亚洲视频二区_亚洲欧洲日本天天堂在线观看_日韩一区二区在线观看_中文字幕不卡一区

本文介紹了使用G Suite作為IdP的Spring Security SAML2的處理方法，對(duì)大家解決問題具有一定的參考價(jià)值，需要的朋友們下面隨著小編來一起學(xué)習(xí)吧！

問題描述

我正在嘗試使用Spring Security(5.3.3.RELEASE)來處理Spring Boot應(yīng)用程序中的SAML2身份驗(yàn)證。帶有BE SP和G Suite的Spring Boot應(yīng)用程序?qū)⒊蔀镮dP。

在我的Maven pom.xml文件中有：

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-saml2-service-provider</artifactId>
        </dependency>

在我的代碼中有：

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Bean
    public RelyingPartyRegistration googleRegistration() throws CertificateException {

        final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
        final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
        final String registrationId = "gsuite";
        final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
        final byte[] certBytes = ("-----BEGIN CERTIFICATE-----
" +
                "REDACTED
" +
                "-----END CERTIFICATE-----").getBytes();
        final InputStream is = new ByteArrayInputStream(certBytes);
        final CertificateFactory cf = CertificateFactory.getInstance("X.509");
        final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);

        final Saml2X509Credential credential = new Saml2X509Credential(cert,
                Saml2X509CredentialType.SIGNING); // THIS IS THE PROBLEM

        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .providerDetails(config -> config.entityId(idpEntityId))
                .providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
                .credentials(c -> c.add(credential))
                .localEntityIdTemplate(localEntityIdTemplate)
                .assertionConsumerServiceUrlTemplate(acsUrlTemplate)
                .build();
    }

    @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(
            final RelyingPartyRegistration googleRegistration) {

        return new InMemoryRelyingPartyRegistrationRepository(googleRegistration);
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {

        http
                .authorizeRequests(authorize -> authorize
                        .anyRequest().authenticated())
                .saml2Login();
    }
}

問題是我需要一個(gè)簽名密鑰，但是final Saml2X509Credential credential = new Saml2X509Credential(cert, Saml2X509CredentialType.SIGNING);行拋出了一個(gè)異常，因?yàn)槟仨殞?code>PrivateKey傳遞給該構(gòu)造函數(shù)才能將其用于SIGNING類型。但是，如果我使用該憑據(jù)進(jìn)行驗(yàn)證，應(yīng)用程序?qū)⑹?，并且需要簽名密鑰。

G Suite僅提供一個(gè)元數(shù)據(jù)XML文件(Spring Security不支持)和一個(gè).pem文件。我將.pem文件中的所有文本復(fù)制到上面的字符串中以生成X509證書。

在Spring Security SAML的文檔中，他們顯示2個(gè)證書，但G Suite只提供1個(gè)。我是否應(yīng)該從.pem文件生成PrivateKey？如果是，如何？

推薦答案

開始工作！

密鑰正在禁用簽名。

    @Bean
    public RelyingPartyRegistration googleRegistration() throws CertificateException {

        // remote IDP entity ID
        final String idpEntityId = "https://accounts.google.com/o/saml2?idpid=REDACTED";
        // remote WebSSO Endpoint - Where to Send AuthNRequests to
        final String webSsoEndpoint = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED";
        // local registration ID
        final String registrationId = "gsuite";
        // local entity ID - autogenerated based on URL
        final String localEntityIdTemplate = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
        // local SSO URL - autogenerated, endpoint to receive SAML Response objects
        final String acsUrlTemplate = "{baseUrl}/login/saml2/sso/{registrationId}";
        // local signing (and local decryption key and remote encryption certificate)
        final byte[] certBytes = ("-----BEGIN CERTIFICATE-----
" +
                "REDACTED
" +
                "-----END CERTIFICATE-----").getBytes();
        final InputStream is = new ByteArrayInputStream(certBytes);
        final CertificateFactory cf = CertificateFactory.getInstance("X.509");
        final X509Certificate cert = (X509Certificate) cf.generateCertificate(is);

        final Saml2X509Credential credential = new Saml2X509Credential(cert,
                Saml2X509CredentialType.VERIFICATION, Saml2X509CredentialType.ENCRYPTION);

        return RelyingPartyRegistration.withRegistrationId(registrationId)
                .providerDetails(config -> config.entityId(idpEntityId))
                .providerDetails(config -> config.webSsoUrl(webSsoEndpoint))
                .providerDetails(config -> config.signAuthNRequest(false)) // THIS IS THE KEY
                .credentials(c -> c.add(credential))
                .localEntityIdTemplate(localEntityIdTemplate)
                .assertionConsumerServiceUrlTemplate(acsUrlTemplate)
                .build();
    }

這篇關(guān)于使用G Suite作為IdP的Spring Security SAML2的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，