美文网首页
saml2.0(主要是idp端开发)

saml2.0(主要是idp端开发)

作者: 是你的小凉凉呀 | 来源:发表于2020-06-16 11:25 被阅读0次

    附上大佬文章:
    https://www.jianshu.com/p/d041935641b4
    https://www.jianshu.com/p/6f61fa7be0b6
    https://www.jianshu.com/p/6c72408fa480
    看了大佬的文章和demo基本能搞出来一套本地可用的saml2.0。
    在我开发过程中主要是我们作为IDP,做统一登录后发送给第三方SP做免登录。
    主要就几个过程:
    1.SP通过发送SAML AuthnRequest到IDP,来请求鉴别用户身份
    2.IDP验证身份,然后通过SAML产物响应(SAML Artifact Response)发送回SP
    其中几个点:
    1.记得初始化SAML,否则会出现NPE
    2.如果有需要POST请求,可通过简单form表单自动提交

    <html>
    <body>
    <form method="post" action="${url}" id="myForm">
        <input type="hidden" name="SAMLResponse" value="${responseValue}"/>
        <input type="hidden" name="RelayState" value="${xxx}"/>
        <input type="submit" value="Submit SAML2 Login Response"/></form>
    </body>
    </html>
    <script type="text/javascript">
        window.onload= function(){
            document.getElementById('myForm').submit();
        }
    </script>
    

    3.responseValue是response的base64加密
    4.opensaml 3 默认加密算法是sha256,如果需要sha1可能需要降低到opensaml 2
    5.opensaml 3 采用的是分开打包maven的方式,需要引入很多个模块,参考大佬文章,opensaml 2 是整体maven直接引入即可。例如:

    <!-- opensaml start -->
                <dependency>
                    <groupId>org.opensaml</groupId>
                    <artifactId>opensaml</artifactId>
                    <version>2.6.4</version>
                </dependency>
                <dependency>
                    <groupId>ch.qos.logback</groupId>
                    <artifactId>logback-core</artifactId>
                    <version>1.1.7</version>
                </dependency>
                <dependency>
                    <groupId>ch.qos.logback</groupId>
                    <artifactId>logback-classic</artifactId>
                    <version>1.1.7</version>
                </dependency>
                <dependency>
                    <groupId>commons-logging</groupId>
                    <artifactId>commons-logging</artifactId>
                    <version>1.2</version>
                </dependency>
                <dependency>
                    <groupId>org.opensaml</groupId>
                    <artifactId>xmltooling</artifactId>
                    <version>1.4.4</version>
                </dependency>
                <!-- opensaml end -->
    

    6.断言可以对assertion做,也可以对整个response做签名。根据需要自选。
    这个签名主要是idp端用证书私钥做签名,sp端用公钥做验签。
    我采用的是pfx的方式,把文件流读入,然后获取私钥,公钥。做签名

    public class CertificateUtils {
    
        private static final Logger LOGGER = LoggerFactory.getLogger(CertificateUtils.class);
    
        private static final String PFX_CERT_FILE_SUFFIX = ".pfx";
    
        public static X509CertificateWrapper getCertByFile(String fileName, String pfxOpenPwd) {
            if (isPfxCertFileName(fileName)) {
                return getPfxCert(fileName, pfxOpenPwd);
            } else {
                LOGGER.error("get pfx certificate info failed");
                throw new Exception(xxx);
            }
        }
    
        private static boolean isPfxCertFileName(String fileName) {
            return fileName.endsWith(PFX_CERT_FILE_SUFFIX);
        }
    
        private static X509CertificateWrapper getPfxCert(String fileName, String pfxOpenPwd){
            Assert.hasText(pfxOpenPwd, "pfx file open pwd missing");
            InputStream fileInputStream = getResourceAsStreamByFileName(fileName);
            return getPfxCertificate(fileInputStream, pfxOpenPwd);
        }
    
