rlb*_*778 11 spring-security spring-saml
I'm having trouble getting my Spring SAML integration to generate the correct metadata file for my IdP. I got a new SHA256 SSL certificate. I've done all the steps to create the corresponding keyStore and have my Spring security config file all set up. I'm actually 98% of the way there, but there is one thing missing from the generated metadata file and I can't for the life of me figure out why it isn't being set.
Here is the ExtendedMetadata configuration for the MetadataGeneratorFilter:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="urn:myentityidhere"/>
            <property name="entityBaseURL" value="https://${saml.url}"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="signMetadata" value="true"/>
                    <property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    <property name="alias" value="ceo"/>
                    <property name="signingKey" value="${saml.sp.alias}"/>
                    <property name="encryptionKey" value="${saml.sp.alias}"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>
When I run my application and go to the /saml/metadata URI to get the metadata file that Spring generates, which I need to send to my IdP, the SHA256 algorithm is correctly set on the SignatureMethod, but the algorithm value of the child DigestMethod tag is still set to SHA1, when I need that ALSO set to SHA256, along with the DigestValue being the SHA256 value rather than the SHA1 value.
<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#urn_myentityidhere">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>xxxxxxx</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>
Can someone guide me on how / what I need to set to get the DigestMethod algorithm value to 256? I thought that, since it is a child of the SignedInfo tag, it would inherit the signedAlgorithm value from the ExtendedMetadata config, but that's apparently not the case.
Any help would be greatly appreciated. Thanks a lot.
Solution - in case anyone cares
So after a day of digging, I decided to implement it myself. I extended the ExtendedMetadata class by adding a field digestMethodAlgorithm, with the appropriate getter/setter:
/**
 * Algorithm used for creation of digest method of this entity. At the moment only used for metadata signatures.
 * Only valid for local entities.
 */
private String digestMethodAlgorithm;

/**
 * Returns digest method algorithm value
 * @return String
 */
public String getDigestMethodAlgorithm()
{
    return digestMethodAlgorithm;
}

/**
 * Sets the digest method algorithm to use when signing the SAML messages.
 * This can be used, for example, when a strong algorithm is required (e.g. SHA 256 instead of SHA 128).
 * If this property is null, then the {@link org.opensaml.xml.Configuration} default algorithm will be used instead.
 *
 * Value only applies to local entities.
 *
 * At the moment the value is only used for signatures on metadata.
 *
 * Typical values are:
 * http://www.w3.org/2001/04/xmlenc#sha1
 * http://www.w3.org/2001/04/xmlenc#sha256
 * http://www.w3.org/2001/04/xmlenc#sha384
 * http://www.w3.org/2001/04/xmlenc#sha512
 * http://www.w3.org/2001/04/xmlenc#ripemd160
 *
 * @param digestMethodAlgorithm The new digest method algorithm to use
 * @see org.opensaml.xml.signature.SignatureConstants
 */
public void setDigestMethodAlgorithm(String digestMethodAlgorithm)
{
    this.digestMethodAlgorithm = digestMethodAlgorithm;
}
Then I modified my Spring security configuration from above to include the new bean property, to be set in my MetadataGenerator configuration:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="urn:myentityidhere"/>
            <property name="entityBaseURL" value="https://${saml.url}"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="signMetadata" value="true"/>
                    <property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    <property name="digestMethodAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <property name="alias" value="ceo"/>
                    <property name="signingKey" value="${saml.sp.alias}"/>
                    <property name="encryptionKey" value="${saml.sp.alias}"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>
Then I also had to make two changes to the SAMLUtil class. In getMetadataAsString, inside the isSignMetadata() if clause, I pulled the injected value of digestMethodAlgorithm set by the configuration above, and then modified the marshallAndSignMessage method to accept a new input parameter, which I then use to set the DigestMethod algorithm correctly.
Inside SAMLUtil.getMetadataAsString, at line 572:
...
String digestMethodAlgorithm = extendedMetadata.getDigestMethodAlgorithm();
element = SAMLUtil.marshallAndSignMessage(descriptor, credential, signingAlgorithm, digestMethodAlgorithm, keyGenerator);
...
Inside SAMLUtil.marshallAndSignMessage, right after line 437, I added/changed the following:
...
BasicSecurityConfiguration secConfig = null;
if (digestMethodAlgorithm != null)
{
    secConfig = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
    secConfig.setSignatureReferenceDigestMethod(digestMethodAlgorithm);
}
try {
    SecurityHelper.prepareSignatureParams(signature, signingCredential, secConfig, keyInfoGenerator);
} catch (org.opensaml.xml.security.SecurityException e) {
    throw new MessageEncodingException("Error preparing signature for signing", e);
}
...
I recompiled the whole Spring SAML core package, spring-security-saml-1.0.0.RELEASE, via Gradle, copied the new jar from the build/libs directory into my project, deployed the webapp, pointed my browser at /saml/metadata and successfully got the metadata file with the correct SHA256 signature section:
I'll look into what I can do to get this committed to the project's git repo, since I don't want to lose this capability as the project releases in the future. I've never contributed to an open source project like this before.
<ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#urn_myentityidhere">
        <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>xxxxxx</ds:DigestValue>
    </ds:Reference>
</ds:SignedInfo>
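A check worth running on the generated metadata before it is handed to the IdP, as an added example that is not code from the question or from Spring SAML: it parses ds:SignedInfo and reports the SignatureMethod and every Reference DigestMethod separately, so the mismatch described above (a SHA-256 signature over a SHA-1 reference digest) is caught rather than assumed. The metadata string is a constructed sample mirroring the question's output, and the function names are my own.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Algorithm URIs that a freshly generated SP metadata file should not use.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1 digest",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1 signature",
}

# Constructed sample reproducing the state described in the question:
# SHA-256 SignatureMethod, but the Reference still uses a SHA-1 DigestMethod.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="urn_myentityidhere">
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#urn_myentityidhere">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>xxxxxxx</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
</md:EntityDescriptor>"""


def signature_algorithms(metadata_xml):
    """Return the SignatureMethod URI and every Reference DigestMethod URI."""
    root = ET.fromstring(metadata_xml)
    signed_info = root.find(f".//{DS}SignedInfo")
    if signed_info is None:
        raise ValueError("metadata is not signed: no ds:SignedInfo element")
    signature = signed_info.find(f"{DS}SignatureMethod").get("Algorithm")
    digests = [d.get("Algorithm") for d in signed_info.iter(f"{DS}DigestMethod")]
    return {"signature": signature, "digests": digests}


def weak_algorithm_findings(metadata_xml):
    """One finding per weak URI; signature and reference digests are checked separately."""
    algos = signature_algorithms(metadata_xml)
    findings = []
    if algos["signature"] in WEAK_ALGORITHMS:
        findings.append("SignatureMethod uses " + WEAK_ALGORITHMS[algos["signature"]])
    for uri in algos["digests"]:
        if uri in WEAK_ALGORITHMS:
            findings.append("Reference DigestMethod uses " + WEAK_ALGORITHMS[uri])
    return findings

if __name__ == "__main__":
    for finding in weak_algorithm_findings(SAMPLE_METADATA) or ["no weak algorithms found"]:
        print(finding)
```

Run it against the file served at /saml/metadata after each configuration change; an empty findings list is what the IdP should receive.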
Jon*_*ill 13
Things seem to have changed since @VladimírSchäfer's answer; it didn't work for us with AD FS 2.0 and SHA-256. We had to add an extra setting to make it work (see the code below).
The problem appears to be in OpenSAML's xmltooling library, specifically the org.opensaml.xml.security.BasicSecurityConfiguration.getSignatureAlgorithmURI(Credential) method - rather than just using the certificate's signature algorithm (SHA256withRSA in our case), it takes the certificate's key, then looks at that key's algorithm and uses a map of registered URIs to look up the signature URI. If they just had a mapping from JCA signature algorithm to URI, rather than from key algorithm to URI, everything would be fine.
The workaround is to register the correct signature algorithm URI with BasicSecurityConfiguration during Spring wiring, overriding the already-present (undesirable) URI http://www.w3.org/2000/09/xmldsig#rsa-sha1 with http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
We also had to remove the setSignatureReferenceDigestMethod() call, or importing the metadata into AD FS would fail.
import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.saml.SAMLBootstrap;

public class CustomSamlBootstrap extends SAMLBootstrap {

    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
        super.postProcessBeanFactory(beanFactory);
        BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
        // Map the RSA key algorithm to the RSA-SHA256 signature URI, replacing the default rsa-sha1 mapping
        config.registerSignatureAlgorithmURI("RSA", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
    }
}
Vla*_*fer 10
You can configure the digest method used to compute digital signatures by making the following call during Spring SAML initialization:
// Use SHA-256 signatures for RSA keys
BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
For example, extend the default org.springframework.security.saml.SAMLBootstrap and add the code to the overridden postProcessBeanFactory method, after the call to super:
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
    super.postProcessBeanFactory(beanFactory);
    BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
    config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
}
This change affects both the signatures in the generated metadata and the signatures in generated SAML messages.