如何使用Java正确准备“ HTTP重定向绑定” SAML请求?
[英]How do I correctly prepare an 'HTTP Redirect Binding' SAML Request using Java?
问题描述
There are some test resource, such as http://sometestresource.com I make a request to authorize on http://sometestresource.com/Login and I redirected to a idP provider: http://someidpprovoder.com/idp/authn/CommonLogin 
有一些测试资源,例如http://sometestresource.com我在http://sometestresource.com/Login上请求授权,然后重定向到idP提供程序: http://someidpprovoder.com/idp/authn/CommonLogin ://someidpprovoder.com/idp/authn http://someidpprovoder.com/idp/authn/CommonLogin
Sniffer detects redirect to https://someidpprovoder.com/idp/profile/SAML2/Redirect/SSO 嗅探器检测到重定向到https://someidpprovoder.com/idp/profile/SAML2/Redirect/SSO
SAMLRequest=fZJda...D&RelayState=https%3A%2F%2Fwww.sometestresource.com%2Fcms%2Fextentions%2Fsimplesaml%2Fwww%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3D100000za-sp
&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
&Signature=dAx0M...D
Ok, I wrote a simple servlet application and I want to get the same functionality - Web Browser SSO Profile . 好的,我编写了一个简单的servlet应用程序,并且希望获得相同的功能-Web Browser SSO Profile 。
My ServiceProvider servlet: 我的ServiceProvider Servlet:
@WebServlet(urlPatterns={"/ServiceProvider"},
initParams={ @WebInitParam(name="Issuer", value="some.issuer"),
@WebInitParam(name="IdpUrl", value="https://someidpprovoder.com/idp/profile/SAML2/Redirect/SSO"),
@WebInitParam(name="ConsumerUrl", value="http://localhost:8080/com.secure.isusia-1.0-SNAPSHOT/ServiceProvider")
} )
public class ServiceProvider extends HttpServlet {
private static final long serialVersionUID = 1L;
private SamlConsumerManager consumer;
public void init(ServletConfig config) throws ServletException {
try {
consumer = new SamlConsumerManager(config);
} catch (ConfigurationException e) {
throw new ServletException("Errow while configuring SAMLConsumerManager", e);
}
}
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException,
IOException {
doPost(request, response);
}
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String responseMessage = request.getParameter("SAMLResponse");
if (responseMessage != null) {
// response from the identity provider
if (result == null) {
// lets logout the user
} else if (result.size() == 1) {
//
// No user attributes are returned, so just goto the default
//home page.
//
} else if (result.size() > 1) {
// We have received attributes, so lets show them in the
// attribute home page.
//
} else {
// something wrong, re-login
}
} else {
/* time to create the authentication request or logout request */
}
}
}
My SamlConsumerManager: 我的SamlConsumerManager:
public class SamlConsumerManager {
private String consumerUrl;
private String authReqRandomId;
private String relayState;
private String issuerId;
private String idpUrl;
private char[] password = "...".toCharArray();
private String alias = "...";
private String sigAlg = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
private Signature signature;
private BasicX509Credential credential;
private Element authDOM;
public SamlConsumerManager(ServletConfig servletConfig) throws ConfigurationException {
authReqRandomId = Integer.toHexString(new Double(Math.random()).intValue());
consumerUrl = servletConfig.getInitParameter("ConsumerUrl");
idpUrl = servletConfig.getInitParameter("IdpUrl");
issuerId = servletConfig.getInitParameter("Issuer");
DefaultBootstrap.bootstrap();
}
public String buildRequestMessage(HttpServletRequest request) {
RequestAbstractType requestMessage = null;
if (request.getParameter("logout") == null) {
// time to build the authentication request message
} else {
// ok, user needs to be single logged out
}
String encodedRequestMessage = encodeRequestMessage(requestMessage);
/* SAML2 Authentication Request is appended to IP's URL */
return idpUrl + "?SAMLRequest=" + encodedRequestMessage + "&SigAlg=" + sigAlg;
}
private LogoutRequest buildLogoutRequest(String user) {
LogoutRequest logoutReq = new LogoutRequestBuilder().buildObject();
logoutReq.setID(Util.createID());
