即使在 IDP 使用 SAML 成功登录后,获取身份验证对象仍为空

Posted

技术标签:

【中文标题】即使在 IDP 使用 SAML 成功登录后,获取身份验证对象仍为空【英文标题】:Getting authentication object is null even after successfully login by IDP using SAML 【发布时间】:2015-05-31 17:50:53 【问题描述】:

我已经在我的应用程序中配置了 spring-saml 和 spring security。我给出了不同的 url 模式来识别请求。如果我在应用程序 URL 中附加 /rest ,那么它将创建带有基本身份验证的 spring-security 上下文。如果我在应用 URL 中附加 /saml ,那么它将填充 IDP 登录页面并在成功登录后重定向到 index.html

但是我再次被重定向到 login.html 页面而不是 index.html。在eclipse调试并在这里和那里放置一些日志之后,我得到了没有可用的身份验证对象。

我已阅读此 jira link 并将 spring-security 版本更新为 3.1.4.RELEASE 但它没有解决我的问题。

经过一番努力后,我发现 saml 安全上下文正在被 filterChainProxy doFilter 方法清除,并且将身份验证设置为空,然后重定向到需要身份验证的安全目标 URL,但该 URL 不存在。因此它重定向到登录页面。

我搜索了很多,但没有找到任何使用 saml 身份验证通过 j_spring_security 检查的方法。

我在下面附上了我的 saml-security.xml 和 spring-security.xml 文件

saml 安全

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <!-- Enable auto-wiring -->
    <context:annotation-config/>

    <!-- Scan for auto-wiring classes in spring saml packages -->
    <context:component-scan base-package="org.springframework.security.saml"/>

    <!-- Unsecured pages -->
    <security:http security="none" pattern="/favicon.ico"/>
    <security:http security="none" pattern="/images/**"/>
    <security:http security="none" pattern="/css/**"/>
    <security:http security="none" pattern="/logout.jsp"/>

    <!-- Filters for processing of SAML messages -->
    <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map request-matcher="ant">
            <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
            <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
            <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
            <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
            <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
            <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
            <security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
        </security:filter-chain-map>
    </bean>

    <!-- Handler deciding where to redirect user after successful login -->
    <bean id="successRedirectHandler"
          class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/index.html"/>
        <property name="alwaysUseDefaultTargetUrl" value="true"/>
    </bean>
    <!--
    Use the following for interpreting RelayState coming from unsolicited response as redirect URL:
    <bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler">
       <property name="defaultTargetUrl" value="/" />
    </bean>
    -->

    <!-- Handler for successful logout -->
    <bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
        <property name="defaultTargetUrl" value="/login.html"/>
    </bean>

    <!-- Register authentication manager with SAML provider -->
    <security:authentication-manager id="samlAuthenticationManager">
        <security:authentication-provider ref="samlAuthenticationProvider"/>
    </security:authentication-manager>

    <!-- Logger for SAML messages and events -->
    <bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>


   <!-- Central storage of cryptographic keys -->
    <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
        <constructor-arg value="file:///$user.home/conf/samlKeyStore.jks"/>
        <constructor-arg type="java.lang.String" value="nalle123"/>
        <constructor-arg>
            <map>
                <entry key="apollo" value="nalle123"/>
            </map>
        </constructor-arg>
        <constructor-arg type="java.lang.String" value="apollo"/>
    </bean>

    <!-- Entry point to initialize authentication, default values taken from properties file -->
    <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
        <property name="defaultProfileOptions">
            <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
                <property name="includeScoping" value="false"/>
            </bean>
        </property>
    </bean>

    <!-- IDP Discovery Service -->
    <bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
        <!-- <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp"/> -->
    </bean>

    <!-- Filter automatically generates default SP metadata -->
    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="entityId" value="devenv.abc.com"/>
                <property name="signMetadata" value="false"/>
            </bean>
        </constructor-arg>
    </bean>






    <!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
    <bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>

