SP implementation using Spring SAML extension with Google App Engine in Java


Problem description


I'm trying to make an SP hosted on Google App Engine, with a third-party IdP, and I'm facing multiple problems.

I'm using the Spring SAML extension for Java. I was able to run the standalone (not in GAE) demo app from the official guide http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/chapter-quick-start.html using as IdP idp.ssocircle.com.

Now my problem comes when I try to integrate this code into my GAE project. When running with GAE I can get to the phase where I'm redirected to do the login on ssocircle.com, and from there, when I should be redirected back to my page, I'm getting this error: "Error 401 Authentication Failed: Error decoding incoming SAML message", and in the local GAE server logs I can see this message:

"[INFO] Dec 17, 2014 5:21:23 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry [INFO] INFO: I/O exception (java.net.SocketException) caught when processing request: Permission denied: Not allowed to issue a socket bind: permission denied."

I was wondering if this is a limitation from GAE regarding sockets: 1) Sockets are available only for paid apps (I don't have a paid app, but could consider this option). 2) You cannot create a listen socket; you can only create outbound sockets. 3) You cannot bind to specific IP addresses or ports (for me this one sounds like it is my problem).

And when I tried to deploy on GAE, the app remained in a start-up loop because of other errors regarding "nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "modifyThreadGroup")", which sounds like another GAE limitation to me.

At some point I was ready to give up, because I was thinking that the SAML Spring extension can't work with GAE, because of the limitations present on GAE. But I see you have the same project running as a demo on GAE (or at least I think it is running on GAE because of the appspot part in the domain name). https://saml-federation.appspot.com/saml/discovery?returnIDParam=idp&entityID=saml-federation.appspot.com

I would appreciate it if you could give me some hints regarding my problems, and best would be if you could help me with the source code of this demo project (I could not find it anywhere), and all the configuration that is needed for GAE.

Solution

I've created a new repository https://github.com/vschafer/spring-security-saml-gae which includes instructions for deployment of Spring SAML applications on Google Application Engine. It also includes classes helping to avoid issues you're facing (sockets and threads).

In order to use it:

  • include the jar created from the repo in your project
  • use the provided org.springframework...StaticFilesystemMetadataProvider for loading of your metadata
  • in case you are using HTTP-Artifact binding replace bean org.springframework...ArtifactResolutionProfileImpl with org.springframework...google.ArtifactResolutionProfileGAE

Please comment if you spot some mistakes in the documentation or code.
