use*_*289 3 spring-security x509certificate spring-saml
I am integrating the spring-saml2-sample application into my own application. My service provider connects to a Shibboleth IDP. I am testing the SP with the private certificate provided in the samlKeystore.jks that ships with the Spring Security SAML application. I registered the IDP's signing public key in the keystore with the following command:
keytool -importcert -alias idpSignKey -keypass passwordS -file key.cer -keystore samlKeystore.jks
I can run the application and log in with the IDP. I can see in the log that the public certificate they send back to me in the SAML message corresponds to the one in the IDP metadata that I registered in the keystore. My application breaks when obtaining the IDP credential from JKSKeyManager:
java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
    java.security.KeyStoreSpi.engineGetEntry(Unknown Source)
    java.security.KeyStore.getEntry(Unknown Source)
    org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:132)
    org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
    org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:30)
    org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:26)
    org.springframework.security.saml.key.JKSKeyManager.resolveSingle(JKSKeyManager.java:172)
    org.springframework.security.saml.key.JKSKeyManager.getCredential(JKSKeyManager.java:194)
    org.springframework.security.saml.trust.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:102)
    org.opensaml.security.MetadataCredentialResolver.resolveFromSource(MetadataCredentialResolver.java:169)
This is what the KeyManager looks like in contextSecurity.xml:
<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg>
        <map>
            <entry key="apollo" value="nalle123"/>
            <entry key="idpSignKey" value="passwordS"/>
            <entry key="idpEncKey" value="passwordE"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>
This is the extended metadata for the IDP:
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
    <property name="local" value="false"/>
    <property name="securityProfile" value="metaiop"/>
    <property name="sslSecurityProfile" value="pkix"/>
    <property name="signingKey" value="idpSignKey"/>
    <property name="encryptionKey" value="idpEncKey"/>
    <property name="requireArtifactResolveSigned" value="false"/>
    <property name="requireLogoutRequestSigned" value="false"/>
    <property name="requireLogoutResponseSigned" value="false"/>
    <property name="idpDiscoveryEnabled" value="false"/>
</bean>
The IDP's certificates normally do not need to be imported into the keystore, because they are provided in the IDP's metadata. You should only use ExtendedMetadata with the properties signingKey and/or encryptionKey if you want to supplement the keys already present in the metadata.
Since the file key.cer contains only the IDP's public key, it cannot be password protected. You should simply remove it from the Map used to initialize JKSKeyManager, because it only needs to contain passwords for entries that hold private keys. The initialization will then look like this:
<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg>
        <map>
            <entry key="apollo" value="nalle123"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>
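As an added example (not code from the question, the answer, or Spring Security SAML), the check below audits an alias-to-password map against the keystore before it is handed to JKSKeyManager: it reproduces the getEntry failure for trusted certificate entries and keeps only the private-key aliases. It assumes the sample app's samlKeystore.jks is in the working directory (or given as the first argument) and uses the store password and aliases shown in the beans above.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableEntryException;
import java.util.LinkedHashMap;
import java.util.Map;

public class KeyManagerPasswordAudit {
    /** Keeps only private-key entries: the only aliases JKSKeyManager needs a password for. */
    static Map<String, String> privateKeyPasswordsOnly(KeyStore ks, Map<String, String> configured) throws Exception {
        Map<String, String> result = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : configured.entrySet()) {
            String alias = e.getKey();
            if (ks.isKeyEntry(alias)) {
                result.put(alias, e.getValue());
            } else if (ks.isCertificateEntry(alias)) {
                // what keytool -importcert creates: a public certificate only, which cannot take a password
                System.out.println("dropping '" + alias + "': trusted certificate entry");
            } else {
                System.out.println("dropping '" + alias + "': no such alias in keystore");
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "samlKeystore.jks";   // assumed location of the sample keystore
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, "nalle123".toCharArray());                       // store password from the bean
        }
        Map<String, String> configured = new LinkedHashMap<>();          // the map from the failing bean
        configured.put("apollo", "nalle123");
        configured.put("idpSignKey", "passwordS");
        configured.put("idpEncKey", "passwordE");
        // The same call KeyStoreCredentialResolver makes: getEntry with a PasswordProtection.
        for (Map.Entry<String, String> e : configured.entrySet()) {
            String alias = e.getKey();
            if (!ks.containsAlias(alias)) { System.out.println(alias + ": not in keystore"); continue; }
            try {
                ks.getEntry(alias, new KeyStore.PasswordProtection(e.getValue().toCharArray()));
                System.out.println(alias + ": ok");
            } catch (UnsupportedOperationException | UnrecoverableEntryException ex) {
                System.out.println(alias + ": " + ex.getMessage());      // the message from the stack trace
            }
        }
        System.out.println("map to give JKSKeyManager: " + privateKeyPasswordsOnly(ks, configured));
    }
}
```

Running it against a keystore where idpSignKey was added with keytool -importcert prints the "trusted certificate entries are not password-protected" message for that alias and returns a map containing only apollo.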
Views: 4519