    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
            <constructor-arg>
                <list>
                    <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                        <constructor-arg>
                            <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
                        </constructor-arg>
                        <constructor-arg>
                            <value type="int">500000</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </list>
            </constructor-arg>
     </bean>

    <!-- SAML Authentication Provider responsible for validating of received SAML messages -->
    <bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
        <property name="userDetails" ref="samlUserDetailsService" />
    </bean>

     <!-- Custom user details service to attach app specific roles to federated identities -->
    <bean id="samlUserDetailsService" class="com.mercatus.security.MercatusSAMLUserDetailsService"/>

    <!-- Provider of default SAML Context -->
    <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>

    <!-- Processing filter for WebSSO profile messages -->
    <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
        <property name="authenticationManager" ref="samlAuthenticationManager"/>
        <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
    </bean>

    <!-- Processing filter for WebSSO Holder-of-Key profile -->
    <bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
        <property name="authenticationManager" ref="samlAuthenticationManager"/>
        <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
    </bean>

    <!-- Logout handler terminating local session -->
    <bean id="logoutHandler"
          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
        <property name="invalidateHttpSession" value="true"/>
    </bean>

    <!-- Override default logout processing filter with the one processing SAML messages -->
    <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
        <constructor-arg ref="successLogoutHandler"/>
        <constructor-arg ref="logoutHandler"/>
        <constructor-arg ref="logoutHandler"/>
    </bean>

    <!-- Filter processing incoming logout messages -->
    <!-- First argument determines URL user will be redirected to after successful global logout -->
    <bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
        <constructor-arg index="0" ref="successLogoutHandler"/>
        <constructor-arg index="1" ref="logoutHandler"/>
    </bean>

    <!-- Class loading incoming SAML messages from httpRequest stream -->
    <bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
        <constructor-arg>
            <list>
                <ref bean="redirectBinding"/>
                <ref bean="postBinding"/>
                <ref bean="artifactBinding"/>
                <ref bean="soapBinding"/>
                <ref bean="paosBinding"/>
            </list>
        </constructor-arg>
    </bean>

    <!-- SAML 2.0 WebSSO Assertion Consumer -->
    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>

    <!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
    <bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

    <!-- SAML 2.0 Web SSO profile -->
    <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>

    <!-- SAML 2.0 Holder-of-Key Web SSO profile -->
    <bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

    <!-- SAML 2.0 ECP profile -->
    <bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>

    <!-- SAML 2.0 Logout Profile -->
    <bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>

    <!-- Bindings, encoders and decoders used for creating and parsing messages -->
    <bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
        <constructor-arg ref="parserPool"/>
        <constructor-arg ref="velocityEngine"/>
    </bean>

    <bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
        <constructor-arg ref="parserPool"/>
    </bean>

    <bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
        <constructor-arg ref="parserPool"/>
        <constructor-arg ref="velocityEngine"/>
        <constructor-arg>
            <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
                <constructor-arg>
                    <bean class="org.apache.commons.httpclient.HttpClient">
                        <constructor-arg>
                            <bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
                <property name="processor">
                    <bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
                        <constructor-arg ref="soapBinding"/>
                    </bean>
                </property>
            </bean>
        </constructor-arg>
    </bean>

    <bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
        <constructor-arg ref="parserPool"/>
    </bean>

    <bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
        <constructor-arg ref="parserPool"/>
    </bean>

    <!-- Initialization of OpenSAML library-->
    <bean class="org.springframework.security.saml.SAMLBootstrap"/>

    <!-- Initialization of the velocity engine -->
    <bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>

    <!-- XML parser pool needed for OpenSAML parsing -->
    <bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize">
        <property name="builderFeatures">
            <map>
                <entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
            </map>
        </property>
    </bean>

    <bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>

</beans>

下面是我的 spring-security.xml 文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"  
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc" 
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/mvc 
        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd    
        http://www.springframework.org/schema/util
        http://www.springframework.org/schema/util/spring-util-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/aop 
        http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
        http://www.springframework.org/schema/security/oauth2
        http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">

