            <property name="includeScoping" value="false" />
        </bean>
    </property>
</bean>

<!-- IDP Discovery Service -->
<bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
    <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp" />
</bean>

<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator" />
    </constructor-arg>
</bean>

<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter" />

<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<!-- Do no forget to call iniitalize method on providers -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>

            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">/WEB-INF/spring/security/shibboleth.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool" />
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">/WEB-INF/spring/security/localhost_sp.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool" />
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="local" value="true" />
                        <property name="alias" value="localhost" />
                        <property name="securityProfile" value="metaiop" />
                        <property name="sslSecurityProfile" value="pkix" />
                        <property name="signingKey" value="tomcat" />
                        <property name="encryptionKey" value="tomcat" />
                        <property name="tlsKey" value="tomcat" />
                        <property name="requireArtifactResolveSigned" value="false" />
                        <property name="requireLogoutRequestSigned" value="false" />
                        <property name="requireLogoutResponseSigned" value="false" />
                    </bean>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>      
    <!-- OPTIONAL used when one of the metadata files contains information about this service provider -->
    <property name="hostedSPName" value="localhost"/>
    <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. -->
    <!-- <property name="defaultIDP" value="http://localhost:8080/opensso"/> -->
</bean>

<!-- SAML Authentication Provider responsible for validating of received SAML messages -->
<bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
    <!-- OPTIONAL property: can be used to store/load user data after login -->
    <!-- <property name="userDetails" ref="bean" /> -->
</bean>

<!-- Provider of default SAML Context -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" />

<!-- Processing filter for WebSSO profile messages -->
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="successRedirectHandler" />
</bean>

<!-- Processing filter for WebSSO Holder-of-Key profile -->
<bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="successRedirectHandler" />
</bean>

<!-- Logout handler terminating local session -->
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    <property name="invalidateHttpSession" value="false" />
</bean>

<!-- Override default logout processing filter with the one processing SAML messages -->
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
    <constructor-arg ref="successLogoutHandler" />
    <constructor-arg ref="logoutHandler" />
    <constructor-arg ref="logoutHandler" />
</bean>

<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
    <constructor-arg ref="successLogoutHandler" />
    <constructor-arg ref="logoutHandler" />
</bean>

<!-- Class loading incoming SAML messages from httpRequest stream -->
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
    <constructor-arg>
        <list>
            <ref bean="redirectBinding" />
            <ref bean="postBinding" />
            <ref bean="artifactBinding" />
            <ref bean="soapBinding" />
            <ref bean="paosBinding" />
        </list>
    </constructor-arg>
</bean>

<!-- SAML 2.0 WebSSO Assertion Consumer -->
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl" />

<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl" />

<!-- SAML 2.0 Web SSO profile -->
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl" />

<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl" />

<!-- SAML 2.0 ECP profile -->
<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl" />

<!-- SAML 2.0 Logout Profile -->
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl" />

<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
    <constructor-arg ref="parserPool" />
    <constructor-arg ref="velocityEngine" />
</bean>

<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
    <constructor-arg ref="parserPool" />
</bean>

<bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
    <constructor-arg ref="parserPool" />
    <constructor-arg ref="velocityEngine" />
    <constructor-arg>
        <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
            <constructor-arg>
                <bean class="org.apache.commons.httpclient.HttpClient" />
            </constructor-arg>
            <property name="processor">
                <bean id="soapProcessor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
                    <constructor-arg ref="soapBinding" />
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>

<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
    <constructor-arg ref="parserPool" />
</bean>

<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
    <constructor-arg ref="parserPool" />
</bean>

<!-- Initialization of OpenSAML library -->
<bean class="org.springframework.security.saml.SAMLBootstrap" />

<!-- Initialization of the velocity engine -->
<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine" />

<!-- XML parser pool needed for OpenSAML parsing -->
<bean id="parserPool" class="org.opensaml.xml.parse.BasicParserPool" scope="singleton" />

任何的想法?

谢谢伊曼纽尔

4

2 回答 2

2

I've experienced the same problem. After debugging realized that SecurityContext is cleared before it's persisted. After googling I found this: https://jira.springsource.org/browse/SEC-2027 Moving to spring security version 3.1.2 solved it for me.

I hope it will help someone.

于 2012-10-14T13:02:31.100 回答
-5

如果您对使用 Spring 并不特别,或者您可以先尝试一些可行的方法,然后再转到 Spring,这里有一个很好的教程。我试过这个,它有效:

http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity.html

博客作者 Filip 反应迅速,如有必要,您可以从他那里得到澄清。

于 2012-10-02T16:51:44.747 回答