堆栈内存溢出
  简体   繁体   English

SAML2-响应没有任何可以通过主题验证的有效断言

[英]SAML2 - Response doesn't have any valid assertion which would pass subject validation

 原文  2019-04-14 11:51:36       java/ spring-security/ saml-2.0/ spring-security-saml2

问题描述

I had a solution to authenticate using SAML2 that integrates correctly with the idp in the test enviroment. 我有一个使用SAML2进行身份验证的解决方案,该解决方案已与测试环境中的idp正确集成。 Then now in the production server I am getting this error when the saml response (POST redirection) is handled in our server. 然后,现在在生产服务器中,当在我们的服务器中处理saml响应(POST重定向)时,出现此错误。 I had a look to the SAML2 response and it is correct, same than the one in the test server. 我查看了SAML2响应,它是正确的,与测试服务器中的响应相同。 So it must be something in our side. 因此,这一定是我们这边的事情。 

org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:101)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:92)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:315)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

 Caused by: org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
... 37 more
Caused by: org.opensaml.xml.security.SecurityException: Error extracting certificates from X509Data
at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.extractCertificates(InlineX509DataProvider.java:195)
at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.process(InlineX509DataProvider.java:126)
at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChild(BasicProviderKeyInfoCredentialResolver.java:300)
at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChildren(BasicProviderKeyInfoCredentialResolver.java:256)
at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfo(BasicProviderKeyInfoCredentialResolver.java:190)
at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.resolveFromSource(BasicProviderKeyInfoCredentialResolver.java:149)
at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
at org.opensaml.security.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:275)
at org.springframework.security.saml.trust.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:123)
at org.opensaml.security.MetadataCredentialResolver.resolveFromSource(MetadataCredentialResolver.java:178)
at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:98)
at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)
at org.springframework.security.saml.websso.AbstractProfileBase.verifySignature(AbstractProfileBase.java:271)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionSignature(WebSSOProfileConsumerImpl.java:419)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:292)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
... 38 more

Caused by: java.security.cert.CertificateException: Unable to decode X.509 certificates
at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:362)
at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.extractCertificates(InlineX509DataProvider.java:192)
... 56 more
Caused by: java.security.KeyStoreException: failed to extract any certificates or private keys - maybe bad password?
at org.apache.commons.ssl.KeyStoreBuilder.parse(KeyStoreBuilder.java:443)
at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:213)
at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
... 59 more

1 个解决方案

解决方案1
 1 已采纳  2019-04-15 07:35:54

Finally I figured it out: 终于我弄清楚了:

This problem happens because of the version of the library spring-security-saml2-core used. 由于使用的库spring-security-saml2-core的版本而发生此问题。 It seems there are some bugs or limitations, probably in opensaml or the library not-yet-commons-ssl . 似乎有些错误或限制,可能在opensaml或库not-yet-commons-ssl中

The solution is to update spring-security-saml2 to the latest version (currently 1.0.9). 解决方案是将spring-security-saml2更新到最新版本(当前为1.0.9)。 It also seems that this issue was not happening in first versions of spring-security-saml2 似乎在spring-security-saml2的第一个版本中也没有发生此问题

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring security ADFS SSO 集成 - 响应没有任何可以通过主题验证的有效断言 - Spring security ADFS SSO integration - Response doesn't have any valid assertion which would pass subject validation SAML2 SSO断言使用者 - SAML2 SSO Assertion Consumer 为什么这不是有效的saml2请求? - Why is this not a valid saml2 request? SAML断言响应 - SAML Assertion response 使用 OpenSAML 3 的 SAML 断言验证 - SAML Assertion Validation using OpenSAML 3 断言中的 SAML 签名验证 - SAML Signature validation within Assertion 在Java中生成SAML响应/声明 - Generate SAML response/assertion in java 创建SAML断言并签署响应 - Create SAML Assertion and Sign the response 如何通过有效的SAML 2.0断言登录? - How to login throught a valid SAML 2.0 assertion? 如何在saml2的Subject标签中添加x509Data标签和keyInfo标签 - How to add x509Data tag and keyInfo tag in Subject tag in saml2
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM