I am trying to set up an SSO test environment with two domains on a server running Weblogic 10.2. I was able to log in successfully on the sample servlet in the SAML source domain and follow a link to a servlet in the SAML destination domain. This uses SAML 1.1 with a Browser/POST relying party, since that is the two-domain example given in the Oracle documentation, using a dummy appA and appB. (I don't have the link to the example handy, but it works fine.)
However, my goal is to test SAML 1.1 with the Browser/Artifact scenario. So I used the same security realm and set up a new AP for the destination domain and a new RP for the source domain (remember, they are both running on the same machine). I used the same SSL information and keystore/truststore/alias (in fact they all use the same self-signed certificate with the alias "localhost"). It fails on the destination application with a 403 error. I can see the artifact generated in the string:
https://localhost:7012/samlacs/acs?APID=ap_00002&SAMLart=AAH9R8ftHOp8ZwdBGik0ijXWFCYQZuUL%2FwTHd8JU%2Fo3aOkNGzkqbtuBm&TARGET=http://localhost:7010/appB/admin/services.jsp
But there is an error in the assertion lookup (or before the artifact is dereferenced). (The artifact does not match the log because I ran it again.) (Source domain):
Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: lookupStoredAssertions: fetching assertion for artifact 'AAH9R8ftHOp8ZwdBGik0ijXWFCYQZoF3demE97Ls8pVqYxvva+3Mka/9'>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: verifyDestinationSite: auth failure for partner 'rp_00002', client cert required but not provided>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: lookupStoredASsertions: auth failure: missing/invalid credentials for partner 'rp_00002'>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: dispatchAssertionRequest: destination site auth failure, returning FORBIDDEN>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <HttpRequest@20065100 - /samlars/ars: Writing headers for HttpRequest@20065100 - /samlars/ars>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySSL> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 160>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <Response committed. request: 'HttpRequest@20065100 - /samlars/ars' response: weblogic.servlet.internal.ServletResponseImpl@ea013e[
HTTP/1.1 403 Forbidden
Date: : Wed, 07 Nov 2012 23:04:59 GMT
Content-Length: : 1216
Content-Type: : text/html; charset=UTF-8
X-Powered-By: Servlet/2.5 JSP/2.1
]>
(Destination domain):
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLDestinationSiteHelper: Exception while sending/receiving request/response: org.opensaml.SAMLException: SAMLSOAPBinding.send(): Error response from server: '403 Forbidden'>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLDestinationSiteHelper: Unable to dereference artifact -- returning SC_FORBIDDEN>
###<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <HttpRequest@6557952 - /samlacs/acs: Writing headers for HttpRequest@6557952 - /samlacs/acs>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <HttpRequest@6557952 - /samlacs/acs: Wrote cookie: JSESSIONID=bkLSQhphfgFQGRnZNprd2kHJ71GGyPjsF91TMsn4pKkTMgLxcxVr!-98623638; path=/; HttpOnly>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySSL> <7PSS2Q1> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 250>
####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <Response committed. request: 'HttpRequest@6557952 - /samlacs/acs' response: weblogic.servlet.internal.ServletResponseImpl@2c3cd3[
HTTP/1.1 403 Forbidden
Date: : Wed, 07 Nov 2012 23:04:58 GMT
Content-Length: : 1216
Content-Type: : text/html
Set-Cookie: JSESSIONID=bkLSQhphfgFQGRnZNprd2kHJ71GGyPjsF91TMsn4pKkTMgLxcxVr!-98623638; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
]>
I can't see anywhere else to attach this missing client certificate in either the relying party or the asserting party. Does anyone know what the problem might be?
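As an added diagnostic example (not part of the question and not WebLogic's own code), the Python below decodes the type-0x0001 artifact from the ACS URL above into its 2-byte type code, 20-byte SourceID and 20-byte handle, and pulls the auth-failure lines out of the source-site debug log. The sample inputs are copied from the question; the regex on the `<SAMLSourceSite: method: message>` layout is my assumption about the log format.

```python
"""Added diagnostic helper (not from the question): decode a SAML 1.1
type-0x0001 artifact and pick out the source site's auth-failure lines."""
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

# Sample inputs copied from the question above: the ACS redirect URL, the
# artifact logged by the source site on the second run, and three debug lines.
ACS_URL = ("https://localhost:7012/samlacs/acs?APID=ap_00002"
           "&SAMLart=AAH9R8ftHOp8ZwdBGik0ijXWFCYQZuUL%2FwTHd8JU%2Fo3aOkNGzkqbtuBm"
           "&TARGET=http://localhost:7010/appB/admin/services.jsp")
LOGGED_ARTIFACT = "AAH9R8ftHOp8ZwdBGik0ijXWFCYQZoF3demE97Ls8pVqYxvva+3Mka/9"
SOURCE_LOG = """\
<BEA-000000> <SAMLSourceSite: verifyDestinationSite: auth failure for partner 'rp_00002', client cert required but not provided>
<BEA-000000> <SAMLSourceSite: lookupStoredASsertions: auth failure: missing/invalid credentials for partner 'rp_00002'>
<BEA-000000> <SAMLSourceSite: dispatchAssertionRequest: destination site auth failure, returning FORBIDDEN>
"""


@dataclass
class Artifact:
    type_code: int    # SAML 1.1 artifact type; 0x0001 is the one seen in the URL
    source_id: bytes  # 20-byte SHA-1 of the source site ID, used to pick the ARS
    handle: bytes     # 20-byte random handle, meaningful only to the source site


def decode_artifact(b64: str) -> Artifact:
    """Split a type-1 artifact: 2-byte type code + 20-byte SourceID + 20-byte handle."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 42:
        raise ValueError(f"type-1 artifact must be 42 bytes, got {len(raw)}")
    type_code = int.from_bytes(raw[:2], "big")
    if type_code != 1:
        raise ValueError(f"unexpected artifact type 0x{type_code:04x}")
    return Artifact(type_code, raw[2:22], raw[22:])


def artifact_from_acs_url(url: str) -> Artifact:
    """Pull SAMLart out of the ACS redirect; parse_qs undoes the %2F escaping."""
    return decode_artifact(parse_qs(urlparse(url).query)["SAMLart"][0])


# Assumed layout of the relevant debug lines: <SAMLSourceSite: method: message>
AUTH_FAILURE = re.compile(r"<SAMLSourceSite: (\w+): ([^>]*auth failure[^>]*)>")


def auth_failures(log_text: str) -> List[Tuple[str, str]]:
    """Return (method, message) for each source-site line reporting an auth failure."""
    return AUTH_FAILURE.findall(log_text)
```

Both artifacts decode to the same SourceID with different handles, so the destination resolved the correct ARS and the 403 comes from the back-channel check named first in the log, verifyDestinationSite, before the assertion lookup.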