如何解决解码传入 SAML 消息时出错的问题?
Posted
技术标签:
【中文标题】如何解决解码传入 SAML 消息时出错的问题?【英文标题】:How to resolve issue of Error decoding incoming SAML message? 【发布时间】:2015-05-18 08:25:29 【问题描述】:对于 SAML 请求,我收到错误 Error decoding incoming SAML message。
我已经配置了 ADFS 2.0、windows server 2008、SAML 2.0。 SSO 使用 SAML 2.0 运行良好
现在我的客户需要 windows server 2012,他们已经配置并恢复了旧的服务器配置。进入新服务器,但 SAML 身份验证给我以下错误。
Error in SAML : Error decoding incoming SAML message
org.springframework.security.authentication.AuthenticationServiceException: Error decoding incoming SAML message
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:91)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:108)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:279)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:98)
at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:91)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:162)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:323)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:227)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:170)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:822)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:719)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1013)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:225)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:662)
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Could not decode artifact response message.
at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:123)
at org.opensaml.saml2.binding.decoding.HTTPArtifactDecoderImpl.doDecode(HTTPArtifactDecoderImpl.java:94)
at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79)
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:77)
... 44 more
Caused by: org.opensaml.ws.message.decoder.MessageDecodingException: Error when sending request to artifact resolution service.
at org.springframework.security.saml.websso.ArtifactResolutionProfileImpl.getArtifactResponse(ArtifactResolutionProfileImpl.java:109)
at org.springframework.security.saml.websso.ArtifactResolutionProfileBase.resolveArtifact(ArtifactResolutionProfileBase.java:98)
... 50 more
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.write(BufferedOutputStream.java:104)
at java.io.ByteArrayOutputStream.writeTo(ByteArrayOutputStream.java:109)
at org.opensaml.ws.transport.http.httpclient.OutputStreamRequestEntity.writeRequest(OutputStreamRequestEntity.java:46)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
at org.springframework.security.saml.websso.ArtifactResolutionProfileImpl.getArtifactResponse(ArtifactResolutionProfileImpl.java:96)
... 51 more
问题出在 adfs 服务器配置方面,但我没有得到解决方案。 提供有关 ADFS 2.0 配置等的任何建议对我来说都是最好的帮助。
它给了我Error when sending request to artifact resolution service. 这样的错误,但我不知道如何启动工件解析服务?
【问题讨论】:
这个问题与 Stack Overflow 无关,因为它似乎与编程无关。 @ʎǝʞuoɯɹǝqʎɔ 我认为您必须检查 Vladimír Schäfer 的解决方案。他曾尝试在编码方面给出答案。 【参考方案1】:在 SP 元数据中将默认绑定更改为 POST,并将文件保存为 my_sp.xml 在此文件夹下 服务器上的“C:\glassfish3\glassfish\domains\domain1\applications\SunflowerSET\WEB-INF\classes\resources\security”
从新的 ADFS 服务器 (ADFS101) 下载元数据并将其作为 FederationMetadata.xml 存储在此文件夹 C:\glassfish3\glassfish\domains\domain1\applications\SunflowerSET\WEB-INF\classes\resources\security 下服务器。
已从 ADFS 中删除信赖方信任规则
使用新的 my_sp.xml 元数据在 ADFS101 上配置了新的信赖方信任规则。
【讨论】:
【参考方案2】:Spring SAML 似乎无法连接到您已导入的 ADFS 的 IDP 元数据中指定的端点。您可以在元素 ArtifactResolutionService 的元数据中看到端点 URL。确保可以从 Spring SAML 实例连接到此 URL。
作为另一种选择,您可以使用不需要直接后端连接到 ADFS 的不同绑定。您可以通过从您的 SP 元数据中删除 Artifact 断言消费者服务并将新版本上传到 IDP 来指示 IDP 在向 SP 发送回消息时使用 HTTP-POST。
在使用WebSSOProfileOptions 和属性assertionConsumerIndex 向SP 发送响应时,还可以控制IDP 应使用哪个绑定,如您在manual 第9.2.1 章中所见。
【讨论】:
如果我使用 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 绑定,那么我需要工件解析服务吗? 不,你没有。请注意,我在上面的原始答案中犯了一个错误,IDP 用来控制绑定向 SP 发送消息的正确属性是 assertionConsumerIndex。 你说的是这个配置吗?以上是关于如何解决解码传入 SAML 消息时出错的问题?的主要内容,如果未能解决你的问题,请参考以下文章
AuthenticationServiceException:验证 SAML 消息时出错 :: AuthNResponse;FAILURE;响应的状态码无效:状态消息为空