在解密Saml令牌时获取错误 [英] Getting error while decryptition of Saml token
问题描述
我在解密saml令牌时遇到错误。但是,重新启动服务器后,此问题不一致。它工作正常直到昨晚:(
I am getting error while decryption of saml token. However this issue is not consistent it works after restarting server. It was working properly till last night :(
DEBUG Decrypter:631 - Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed:
org.opensaml.xml.encryption.DecryptionException: Probable runtime exception on decryption:unknown parameter type.
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:705)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:628)
at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:783)
at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:524)
at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:442)
at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:403)
at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: unknown parameter type.
at org.bouncycastle.jce.provider.JCERSACipher.engineInit(Unknown Source)
at javax.crypto.Cipher.implInit(Cipher.java:791)
at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
at javax.crypto.Cipher.init(Cipher.java:1348)
at javax.crypto.Cipher.init(Cipher.java:1282)
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1475)
at org.opensaml.xml.encryption.Decrypter.decryptKey(Decrypter.java:697)
... 41 more
09:21:51,120 ERROR Decrypter:639 - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
09:21:51,120 DEBUG Decrypter:787 - Attempt to decrypt EncryptedData using key extracted from EncryptedKey faile
之前我得到了invalide密钥大小错误,我在$ b $的帮助下修复了b Spring SAML ADFS:java.security.InvalidKeyException 。但是我不确定它是否会对美国的安全政策法产生任何影响。
Earlier I was getting invalide key size error which I fixed with the help of Spring SAML ADFS: java.security.InvalidKeyException. However I am not sure whether it will have any impact on US security policy law.
但是这个解密异常没有得到解决而且不一致。有一段时间它在重新启动服务器后开始工作。
But this decrypt exception is not getting resolved and its not consistent. Some time it starts working after restarting server.
我在过去2-3天内尝试了所有这些以及所有内容。我认为问题发生在元数据刷新之后,所以我尝试将下面的属性添加到ResourceBackedMetadataProvider bean但没有运气。
I tried each and everything in last 2-3 days. I thought issue occurs after metadata refresh so I tried adding below property to ResourceBackedMetadataProvider bean but no luck.
<property name="parserPool" ref="parserPool"/>
<property name="minRefreshDelay" value="120000"/>
<property name="maxRefreshDelay" value="300000"/>
然后我调试WebSSOProfileConsumerImpl.java代码,认为这个问题与 jira 所以我签出了最新的代码并创建了新的jar并添加到我的项目中但没有运气。
Then i debug WebSSOProfileConsumerImpl.java code thought this mught be the issue related to jira so I checkout the latest code and create new jar and added to my project but no luck.
推荐答案
在调试和谷歌搜索花了一个星期之后,我决定用一点点黑客解决这个问题。
After spending one week in debugging and googling, I have decide to fix this issue with a little hack.
我从gitHub Repository的master分支检查了Spring-Saml源代码并构建jar并将其导入到我的项目中。我认为这个 SES-144 问题与我的相似,所以我尝试了最新的代码,没有运气。
I checked out Spring-Saml source code from Master branch of gitHub Repository and build jar and import it into my project. I thought this SES-144 issue is similar to mine, so I tried with latest code but no luck.
所以我决定调试xmlTooling.jar代码并找到确切的失败点并覆盖以下方法 decryptKey(EncryptedKey encryptedKey ,字符串算法)在 XMLCipher.java 中,代码如下。
So I decided to to debug xmlTooling.jar code and find the exact point of failure and overwrote the below method decryptKey(EncryptedKey encryptedKey, String algorithm) in XMLCipher.java with below code.
Cipher c = constructCipher(encryptedKey.getEncryptionMethod()
.getAlgorithm(), encryptedKey.getEncryptionMethod()
.getDigestAlgorithm());
Instead of calling
c.init(4, key, oaepParameters);
used below code and removed if/else block
c.init(4, key);
您可以从 github
您需要使用pom.xml文件中的以下行更新saml依赖项使用这个自定义jar
You need to update your saml dependency with below lines in pom.xml file to use this custom jar
<dependency>
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml2-core</artifactId>
<version>1.0.1.RELEASE</version>
<exclusions>
<exclusion>
<artifactId>xmlsec</artifactId>
<groupId>org.apache.santuario</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<artifactId>xmlsec</artifactId>
<groupId>org.apache.santuario</groupId>
<version>1.5.6-custom</version>
</dependency>
如果有人找到更好的解决方案,请告诉我。
If anyone find better solution please let me know.
这篇关于在解密Saml令牌时获取错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
