1
Okta를 이미 봄 보안이 구현 된 스프링 응용 프로그램에 통합하려고합니다. 성공적으로 응용 프로그램에 로그인 할 수있는 프로젝트에 스프링 샘을 성공적으로 추가했습니다. 그러나 기본 Java 키 저장소를 사용하고 설명서 (http://docs.spring.io/spring-security-saml/docs/current/reference/html/security.html) 제안 된 다른 jks 사용하고 싶습니다.SAML 문제 Okta에서
jam과 관련하여 spring saml 확장이 작동하는 방식에 대해 몇 가지 질문이 있습니다.
- 샘플 jks에는 두 개의 키가 있습니다. 하나는 PrivateKeyEntry이고 다른 하나는 trustedCertEntry입니다. "trustedCertEntry"는 IDP로부터 수집되어야하는 공개 키입니까?
- JKS는 어설 션 메시지의 암호를 해독하고 https 핸드 셰이크에 사용되지 않는다고 생각합니다. 그 가정이 맞습니까?
제공된 JKS를 apollo 및 startcom와 함께 사용하면 성공적으로 로그인 할 수 있습니다. 그러나 Okta의 SAML 구성에서 주장 암호화 (Encryption Algorithm : AES256-CBC, Key Transport Algorithm : RSA-OAEP)를 활성화하면 실패하기 시작합니다. IDP의 공개 키를 사용하지 않기 때문에 이것이라고 믿습니다. 그래서 Okta 인증서 파일을 받았습니다.
내가했던 CERT는 파일의 새로운 JKS를 만들고 가져올 다음
keytool -genkeypair -alias self-signed -keypass default1! -keystore samlKeystore.jks
keytool -importcert -alias okta-pub -file okta.cert -keystore samlKeystore.jks
그래서 지금 내 키 스토어는 다음과 같다 :
keytool -list -keystore samlKeystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
okta-pub, Jul 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): F2:2C:97:68:47:AF:17:B3:B0:9D:C0:07:09:2F:9A:90:DF:79:E5:CD
self-signed, Jul 19, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 99:21:35:CA:AA:AF:33:44:81:78:67:95:7A:1D:1D:6A:BA:5C:96:5D
나는 내 보안 컨텍스트 파일을 업데이트합니다
를<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="classpath:security/samlKeystore.jks"/>
<constructor-arg type="java.lang.String" value="default1!"/>
<constructor-arg>
<map>
<entry key="self-signed" value="default1!"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="self-signed"/>
</bean>
SAML 로그인을 시도 할 때이 예외가 발생합니다 :
[talledLocalContainer] 190716 12.43.03,777 {} {} {} ERROR (Decrypter.java:639) Failed to decrypt EncryptedKey, valid decryption key could not be resolved
[talledLocalContainer] 190716 12.43.03,777 {} {} {} ERROR (Decrypter.java:532) Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
[talledLocalContainer] 190716 12.43.03,778 {} {} {} ERROR (Decrypter.java:143) SAML Decrypter encountered an error decrypting element content
[talledLocalContainer] org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
여기에 언급 된 JCE 무제한 강도 라이브러리를 사용해 보았습니다 : Decrypting encrypted assertion using SAML 2.0 in java using OpenSAML. 하지만 그건 내 문제를 해결하지 못했습니다.
제안 사항? jks 파일을 올바르게 작성하고 있습니까?
편집 1 : 이 전체 스택 추적은이 :
[talledLocalContainer] 190716 13.45.27,717 {} {} {} ERROR (Decrypter.java:143) SAML Decrypter encountered an error decrypting element content
[talledLocalContainer] org.opensaml.xml.encryption.DecryptionException: Failed to decrypt EncryptedData
[talledLocalContainer] at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535) ~[xmltooling-1.4.1.jar:?]
[talledLocalContainer] at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442) ~[xmltooling-1.4.1.jar:?]
[talledLocalContainer] at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403) ~[xmltooling-1.4.1.jar:?]
[talledLocalContainer] at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) [opensaml-2.6.1.jar:?]
[talledLocalContainer] at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) [opensaml-2.6.1.jar:?]
[talledLocalContainer] at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
[talledLocalContainer] at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:87) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
[talledLocalContainer] at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) [spring-security-core-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:87) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
[talledLocalContainer] at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at com.aspectsecurity.contrast.teamserver.security.auth.rest.RestAuthenticationFilter.doFilter(RestAuthenticationFilter.java:67) [RestAuthenticationFilter.class:?]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.1.8.RELEASE.jar:4.1.8.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87) [spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.2.9.RELEASE.jar:3.2.9.RELEASE]
[talledLocalContainer] at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344) [spring-web-4.1.8.RELEASE.jar:4.1.8.RELEASE]
[talledLocalContainer] at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261) [spring-web-4.1.8.RELEASE.jar:4.1.8.RELEASE]
[talledLocalContainer] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.61]
[talledLocalContainer] at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.1.8.RELEASE.jar:4.1.8.RELEASE]
[talledLocalContainer] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.1.8.RELEASE.jar:4.1.8.RELEASE]
[talledLocalContainer] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.61]
[talledLocalContainer] at com.aspectsecurity.contrast.teamserver.webapp.filter.WebSecurityFilter.doFilter(WebSecurityFilter.java:79) [WebSecurityFilter.class:?]
[talledLocalContainer] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.61]
[talledLocalContainer] at com.aspectsecurity.contrast.teamserver.webapp.filter.ESAPIThreadLocalFilter.doFilter(ESAPIThreadLocalFilter.java:34) [ESAPIThreadLocalFilter.class:?]
[talledLocalContainer] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) [log4j-web-2.4.1.jar:2.4.1]
[talledLocalContainer] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423) [catalina.jar:7.0.61]
[talledLocalContainer] at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079) [tomcat-coyote.jar:7.0.61]
[talledLocalContainer] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620) [tomcat-coyote.jar:7.0.61]
[talledLocalContainer] at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318) [tomcat-coyote.jar:7.0.61]
[talledLocalContainer] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [?:1.7.0_79]
[talledLocalContainer] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [?:1.7.0_79]
[talledLocalContainer] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-coyote.jar:7.0.61]
[talledLocalContainer] at java.lang.Thread.run(Thread.java:745) [?:1.7.0_79]
정보를 제공해 주셔서 감사합니다. 당신이 제공 한 keytool 명령에 관해서; 왜 키 스토어를 인증서로 내 보낸 다음 다시 추가합니까? IDP에서 cert 파일을 가져 와서 import 명령을 수행했습니다. RSA에 대해''-keyalg RSA''' 명령을 사용 했습니까? – Dan
첫 번째 명령은 키 저장소를 생성합니다. 두 번째 명령은 IDP에로드 할 수있는 공용 인증서를 내 보냅니다. 세 번째는 IDP 인증서를로드하는 방법의 예입니다. 예, RSA를 만들기 위해 -keyalg RSA를 사용했습니다. – blur0224
문제점 : 나열한 두 번째 keytool 명령에서 .cer 파일을 내 보내지 않았습니다. 도움을 주셔서 감사합니다! – Dan