0

在 securityContext.xml 中配置 IDP 后尝试运行服务器时出现以下异常。

原因:org.opensaml.saml2.metadata.provider.FilterException:元数据条目的签名信任建立失败

我看到http://forum.spring.io/forum/spring-projects/security/saml/108450-getting-error-signature-trust-establishment-failed-for-metadata-entry链接中有一个解决方法,它说,通过在包含您的 IDP 元数据的 ExtendedMetadataDelegate bean 上将属性 metadataTrustCheck 设置为 false。

但我不想更新 saml2 核心 api,而是可以在 securityContext.xml 中设置 metadataTrustCheck。如果是这样,如何设置它。我尝试如下。但仍然得到同样的错误。

<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">classpath:metadata/services/MyMetadata.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
<property name="metadataTrustCheck" value="false"/>
</bean>

我的 MetadataManager 定义如下:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/services/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <!-- URL containing the metadata -->
                <constructor-arg>
                    <value type="java.lang.String">https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
                </constructor-arg>
                <!-- Timeout for metadata loading in ms -->
                <constructor-arg>
                    <value type="int">5000</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/capital/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <!-- URL containing the metadata -->
                <constructor-arg>
                    <value type="java.lang.String">https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
                </constructor-arg>
                <!-- Timeout for metadata loading in ms -->
                <constructor-arg>
                    <value type="int">5000</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </list>
    </constructor-arg>
</bean>

请帮助解决这个问题。谢谢。

4

2 回答 2

2

只有你的一些MetadataProviders被包裹在ExtendedMetadataDelegate. 您必须将metadataTrustCheck标志设置为应该跳过信任检查的false每个,而不仅仅是其中的一些。MetadataProvider如下定义元数据提供程序,您的问题应该消失了:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/services/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                        <!-- URL containing the metadata -->
                        <constructor-arg>
                            <value type="java.lang.String">
                                https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml
                            </value>
                        </constructor-arg>
                        <!-- Timeout for metadata loading in ms -->
                        <constructor-arg>
                            <value type="int">5000</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/capital/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                        <!-- URL containing the metadata -->
                        <constructor-arg>
                            <value type="java.lang.String">
                                https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml
                            </value>
                        </constructor-arg>
                        <!-- Timeout for metadata loading in ms -->
                        <constructor-arg>
                            <value type="int">5000</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
        </list>
    </constructor-arg>
</bean>
于 2014-10-08T10:06:11.923 回答
2

在 Java Config 版本中,在将信任检查标志设置为 false 后,我必须手动针对 metadataProvider 对象调用初始化方法。

@SamlBeanAnnotation
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException, ResourceException {
    List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
    for (String file: getSamlProviders()) {
        ResourceBackedMetadataProvider metadataProvider = new ResourceBackedMetadataProvider(new Timer(),
                new org.opensaml.util.resource.ClasspathResource("/" + file.trim()));
        metadataProvider.setParserPool(parserPool());

        ExtendedMetadataDelegate extendedMetadataDelegate =
            new ExtendedMetadataDelegate(metadataProvider, new ExtendedMetadata());
        extendedMetadataDelegate.setMetadataTrustCheck(false);
        extendedMetadataDelegate.setMetadataRequireSignature(false);
        metadataProvider.initialize();
        providers.add(metadataProvider);
    }

    CachingMetadataManager cachingMetadataManager= new CachingMetadataManager(providers);
    return cachingMetadataManager;
}
于 2015-08-11T06:52:24.940 回答