org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
Posted: 2014-12-01 17:25:53

Question:
I get the following exception when I try to start the server after configuring the IdP in securityContext.xml.
Cause:
I saw a workaround at http://forum.spring.io/forum/spring-projects/security/saml/108450-getting-error-signature-trust-establishment-failed-for-metadata-entry which says to set the property metadataTrustCheck to false on the ExtendedMetadataDelegate bean that contains your IDP metadata.
But I don't want to modify the saml2 core API. Can metadataTrustCheck be set in securityContext.xml instead? If so, how do I set it? I tried the following, but I still get the same error.
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
                <value type="java.io.File">classpath:metadata/services/MyMetadata.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
        </bean>
    </constructor-arg>
    <property name="metadataTrustCheck" value="false"/>
</bean>
My MetadataManager is defined as follows:
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/services/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <!-- URL containing the metadata -->
                <constructor-arg>
                    <value type="java.lang.String">https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
                </constructor-arg>
                <!-- Timeout for metadata loading in ms -->
                <constructor-arg>
                    <value type="int">5000</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/capital/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                <!-- URL containing the metadata -->
                <constructor-arg>
                    <value type="java.lang.String">https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml</value>
                </constructor-arg>
                <!-- Timeout for metadata loading in ms -->
                <constructor-arg>
                    <value type="int">5000</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </list>
    </constructor-arg>
</bean>
Please help. Thanks.
Comments:
Could you post your complete CachingMetadataManager bean?
Hi Vladimir, nice to hear from you. I am using spring-security-saml2-core:1.0.1.BUILD-SNAPSHOT.jar. I have not changed any of the existing core API code. Initially I used your saml2-core source, changed metadataTrustCheck to false in ExtendedMetadataDelegate.java and built the jar file. That worked well. Now I am trying to use the SNAPSHOT, which does not contain the above change. Instead, can I use

Answer 1:
In the Java Config version, after setting the trust check flag to false, I had to call the initialize method on the metadataProvider object manually.
@SamlBeanAnnotation
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException, ResourceException {
    List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
    for (String file : getSamlProviders()) {
        ResourceBackedMetadataProvider metadataProvider = new ResourceBackedMetadataProvider(new Timer(),
                new org.opensaml.util.resource.ClasspathResource("/" + file.trim()));
        metadataProvider.setParserPool(parserPool());
        ExtendedMetadataDelegate extendedMetadataDelegate =
                new ExtendedMetadataDelegate(metadataProvider, new ExtendedMetadata());
        extendedMetadataDelegate.setMetadataTrustCheck(false);
        extendedMetadataDelegate.setMetadataRequireSignature(false);
        metadataProvider.initialize();
        // Register the delegate, not the bare provider: the two flags set above live on the delegate.
        providers.add(extendedMetadataDelegate);
    }
    CachingMetadataManager cachingMetadataManager = new CachingMetadataManager(providers);
    return cachingMetadataManager;
}
Comments:
Answer 2:
Only some of your MetadataProviders are wrapped in an ExtendedMetadataDelegate. You have to set the metadataTrustCheck flag to false on every MetadataProvider that should skip the trust check, not just on some of them. Define the metadata providers as follows and your problem should go away:
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/services/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                        <!-- URL containing the metadata -->
                        <constructor-arg>
                            <value type="java.lang.String">
                                https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml
                            </value>
                        </constructor-arg>
                        <!-- Timeout for metadata loading in ms -->
                        <constructor-arg>
                            <value type="int">5000</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">classpath:metadata/capital/FederationMetadata.xml</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
                        <!-- URL containing the metadata -->
                        <constructor-arg>
                            <value type="java.lang.String">
                                https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml
                            </value>
                        </constructor-arg>
                        <!-- Timeout for metadata loading in ms -->
                        <constructor-arg>
                            <value type="int">5000</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    </bean>
                </constructor-arg>
                <property name="metadataTrustCheck" value="false"/>
            </bean>
        </list>
    </constructor-arg>
</bean>
Comments:
I have the same problem. I marked every ExtendedMetadataDelegate bean with metadataTrustCheck set to false but still get the same error. The configuration file is available here.
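Both answers above resolve the FilterException by turning the trust check off, which makes the SP accept whatever metadata (and whatever signing certificates) the file or URL happens to serve. The following is an added Java-config example, not code from the question or either answer, that applies Answer 2's point (every provider goes through an ExtendedMetadataDelegate, so none is left unwrapped) while keeping the check on and naming the trust anchor instead: the keystore alias of the IdP's metadata-signing certificate, passed via metadataTrustedKeys. It assumes that a Spring SAML keyManager bean exists whose keystore contains that certificate under the alias idp-metadata-signing, that parserPool and httpClient beans are defined elsewhere, and that the metadata paths and URLs (taken from the question) are placeholders for your own; the ExtendedMetadataDelegate, ResourceBackedMetadataProvider, HTTPMetadataProvider and CachingMetadataManager calls are the spring-security-saml 1.0.x / OpenSAML 2 API.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Timer;

import org.apache.commons.httpclient.HttpClient;
import org.opensaml.saml2.metadata.provider.AbstractMetadataProvider;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider;
import org.opensaml.util.resource.ClasspathResource;
import org.opensaml.util.resource.ResourceException;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

@Configuration
public class MetadataConfig {

    // Assumed: alias under which the IdP's metadata-signing certificate was
    // imported into the SP keystore behind the Spring SAML keyManager bean.
    private static final String IDP_METADATA_SIGNING_ALIAS = "idp-metadata-signing";

    // Assumed locations (from the question); replace with your own.
    private static final String[] LOCAL_METADATA = {
        "metadata/services/FederationMetadata.xml",
        "metadata/capital/FederationMetadata.xml"
    };
    private static final String[] REMOTE_METADATA = {
        "https://adfsserver1.com/FederationMetadata/2007-06/FederationMetadata.xml",
        "https://adfsserver2.com/FederationMetadata/2007-06/FederationMetadata.xml"
    };

    // Daemon timer shared by the reloading providers.
    private final Timer backgroundTimer = new Timer(true);

    // Assumed to be defined as beans elsewhere in the application context.
    @Autowired
    private ParserPool parserPool;
    @Autowired
    private HttpClient httpClient;

    /**
     * Single choke point for every provider: nothing reaches the manager
     * unwrapped, so nothing escapes the signature check. The check stays on
     * and trust is pinned to one keystore alias rather than to any signer.
     */
    private ExtendedMetadataDelegate wrap(AbstractMetadataProvider provider) {
        provider.setParserPool(parserPool);
        ExtendedMetadataDelegate delegate =
                new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
        delegate.setMetadataTrustCheck(true);        // verify the metadata signature
        delegate.setMetadataRequireSignature(true);  // and reject unsigned metadata
        delegate.setMetadataTrustedKeys(Collections.singleton(IDP_METADATA_SIGNING_ALIAS));
        return delegate;
    }

    @Bean(name = "metadata")
    public CachingMetadataManager metadata() throws MetadataProviderException, ResourceException {
        List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
        for (String path : LOCAL_METADATA) {
            providers.add(wrap(new ResourceBackedMetadataProvider(
                    backgroundTimer, new ClasspathResource("/" + path))));
        }
        for (String url : REMOTE_METADATA) {
            providers.add(wrap(new HTTPMetadataProvider(backgroundTimer, httpClient, url)));
        }
        // No manual initialize() on the delegates: the manager attaches the
        // signature-validation filter and initialises each delegate itself.
        return new CachingMetadataManager(providers);
    }
}
```

With this wiring the same FilterException still appears if the alias does not match the certificate that actually signed the metadata, which is the desired outcome: the error now points at a wrong or rotated trust anchor to be fixed in the keystore, instead of being silenced by disabling the check for every provider.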