       //fileName 相对路径 比如resource/cert/xxx.pfx     fileName="cert/xxx.pfx"
        private static InputStream getResourceAsStreamByFileName(String fileName) {
            return Thread.currentThread().getContextClassLoader().getResourceAsStream(fileName);
        }
    
        private static char[] getFileOpenPwdChars(String fileOpenPwd) {
            if (StringUtils.isBlank(fileOpenPwd) || StringUtils.isBlank(StringUtils.trim(fileOpenPwd))) {
                return null;
            }
            return fileOpenPwd.toCharArray();
        }
    
        private static X509CertificateWrapper getPfxCertificate(InputStream inputStream, String pfxOpenPwd){
            X509CertificateWrapper x509CertificateWrapper = new X509CertificateWrapper(null, null) ;
            try {
                KeyStore ks = KeyStore.getInstance("PKCS12");
                char[] nPassword = getFileOpenPwdChars(pfxOpenPwd);
                ks.load(inputStream, nPassword);
                String keyAlias = getKeyAlias(ks);
                PrivateKey privateKey = (PrivateKey) ks.getKey(keyAlias, nPassword);
                X509Certificate cert = (X509Certificate) ks.getCertificate(keyAlias);
                String certStr = convertCertObj2certStr(cert);
                x509CertificateWrapper.setX509Certificate(cert);
                x509CertificateWrapper.setContent(certStr);
                x509CertificateWrapper.setPrivateKey(privateKey);
            } catch (KeyStoreException e) {
                throw new RuntimeException("Error occurred when read the pfx file stream", e);
            } catch (IOException e) {
                throw new RuntimeException("Error occurred when read the pfx file stream", e);
            } catch (NoSuchAlgorithmException e) {
                throw new RuntimeException("Error occurred when read the pfx file stream", e);
            } catch (CertificateException e) {
                throw new RuntimeException("Error occurred when read the pfx file stream", e);
            } catch (UnrecoverableKeyException e) {
                throw new RuntimeException("Error occurred when read the pfx file stream", e);
            } finally {
                try {
                    inputStream.close();
                } catch (IOException e) {
                    throw new RuntimeException("Error occurred when read the pfx file stream", e);
                }
            }
            return x509CertificateWrapper;
        }
    
        private static String getKeyAlias(KeyStore ks) throws KeyStoreException {
            Enumeration<String> aliases = ks.aliases();
            // we are read just one certificate.
            if (aliases.hasMoreElements()) {
                return aliases.nextElement();
            }
            return null;
        }
    
        public static String convertCertObj2certStr(Certificate certificate) {
            if (certificate == null) {
                return "";
            }
            try {
                String certStr = Base64.getEncoder().encodeToString(certificate.getEncoded());
                return certStr;
            } catch (CertificateEncodingException e) {
                LOGGER.error("convertCertObj2certStr error, CertificateEncodingException {}", e);
                return "";
            }
        }
    
    public class X509CertificateWrapper {
        private X509Certificate x509Certificate;
    
        private PrivateKey privateKey;
    
        private String content;
    
        public X509CertificateWrapper(X509Certificate x509Certificate, String content) {
            this.content = content;
            this.x509Certificate = x509Certificate;
        }
    
        public X509Certificate getX509Certificate() {
            return x509Certificate;
        }
    
        public void setX509Certificate(X509Certificate x509Certificate) {
            this.x509Certificate = x509Certificate;
        }
    
        public String getContent() {
            return content;
        }
    
        public PrivateKey getPrivateKey() {
            return privateKey;
        }
    
        public void setPrivateKey(PrivateKey privateKey) {
            this.privateKey = privateKey;
        }
    
        public void setContent(String content) {
            this.content = content;
        }
    }
    

    demo两个:
    opensaml 3.2.0
    https://github.com/sunrongxin7666/OpenSAML-ref-project-demo-v3

    opensaml 2.2.3
    https://github.com/xiaosiyuan/saml

    相关文章

      网友评论

          本文标题:saml2.0(主要是idp端开发)

          本文链接:https://www.haomeiwen.com/subject/hcylxktx.html