Spring SAML 中的 SSL 对等主机名验证失败 [英] SSL peer failed hostname validation in Spring SAML

问题描述

我正在尝试将我的 Spring Boot 项目配置为针对第三方 IDP 使用 SAML 身份验证.我已经实现了使 vdenotaris 的配置与SSOCircle 提供程序，现在我想将其切换到其他提供程序.

I'm trying to configure my Spring Boot project to use SAML authentication against a third party IDP. I've already achieved to make the configuration from vdenotaris work with the SSOCircle provider and now I want to switch it to the other provider.

SAML 元数据端点启用了 HTTPS，我已经使用元数据中提供的证书(用于签名和加密)和 HTTP 端点提供的证书(基于 这个答案).然后，我将它们保存在证书文件 ($CERTIFICATE_FILE) 中，并使用此脚本生成我的密钥库:

The SAML metadata endpoint is HTTPS enabled and I've already created a keystore with both the certificate given in metadata (which is used for signing and encryption) and the one provided by the HTTP endpoint (based in this answer). Then, I save them in a cert file ($CERTIFICATE_FILE) and I use this script to generate my keystore:

keytool -delete -alias third-party -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD
keytool -import -alias third-party -file $CERTIFICATE_FILE -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD -noprompt
keytool -genkeypair -alias mycompany -keypass mycompanypass -keystore $KEYSTORE_FILE

然后，当使用此密钥库检索 SAML 元数据时，我收到此错误:

Then, when using this keystore to retrieve the SAML metadata, I get this error:

org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://third.party.provider/metadata
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274)
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:267)
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.doInitialization(AbstractReloadingMetadataProvider.java:236)
    at org.opensaml.saml2.metadata.provider.AbstractMetadataProvider.initialize(AbstractMetadataProvider.java:407)
    at org.springframework.security.saml.metadata.ExtendedMetadataDelegate.initialize(ExtendedMetadataDelegate.java:167)
    at org.springframework.security.saml.metadata.MetadataManager.initializeProvider(MetadataManager.java:412)
    at org.springframework.security.saml.metadata.MetadataManager.refreshMetadata(MetadataManager.java:238)
    at org.springframework.security.saml.metadata.CachingMetadataManager.refreshMetadata(CachingMetadataManager.java:86)
    at org.springframework.security.saml.metadata.MetadataManager$RefreshTask.run(MetadataManager.java:1040)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from https://third.party.provider/metadata
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:274)
    at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:255)
    ... 9 common frames omitted
Caused by: javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
    at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:186)
    at org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:97)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
    at org.opensaml.saml2.metadata.provider.HTTPMetadataProvider.fetchMetadata(HTTPMetadataProvider.java:250)
    ... 10 common frames omitted

这些是我基于 vdenotaris 链接项目中的配置的相关部分:

These ones are the relevant parts of my configuration based in the linked project by vdenotaris:

// Setup TLS Socket Factory
@Bean
public TLSProtocolConfigurer tlsProtocolConfigurer() {
    return new TLSProtocolConfigurer();
}

@Bean
public ProtocolSocketFactory socketFactory() {
    return new TLSProtocolSocketFactory(keyManager(), null, "allowAll");
}

@Bean
public Protocol socketFactoryProtocol() {
    return new Protocol("https", socketFactory(), 443);
}

@Bean
public MethodInvokingFactoryBean socketFactoryInitialization() {
    MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
    methodInvokingFactoryBean.setTargetClass(Protocol.class);
    methodInvokingFactoryBean.setTargetMethod("registerProtocol");
    Object[] args = { "https", socketFactoryProtocol() };
    methodInvokingFactoryBean.setArguments(args);
    return methodInvokingFactoryBean;
}

// Central storage of cryptographic keys
@Bean
public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource storeFile = loader.getResource("classpath:/saml/mySamlKeystore.jks");
    String storePass = "storepass";
    Map<String, String> passwords = new HashMap<String, String>();
    passwords.put("mycompany", "mycompanypass");
    String defaultKey = "mycompany";
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}

然而，在这里我发现了一些误解.据我所知，TLSProtocolConfigurer 自己创建了一个 TLSProtocolSocketFactory，那么为什么示例项目会同时创建两个 bean?根据 docs 使用 TLSProtocolConfigurer 应该就足够了，但是如何创建 socketFactoryProtocol()?

However, here I found some misconceptions. As far as I know, the TLSProtocolConfigurer creates a TLSProtocolSocketFactory itself, why is the sample project creating both beans then? According to the docs using TLSProtocolConfigurer should be enough, but how to create socketFactoryProtocol()?

如果能在这里提供一些光线，我将不胜感激.

I would be grateful to have some light in here.

推荐答案

我没有为导入的证书文件提供密码:

I wasn't providing the password for the imported cert file:

@Bean
public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource storeFile = loader.getResource("classpath:/saml/mySamlKeystore.jks");
    String storePass = "storepass";
    Map<String, String> passwords = new HashMap<String, String>();
    passwords.put("mycompany", "mycompanypass");
    passwords.put("third-party", "mycompanypass");
    String defaultKey = "mycompany";
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}

有了这个，应用程序可以从密钥库中读取证书并信任它们，而无需将它们安装在 JDK cacerts 中.

With this, the application can read the certs from the keystore and trust them, without the need of installing them in the JDK cacerts.

这篇关于Spring SAML 中的 SSL 对等主机名验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！