    <aop:aspectj-autoproxy/> 

    <!-- Definition for logging aspect -->
    <bean id="assumptionAuditLogAspect" class="com.mercatus.audit.AssumptionAuditLogAspect"/> 
    <!-- Definition for project security aspect -->
    <bean id="projectSecurityAspect" class="com.mercatus.web.security.ProjectSecurityAspect"/>
    <!--Definition for SavedRequestAwareAuthenticationSuccessHandler  -->
    <bean id="mercatusSavedRequestHandler" class="com.mercatus.security.MercatusSavedRequestHandler"/>
    <bean id="mercatusLogoutSuccessHandler" class="com.mercatus.security.MercatusLogoutSuccessHandler"/>
    <bean id="mercatusAjaxTimeoutFilter" class="com.mercatus.security.MercatusAjaxTimeoutFilter"/>


    <security:http pattern="/oauth/token" create-session="stateless"
        authentication-manager-ref="clientAuthenticationManager">
        <security:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <security:anonymous enabled="false" />
        <security:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
        <security:custom-filter ref="clientCredentialsTokenEndpointFilter"
            after="BASIC_AUTH_FILTER" />
        <security:access-denied-handler ref="oauthAccessDeniedHandler" />
    </security:http>

    <!-- SAML starts -->
    <security:http pattern="/saml/**" entry-point-ref="samlEntryPoint">
        <security:intercept-url pattern="/oauth/**" access="ROLE_USER" />
        <security:intercept-url pattern="/rest/**" access="ROLE_USER" />
        <security:intercept-url pattern="/saml" access="IS_AUTHENTICATED_FULLY"/> 
        <security:anonymous enabled="false" /> 
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>

     <!-- SAML ends -->

     <security:http pattern="/rest/**"  access-decision-manager-ref="accessDecisionManager">
        <security:anonymous enabled="false" />
        <security:form-login login-page="/login.html" authentication-success-handler-ref="mercatusSavedRequestHandler"
            authentication-failure-url="/login.jsp?login_error=true"/> 
        <security:intercept-url pattern="/rest/**" access="ROLE_USER" />
        <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <security:custom-filter ref="mercatusAjaxTimeoutFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
        <security:access-denied-handler ref="oauthAccessDeniedHandler"/>
    </security:http>

    <security:http access-denied-page="/login.jsp?login_error=true">
        **<security:intercept-url pattern="/index.html" access="ROLE_USER" />**
        <security:intercept-url pattern="/saml/**" access="ROLE_USER" />
        <security:intercept-url pattern="/oauth/**" access="ROLE_USER" />    
        <security:intercept-url pattern="/customer/*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />  
        <security:form-login login-page="/login.html" authentication-success-handler-ref="mercatusSavedRequestHandler"
            authentication-failure-url="/login.jsp?login_error=true"/> 
        <security:logout delete-cookies="true" invalidate-session="true" logout-success-url="/login.html"/>
        <security:anonymous />
    </security:http>

    <security:authentication-manager id="clientAuthenticationManager">
        <security:authentication-provider user-service-ref="clientDetailsUserService" />
    </security:authentication-manager>

    <oauth2:authorization-server
        client-details-service-ref="clientDetails" token-services-ref="tokenServices"
        user-approval-handler-ref="userApprovalHandler">
        <oauth2:authorization-code />
        <oauth2:implicit />
        <oauth2:refresh-token />
        <oauth2:client-credentials />
        <oauth2:password />
    </oauth2:authorization-server>  

    <oauth2:resource-server id="resourceServerFilter"
        resource-id="mercatus" token-services-ref="tokenServices" />

    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                <bean class="org.springframework.security.access.vote.RoleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>

     <security:global-method-security pre-post-annotations="enabled"/>


     <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider ref="mercatusAuthenticationProvider" />
    </security:authentication-manager>

