Authentication with SAML in Spring Boot

Question (votes: 1, answers: 1)

We are currently developing an application on Spring Boot 1.5 with Spring Security, using OAuth2 for authentication and authorization. Now we have a requirement to split off the authentication part and move it to a third party integrated through SAML.

Flow: login -> SAML authentication -> authenticated user -> authorization part handled by us (the roles part) -> generate our own token -> the user accesses resources with this token only.

How can I authorize the user in my Spring Security using only the userid and generate a custom token (customizing any Spring Security filter)?

How do I populate the Authentication object in my Spring Security filter (if an AuthenticationProvider is used)?

What is the best way to redirect to the IDP in the SAML authentication server?

What is the best way to implement the logout functionality?

How can I achieve these requirements? Can anyone suggest, as I am new to this?

My current configuration is entirely Java-configured:

**Spring Security, Resource server, Authorization server**

I am working on the sample provided in the documentation at https://github.com/vdenotaris/spring-boot-security-saml-sample

When starting the Spring Boot application, the following error occurs:

2017-12-29 10:15:12.192 ERROR 25076 --- [Metadata-reload] o.o.s.m.p.HTTPMetadataProvider : Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml

java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[?:1.8.0_66]
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_66]
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[?:1.8.0_66]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:434) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:286) ~[?:1.8.0_66]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:80) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:?]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) [opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) [opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) [opensaml-2.6.1.jar:?]
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_66]
    at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_66]

2017-12-29 10:15:12.193 DEBUG 25076 --- [Metadata-reload] .s.m.p.AbstractReloadingMetadataProvider : Error occurred while attempting to refresh metadata from 'http://idp.ssocircle.com/idp-meta.xml'

org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) [opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) [opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) [opensaml-2.6.1.jar:?]
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_66]
    at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_66]
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[?:1.8.0_66]
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_66]
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[?:1.8.0_66]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:434) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:286) ~[?:1.8.0_66]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:80) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:?]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.1.jar:?]
    ... 10 more

2017-12-29 10:15:12.194 INFO 25076 --- [Metadata-reload] .s.m.p.AbstractReloadingMetadataProvider : Next refresh cycle for metadata provider 'http://idp.ssocircle.com/idp-meta.xml' will occur on '2017-12-29T04:50:12.194Z' ('2017-12-29T10:20:12.194+05:30' local time)

2017-12-29 10:15:12.194 ERROR 25076 --- [Metadata-reload] o.o.s.m.p.AbstractMetadataProvider : Metadata provider failed to properly initialize, fail-fast=true, halting

org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:267) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) [opensaml-2.6.1.jar:?]
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_66]
    at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_66]
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar:?]
    ... 9 more
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[?:1.8.0_66]
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_66]
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[?:1.8.0_66]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:434) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:286) ~[?:1.8.0_66]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:80) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:?]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar:?]
    ... 9 more

2017-12-29 10:15:12.195 ERROR 25076 --- [Metadata-reload] o.s.s.s.m.MetadataManager : Initialization of metadata provider org.opensaml.saml2.metadata.provider.HTTPMetadataProvider@6ae8b7 failed, provider will be ignored

org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:267) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407) ~[opensaml-2.6.1.jar:?]
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
    at java.util.TimerThread.mainLoop(Timer.java:555) [?:1.8.0_66]
    at java.util.TimerThread.run(Timer.java:505) [?:1.8.0_66]
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from http://idp.ssocircle.com/idp-meta.xml
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar:?]
    ... 9 more
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[?:1.8.0_66]
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_66]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_66]
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[?:1.8.0_66]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_66]
    at java.net.Socket.connect(Socket.java:538) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:434) ~[?:1.8.0_66]
    at java.net.Socket.<init>(Socket.java:286) ~[?:1.8.0_66]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:80) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:?]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) ~[commons-httpclient-3.1.jar:?]
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250) ~[opensaml-2.6.1.jar:?]
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255) ~[opensaml-2.6.1.jar:?]
    ... 9 more

2017-12-29 10:15:12.196 DEBUG 25076 --- [Metadata-reload] o.s.s.s.m.MetadataManager : Reloading metadata was finished

How do I sort out this error? Can this sample be run and tested in a local environment, or do I need some external configuration?

spring-boot spring-security
1 Answer

1 vote

I suggest you start by implementing the spring-saml extension in your SP first. It will help you meet the following requirements:

How do I populate the Authentication object in my Spring Security filter (if an AuthenticationProvider is used)?

What is the best way to redirect to the IDP in the SAML authentication server?

What is the best way to implement the logout functionality?

Once your application is able to authenticate users against the IDP via SAML, extend the implementation of the SAMLAuthenticationProvider class. This class receives the assertion from the IDP and validates it. After the assertion has been validated, you can map the incoming authorities from the SAML token to local authorities through a custom implementation of userContextMapper. In this part you can generate a JWT token and use it for all API calls. Most IDPs provide an interface for exchanging a SAML token for an OAuth2 access token; in that case you do not have to generate any token.

Let me know if you need any further information or details.

Update:

http://idp.ssocircle.com/idp-meta.xml
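As an added illustration of the answer's approach (this is not the answerer's code nor the vdenotaris sample), the following shows the two pieces the answer describes for spring-security-saml2-core 1.0.x, the version in the stack trace above: a SAMLUserDetailsService that maps the validated assertion to a local principal with locally decided roles, and an AuthenticationSuccessHandler that mints the application's own token once the SAML login has succeeded. The attribute name `memberOf`, the group name `app-admins`, the class names and the hand-rolled HS256 JWT are all assumptions made for the example; a production service would use a maintained JWT library and load the key from configuration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/** Example wiring (hypothetical class; drop the @Bean method into your own @Configuration). */
public class SamlTokenIntegration {

    /** The IdP only proves identity; which local roles the user gets is decided here. */
    public static class SamlRoleMapper implements SAMLUserDetailsService {
        static final String GROUP_ATTRIBUTE = "memberOf"; // assumed; must match what the IdP releases

        @Override
        public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
            String userId = credential.getNameID().getValue();
            if (userId == null || userId.isEmpty()) {
                throw new UsernameNotFoundException("assertion carries no NameID");
            }
            List<GrantedAuthority> authorities = new ArrayList<>();
            authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
            String[] groups = credential.getAttributeAsStringArray(GROUP_ATTRIBUTE);
            if (groups != null) {
                for (String group : groups) {
                    // Allow-list the mapping; never turn IdP-supplied strings into roles verbatim.
                    if ("app-admins".equals(group)) {
                        authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                    }
                }
            }
            return new User(userId, "N/A", authorities); // no password for SAML logins
        }
    }

    /** Issues the application's own token; the resource server accepts nothing else. */
    public static class TokenIssuingSuccessHandler implements AuthenticationSuccessHandler {
        private final byte[] hmacKey;
        private final long ttlSeconds;

        public TokenIssuingSuccessHandler(byte[] hmacKey, long ttlSeconds) {
            if (hmacKey.length < 32) {
                throw new IllegalArgumentException("HS256 key must be at least 256 bits");
            }
            this.hmacKey = hmacKey.clone();
            this.ttlSeconds = ttlSeconds;
        }

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                            Authentication authentication) throws IOException, ServletException {
            User user = (User) authentication.getPrincipal(); // the object SamlRoleMapper returned
            try {
                String token = mint(user.getUsername(), user.getAuthorities());
                response.setContentType("application/json");
                response.getWriter().write("{\"token\":\"" + token + "\"}");
            } catch (GeneralSecurityException e) {
                throw new ServletException("token signing failed", e);
            }
        }

        /** Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC). */
        String mint(String subject, Collection<? extends GrantedAuthority> authorities)
                throws GeneralSecurityException {
            Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
            long now = Instant.now().getEpochSecond();
            StringBuilder roles = new StringBuilder();
            for (GrantedAuthority a : authorities) {
                if (roles.length() > 0) roles.append(',');
                roles.append('"').append(escape(a.getAuthority())).append('"');
            }
            String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
            String payload = "{\"sub\":\"" + escape(subject) + "\",\"roles\":[" + roles
                    + "],\"iat\":" + now + ",\"exp\":" + (now + ttlSeconds) + "}";
            String signingInput = b64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                    + b64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return signingInput + "." + b64.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8)));
        }

        private static String escape(String s) {
            return s.replace("\\", "\\\\").replace("\"", "\\\"");
        }
    }

    /** Keep the mapped User as principal (the provider defaults to a plain NameID string). */
    @Bean
    public SAMLAuthenticationProvider samlAuthenticationProvider() {
        SAMLAuthenticationProvider provider = new SAMLAuthenticationProvider();
        provider.setUserDetails(new SamlRoleMapper());
        provider.setForcePrincipalAsString(false);
        return provider;
    }
}
```

Register the success handler on the SAMLProcessingFilter with `setAuthenticationSuccessHandler(...)`; the cast to `User` in the handler only holds because `setForcePrincipalAsString(false)` makes the provider keep the mapped object as the principal. Whatever verifies the token on the resource side must check the signature with the same key and reject anything past `exp`, and the roles in the token come from the allow-list above, not from the assertion directly.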
