Spring SAML ADFS:java.security.InvalidKeyException [英] Spring SAML ADFS: java.security.InvalidKeyException

问题描述

我的任务是使用 LDAP 实现对 Active Directory 联合身份验证服务 (SSL) 的可访问性.首先不得不说，我在ADFS和SAML方面的经验非常少.我决定采用 Spring Security SAML 扩展来实现此功能.我从 GIThub 下载并安装 Spring Security 项目的 SAML 扩展:https://github.com/spring-projects/spring-security-saml

I have the task to implement a accessibility to an Active Directory Federation Services (SSL) with a LDAP behind. At first I have to to say that my experience in ADFS and SAML is very small. I have decide to take the Spring Security SAML Extension to implement this feature. I download and install the SAML extension for the Spring Security project from GIThub: https://github.com/spring-projects/spring-security-saml

我在官方文档中找到http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/在6. IDP 集成指南"点下，我已经完成了所有说明.

I found in the official documentation http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/ under point "6. IDP integration guide" the instructions which I have all done.

• 我从 ADFS 服务器下载元数据
• 我将下载的元数据存储在 saml2-sample/WEB-INF/src/main/resources/security/FederationMetadata.xml 并增强了 securityContext.xml 的描述方式
• 启动 Web 应用程序后，系统会自动生成元数据文档
• 我创建了一个 metadata.xml 并将其提供给 ADFS 服务器的系统管理员
• 系统管理员完成其余的点.

在此之后我想测试登录.在我选择 IDP 并单击登录按钮后，系统要求我提供凭据.传输凭据后，我得到以下结果/异常:

After this I wanted test the Login. After I select the IDP and click at the Login-Button, I was asked for the credentials. After transmit the credentials I get the following result / exception:

- Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
- SAML protocol message was not signed, skipping XML signature processing
- Successfully decoded message.
- Checking SAML message intended destination endpoint against receiver endpoint
- Intended message destination endpoint: ........
- Actual message receiver endpoint: ........
- SAML message intended destination endpoint matched recipient endpoint
- Verifying issuer of the message
- Decrypting assertion
- Getting key iterator from next resolver: class org.opensaml.xml.encryption.InlineEncryptedKeyResolver
- Found matching encrypted key: org.opensaml.xml.encryption.impl.EncryptedKeyImpl@78f5b81e
- Added decryption key algorithm criteria: RSA
- Error decrypting the encrypted data element
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:574)
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:763)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:513)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:190)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:724)

有人能帮我解决这个问题吗?

Can anybody help me with this problem?

最好的问候托马斯

推荐答案

这可能是由于 Java 最初有限的加密功能造成的.Spring Securtiy SAML 扩展的文档可能会对这个问题产生影响:

This is probably caused by the initially limited cryptographic capabilities of Java. The documentation of the Spring Securtiy SAML extension, might give one a hit with this issue:

由于美国的出口限制，Java JDK 附带了一组有限的密码学能力.使用 SAML 扩展可能需要安装 Unlimited Strength Jurisdiction Policy Files消除了这些限制.

Due to US export limitations Java JDK comes with a limited set of cryptography capabilities. Usage of the SAML Extension might require installation of the Unlimited Strength Jurisdiction Policy Files which removes these limitations.

您可以从 http://www.oracle.com/technetwork/java/javase/downloads/index.html - 这应该可以解决问题.

You can pick up the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from http://www.oracle.com/technetwork/java/javase/downloads/index.html - this should solve the issue.

这篇关于Spring SAML ADFS:java.security.InvalidKeyException的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！