DateTime issueInstant = new DateTime();
logoutReq.setIssueInstant(issueInstant);
logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000));
IssuerBuilder issuerBuilder = new IssuerBuilder();
Issuer issuer = issuerBuilder.buildObject();
issuer.setValue(issuerId);
logoutReq.setIssuer(issuer);
NameID nameId = new NameIDBuilder().buildObject();
nameId.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
nameId.setValue(user);
logoutReq.setNameID(nameId);
SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
sessionIndex.setSessionIndex(UIDGenerator.generateUID());
logoutReq.getSessionIndexes().add(sessionIndex);
logoutReq.setReason("Single Logout");
return logoutReq;
}
private AuthnRequest buildAuthnRequestObject() {
/* Building Issuer object */
IssuerBuilder issuerBuilder = new IssuerBuilder();
Issuer issuer = issuerBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer", "samlp");
issuer.setValue(issuerId);
/* NameIDPolicy */
NameIDPolicyBuilder nameIdPolicyBuilder = new NameIDPolicyBuilder();
NameIDPolicy nameIdPolicy = nameIdPolicyBuilder.buildObject();
nameIdPolicy.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
nameIdPolicy.setSPNameQualifier("Isser");
nameIdPolicy.setAllowCreate(new Boolean(true));
/* AuthnContextClass */
AuthnContextClassRefBuilder authnContextClassRefBuilder = new AuthnContextClassRefBuilder();
AuthnContextClassRef authnContextClassRef = authnContextClassRefBuilder.buildObject(
"urn:oasis:names:tc:SAML:2.0:assertion",
"AuthnContextClassRef",
"saml");
authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
/* AuthnContex */
RequestedAuthnContextBuilder requestedAuthnContextBuilder =
new RequestedAuthnContextBuilder();
RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef);
DateTime issueInstant = new DateTime();
/* Creation of AuthRequestObject */
AuthnRequestBuilder authRequestBuilder = new AuthnRequestBuilder();
AuthnRequest authRequest =
authRequestBuilder.buildObject("urn:oasis:names:tc:SAML:2.0:protocol",
"AuthnRequest", "samlp");
authRequest.setForceAuthn(new Boolean(false));
authRequest.setIsPassive(new Boolean(false));
authRequest.setIssueInstant(issueInstant);
authRequest.setProtocolBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
authRequest.setAssertionConsumerServiceURL(consumerUrl);
authRequest.setIssuer(issuer);
authRequest.setNameIDPolicy(nameIdPolicy);
authRequest.setRequestedAuthnContext(requestedAuthnContext);
authRequest.setID(authReqRandomId);
authRequest.setVersion(SAMLVersion.VERSION_20);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream fileInputStream = new FileInputStream(new File("....jks"));
keyStore.load(fileInputStream, password);
fileInputStream.close();
KeyStore.PrivateKeyEntry privateKeyEntry = null;
privateKeyEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(alias, new KeyStore.PasswordProtection(password));
PrivateKey privateKey = privateKeyEntry.getPrivateKey();
X509Certificate certificate = (X509Certificate) privateKeyEntry.getCertificate();
credential = new BasicX509Credential();
credential.setEntityCertificate(certificate);
credential.setPrivateKey(privateKey);
try {
DefaultBootstrap.bootstrap();
} catch (ConfigurationException e) {
e.printStackTrace();
}
signature = (Signature) org.opensaml.xml.Configuration.getBuilderFactory().getBuilder(org.opensaml.xml.signature.Signature.DEFAULT_ELEMENT_NAME)
.buildObject(org.opensaml.xml.signature.Signature.DEFAULT_ELEMENT_NAME);
signature.setSigningCredential(credential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
authRequest.setSignature(signature);
return authRequest;
}
private String encodeRequestMessage(RequestAbstractType requestMessage)
throws MarshallingException,
IOException {
Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(requestMessage);
Element authDOM = marshaller.marshall(requestMessage);
Deflater deflater = new Deflater(Deflater.DEFLATED, true);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
DeflaterOutputStream deflaterOutputStream =
new DeflaterOutputStream(byteArrayOutputStream,
