jks

jks

关注
发信
关注(28)粉丝(399)

java - 如何通过jks或签名元数据使用Spring SAML代码

IDP仅提供.crt文件和元数据xml文件,IDP告诉我们没有.crt文件的密码,我使用以下命令创建了jks文件:keytool -import -alias zoom -trustcacerts -file qa.crt -keystore keystory.jks 。
现在,我下载了春季的SAML演示代码,并将securiyContext.xml更改为以下内容:

-------- matadata.xml ---------------------

<md:EntityDescriptor entityID="gene.com" cacheDuration="PT1440M" ID="dfhGJ7yKW7C3nvicVEN.puf7bSh" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#dfhGJ7yKW7C3nvicVEN.puf7bSh">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>lSCVZb+3JcGXnhwYj5IQqxaM2UaBbmiTOYa/fO5NRAo=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
        {my ds:SignatureValue}
    </ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
                {my ds:X509Certificate}
            </ds:X509Certificate>
        </ds:X509Data>
        <ds:KeyValue>
            <ds:RSAKeyValue>
                <ds:Modulus>
                    {my ds:Modulus}
                </ds:Modulus>
                <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
        </ds:KeyValue>
    </ds:KeyInfo>
</ds:Signature>
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
                    {my ds:X509Certificate}
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Location="https://b2bqa.roche.com/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleSignOnService Location="https://b2bqa.roche.com/idp/SSO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="WorkPhone" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="ChrisID" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Account" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Department" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="MobilePhone" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Sex" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="administrative">
    <md:Company>Genentech Inc.,</md:Company>
    <md:GivenName>IAM-DFS</md:GivenName>
    <md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>







<bean id="samlMetadataManager" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <bean id="samlRocheIDP" class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">classpath:qa.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="samlParserPool"/>
            </bean>
        </list>
    </constructor-arg>
</bean>


-------------- securiyContext.xml --------------------
但是在SP初始化的地方总是失败,错误消息:

Signature verification failed.
Signature trust establishment failed for metadata entry https://b2b.roche.com
Error filtering metadata from E:\Workspace2\saml\spring-security-saml\target\classes\qa.xml


我的问题是如何将spring saml与签名的元数据xml文件集成在一起。我应该创建另一个jks文件吗?我已经克隆了许多Java演示,他们在springWebSecurityContext.xml中配置了元数据xml文件和jks文件。

但是我认为元数据xml已经包含证书和密钥。我认为我不再需要配置jks文件了,对吗?

您能帮我找出如何将saml集成到我的项目中吗?谢谢大家!

最佳答案

确保您具有正确的.jks文件。您将需要一个bean作为keyManager。

@Bean
public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource storeFile = loader
        .getResource("classpath:/saml/keystore.jks");
    String storePass = "nalle123";
    Map<String, String> passwords = new HashMap<String, String>();
    String defaultKey = "apollo";
    passwords.put("apollo", "nalle123");
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}


您可以在地图中为此设置多个键和密码,但默认情况下需要一个。 MetadataGenerator bean也使用此bean

您可以在密钥库中导入证书,可以使用以下脚本

IDP_HOST=<hostip>
IDP_PORT=<port>
CERTIFICATE_FILE=certfile.cert
KEYSTORE_FILE=keystore.jks
KEYSTORE_PASSWORD=<password>

openssl s_client -host $IDP_HOST -port $IDP_PORT -prexit -showcerts </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $CERTIFICATE_FILE
keytool.exe -delete -alias <put alias name here> -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD
keytool.exe -import -alias <put alias name here> -file $CERTIFICATE_FILE -
keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD -noprompt

关于java - 如何通过jks或签名元数据使用Spring SAML代码,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/52378630/

10-11 10:26
Powered by LMLPHP ©2024 jks 0.032971