    <bean id="mercatusAuthenticationProvider" class="com.mercatus.security.MercatusAuthenticationProvider" />

</beans>

谁能帮我解决这个问题。 提前致谢。

【问题讨论】:

您能否上传您正在部署的应用程序并发布您正在使用的 Tomcat 的确切版本?我会尝试重现您的问题。 @VladimírSchäfer 我已经用我的 saml-security 和 spring-security xml 文件更新了我的问题。 我可以通过这些设置使用 IDP 登录。但是,我无法访问任何保护资源,例如以 xml 粗体显示的 index.html。由于拦截网址,它会将我重定向到登录页面。 【参考方案1】:

苦苦挣扎了将近一周,终于解决了这个问题。

通过 Eclipse 进行调试时,我在 SAMLAuthenticationProvider 中找到了根本原因,有一个方法 getEntitlements 导致了问题。

   protected Collection<? extends GrantedAuthority> getEntitlements(SAMLCredential credential, Object userDetail) 
        if (userDetail instanceof UserDetails) 
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.addAll(((UserDetails) userDetail).getAuthorities());
            return authorities;
         else 
            return Collections.emptyList();
        
    

这里检查userDetail对象是否是UserDetails类的instanceOf,然后返回所有权限列表,否则返回空权限列表。

返回UserDetails 对象的基于表单的身份验证很好,但如果用户通过IDP 启动的SSO 登录,则将返回UsernamePasswordAuthenticationToken 类型的对象。因此,它使用 userDetail 对象获得了空的grantedAuthourity 列表。

所以我在我的应用程序中扩展 SAMLAuthenticationProvider 并覆盖下面的方法

@Override
public Collection<? extends GrantedAuthority> getEntitlements(SAMLCredential credential, Object userDetail)
    
        logger.info("****** object is instance of UserDetails :"+ (userDetail instanceof UserDetails));

        if (userDetail instanceof UserDetails) 
        
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.addAll(((UserDetails) userDetail).getAuthorities());
            return authorities;
         
        else if(userDetail instanceof UsernamePasswordAuthenticationToken) 
        
             List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
             authorities.addAll(((UsernamePasswordAuthenticationToken) userDetail).getAuthorities());
             return authorities;

         else 
            return Collections.emptyList();
        
    

然后我将我的自定义 authenticationProvider 引用与我的自定义 SAMLUserDetailsS​​ervice 类引用一起提供给 saml-security.xml 文件。

   <bean id="samlAuthenticationProvider" class="com.mercatus.security.MercatusSAMLAuthenticationProvider">
        <property name="userDetails" ref="samlUserDetailsService" />
    </bean>

    <bean id="samlUserDetailsService" class="com.mercatus.security.MercatusSAMLUserDetailsService"/>

上面的配置救了我。登录后我可以访问受保护的资源。

我花了整整一周的时间在 FilterChainProxy 和许多其他过滤器中进行调试,并且由于拦截器 URL,它被重定向到 FilterChainProxy。

我发布详细信息是因为它可能对面临类似问题的其他人有所帮助。

【讨论】:

嗨 Manoj,我面临同样的问题。该错误类似于“在 securitycontext 中找不到身份验证对象”。我正在我的微服务中实现 Spring Saml 集成。你能提供同样的指导吗?如果您可以提供有关您的自定义 SAMLUserDetailsS​​ervice 的详细信息,也会很有帮助。谢谢。

以上是关于即使在 IDP 使用 SAML 成功登录后,获取身份验证对象仍为空的主要内容,如果未能解决你的问题,请参考以下文章

Spring saml - 在SP上启动登录时如何记住请求参数,并在IdP响应后处理它们

要求使用相同的 IDP 重新进行身份验证 - Spring SAML

使用 Spring Security saml 的 IDP 会话超时

如何让两个单独的 SAML 应用程序登录到 IdP 而无需登录两次?

配置 saml-sample (SP) 以使用 Okta (IdP)

Spring SAML 凭证和平台帐户