deflater);
StringWriter rspWrt = new StringWriter();
XMLHelper.writeNode(authDOM, rspWrt);
deflaterOutputStream.write(rspWrt.toString().getBytes());
deflaterOutputStream.close();
/* Encoding the compressed message */
String encodedRequestMessage =
Base64.encodeBytes(byteArrayOutputStream.toByteArray(),
Base64.DONT_BREAK_LINES);
return URLEncoder.encode(encodedRequestMessage, "UTF-8").trim();
}
}
However, instead of the login page from my idP I get an error page. 但是,不是我的idP的登录页面,而是错误页面。
What am I doing wrong? 我究竟做错了什么? I would like to know how to properly prepare a request for authorization. 我想知道如何正确准备授权请求。 For example, I do not understand how to add a signature in the URL: 例如,我不明白如何在URL中添加签名:
&Signature=dAx0M...D
Update 更新
- I'm using SP- initiated Web SSO. 我正在使用SP发起的Web SSO。
- Remote idP based on Shibboleth (On the customer side, about it I do not know anything. Only that it was written on the basis of Shibboleth). 基于Shibboleth的远程idP(在客户端,我对此一无所知。只是它是基于Shibboleth编写的)。
1 个解决方案
解决方案1
1 已采纳 2014-07-07 17:19:36
You need to sign your signature, 您需要签名
in buildAuthnRequestObject under authRequest.setSignature(signature); 在buildAuthnRequestObject authRequest.setSignature(signature);
add 加
Configuration.getMarshallerFactory().getMarshaller(authRequest).marshall(authRequest);`
if(signature!=null) {
Signer.signObject(signature);
}
Signer being org.opensaml.xml.signature.Signer Signer为org.opensaml.xml.signature.Signer
** Update ** **更新**
Sending redirect with SAMLMessageContext and HTTPRedirectDeflateEncoder 使用SAMLMessageContext和HTTPRedirectDeflateEncoder发送重定向
public void doAuthenticationRedirect (HttpServletResponse response, final HttpSession currentSessiond) throws Exception {
/** Generate your authnrequest **/
AuthnRequest authnRequest = generateAuthnRequest();
/** Create an adapter from tomcat response servlet **/
HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter(response, true);
/** 302 status code **/
responseAdapter.setStatusCode(HttpServletResponse.SC_MOVED_TEMPORARILY);
/** Build blank context **/
SAMLMessageContext<?, AuthnRequest, ?> context = SAMLUtility.makeSamlMessageContext();
/** Set entity end point**/
context.setPeerEntityEndpoint(endpointObject);
context.setOutboundSAMLMessage(authnRequest);
/** Sign this request **/
context.setOutboundSAMLMessageSigningCredential(getSigningCredential());
context.setOutboundMessageTransport(responseAdapter);
/** Run encoder **/
try {
runEncoder(new HTTPRedirectDeflateEncoder(), context);
} catch (Throwable t) {
Log.error("Error endcoding AuthnRequest: ",t);
}
}
/**
* Encode our Context and send it
*
* @param encoder
* @param context
* @throws IOException
* @throws MessageEncodingException
*/
private void runEncoder(MessageEncoder encoder, MessageContext context) throws IOException, MessageEncodingException {
encoder.encode(context);
}
And heres makeSamlMessageContext() if you need it 如果需要,可以使用makeSamlMessageContext()
public static <TI extends SAMLObject, TO extends SAMLObject, TN extends SAMLObject>
SAMLMessageContext<TI, TO, TN> makeSamlMessageContext() {
return new BasicSAMLMessageContext<TI, TO, TN>();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
使用Java创建“ HTTP重定向绑定” SAML请求 - Create 'HTTP Redirect Binding' SAML Request using Java
如何正确解码 Java 中的 SAML 请求(HTTP 重定向)? - How can I properly decode a SAML request in Java (HTTP redirect)?
使用Spring,Tomcat和Java,如何使用HTTP标头重定向请求? - Using Spring, Tomcat, and Java, how do I redirect a request with HTTP headers?
查询字符串未保留在SAML HTTP重定向绑定中 - Query string not preserved in SAML HTTP Redirect binding
我如何使用 Java HTTP 请求的正文 stream - How do I stream the body of an HTTP request using Java
如何在Java中发送HTTP请求? - How do i send http request in java?
如何使用涉及重定向的标头在 Java 中执行 HTTP 请求 - How to perform HTTP request using headers that involves redirect in Java
使用OpenSaml3.1.1准备SAML身份验证请求 - Prepare SAML Authentication request using OpenSaml3.1.1
如何在Java上正确测量HTTP请求的时间 - How to correctly measure timing of http request on java
SAML用于HTTP绑定 - SAML for HTTP binding
相关标签