SAML-based SSO using Spring Security with JAVA 11 fails with java.security.KeyStoreException: Uninitialized keystore
0 votes
/ April 4, 2019

I have an application that supports SAML-based SSO using Spring Security. After a successful authentication from the CAS (e.g. PingFederate), I get the following error: ERROR [STDERR] java.security.KeyStoreException: Uninitialized keystore

I am using spring-security-saml2-core.jar (Implementation-Version: 1.0.5.RELEASE, Created-By: 1.8.0_144 (Oracle Corporation)) for this.

This worked on JAVA 8 but stopped working after moving to JAVA 11. After some research I came to know that this is because the PKCS12 keystore type is the default from JAVA 9 onwards (before Java 9 it was JKS).

But the Spring Security SAML extension I am using [spring-security-saml2-core.jar, Implementation-Version: 1.0.5.RELEASE, Created-By: 1.8.0_144 (Oracle Corporation)] only has the JKSKeyManager and EmptyKeyManager implementations.

I tried implementing the org.springframework.security.saml.key.KeyManager interface to support a PKCS12KeyManager, so that it reads a pkcs12 keystore. But that does not work.

Workaround:

- Update the keystore.type property in the <JAVAInstallDir>\conf\security\java.security file to keystore.type=pkcs12
- Restart the application, and it works as it did before.

Note: this workaround affects all applications that use the same JAVA installation. Hence I am looking for a proper solution.

This is how I load the KeyManager bean:

@Bean
public KeyManager keyManager() {
    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource storeFile = loader
            .getResource(properties.getStoreFile());
    String storePass = properties.getStorePass();
    Map<String, String> passwords = new HashMap<>();
    passwords.put(properties.getDefaultKey(), properties.getPassword());
    String defaultKey = properties.getDefaultKey();
    return new JKSKeyManager(storeFile, storePass, passwords, defaultKey);
}

I expect the SAML-based SSO to keep working smoothly (after moving to JAVA 11), but I am getting the following error (stack trace):

2019-04-04 16:09:34,644 ERROR [STDERR] java.security.KeyStoreException: Uninitialized keystore
2019-04-04 16:09:34,646 ERROR [STDERR]  at java.base/java.security.KeyStore.aliases(KeyStore.java:1267)
2019-04-04 16:09:34,647 ERROR [STDERR]  at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:233)
2019-04-04 16:09:34,648 ERROR [STDERR]  at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
2019-04-04 16:09:34,649 ERROR [STDERR]  at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:170)
2019-04-04 16:09:34,653 ERROR [STDERR]  at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:175)
2019-04-04 16:09:34,655 ERROR [STDERR]  at org.apache.commons.ssl.TrustMaterial.<clinit>(TrustMaterial.java:88)
2019-04-04 16:09:34,656 ERROR [STDERR]  at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
2019-04-04 16:09:34,657 ERROR [STDERR]  at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
2019-04-04 16:09:34,658 ERROR [STDERR]  at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
2019-04-04 16:09:34,659 ERROR [STDERR]  at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.extractCertificates(InlineX509DataProvider.java:192)
2019-04-04 16:09:34,660 ERROR [STDERR]  at org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider.process(InlineX509DataProvider.java:126)
2019-04-04 16:09:34,661 ERROR [STDERR]  at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChild(BasicProviderKeyInfoCredentialResolver.java:300)
2019-04-04 16:09:34,667 ERROR [STDERR]  at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfoChildren(BasicProviderKeyInfoCredentialResolver.java:256)
2019-04-04 16:09:34,668 ERROR [STDERR]  at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.processKeyInfo(BasicProviderKeyInfoCredentialResolver.java:190)
2019-04-04 16:09:34,669 ERROR [STDERR]  at org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver.resolveFromSource(BasicProviderKeyInfoCredentialResolver.java:149)
2019-04-04 16:09:34,670 ERROR [STDERR]  at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
2019-04-04 16:09:34,671 ERROR [STDERR]  at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
2019-04-04 16:09:34,673 ERROR [STDERR]  at org.opensaml.security.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:275)
2019-04-04 16:09:34,674 ERROR [STDERR]  at org.springframework.security.saml.trust.MetadataCredentialResolver.retrieveFromMetadata(MetadataCredentialResolver.java:123)
2019-04-04 16:09:34,678 ERROR [STDERR]  at org.opensaml.security.MetadataCredentialResolver.resolveFromSource(MetadataCredentialResolver.java:178)
2019-04-04 16:09:34,680 ERROR [STDERR]  at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
2019-04-04 16:09:34,681 ERROR [STDERR]  at org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:37)
2019-04-04 16:09:34,682 ERROR [STDERR]  at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:98)
2019-04-04 16:09:34,683 ERROR [STDERR]  at org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine.validate(ExplicitKeySignatureTrustEngine.java:49)
2019-04-04 16:09:34,684 ERROR [STDERR]  at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:104)
2019-04-04 16:09:34,686 ERROR [STDERR]  at org.opensaml.ws.security.provider.BaseTrustEngineRule.evaluate(BaseTrustEngineRule.java:91)
2019-04-04 16:09:34,687 ERROR [STDERR]  at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:128)
2019-04-04 16:09:34,691 ERROR [STDERR]  at org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate(SAMLProtocolMessageXMLSignatureSecurityPolicyRule.java:107)
2019-04-04 16:09:34,692 ERROR [STDERR]  at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
2019-04-04 16:09:34,694 ERROR [STDERR]  at org.opensaml.ws.message.decoder.BaseMessageDecoder.processSecurityPolicy(BaseMessageDecoder.java:132)
2019-04-04 16:09:34,695 ERROR [STDERR]  at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:83)
2019-04-04 16:09:34,696 ERROR [STDERR]  at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70)
2019-04-04 16:09:34,697 ERROR [STDERR]  at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105)
2019-04-04 16:09:34,698 ERROR [STDERR]  at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172)
2019-04-04 16:09:34,704 ERROR [STDERR]  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
2019-04-04 16:09:34,705 ERROR [STDERR]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2019-04-04 16:09:34,706 ERROR [STDERR]  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
2019-04-04 16:09:34,708 ERROR [STDERR]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2019-04-04 16:09:34,709 ERROR [STDERR]  at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
2019-04-04 16:09:34,710 ERROR [STDERR]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2019-04-04 16:09:34,717 ERROR [STDERR]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
2019-04-04 16:09:34,718 ERROR [STDERR]  at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
2019-04-04 16:09:34,719 ERROR [STDERR]  at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
2019-04-04 16:09:34,720 ERROR [STDERR]  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
2019-04-04 16:09:34,721 ERROR [STDERR]  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
2019-04-04 16:09:34,724 ERROR [STDERR]  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
2019-04-04 16:09:34,729 ERROR [STDERR]  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
2019-04-04 16:09:34,730 ERROR [STDERR]  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
2019-04-04 16:09:34,731 ERROR [STDERR]  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
2019-04-04 16:09:34,732 ERROR [STDERR]  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
2019-04-04 16:09:34,734 ERROR [STDERR]  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
2019-04-04 16:09:34,735 ERROR [STDERR]  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
2019-04-04 16:09:34,736 ERROR [STDERR]  at mks.frame.server.services.PTCErrorReportValve.invoke(PTCErrorReportValve.java:108)
2019-04-04 16:09:34,741 ERROR [STDERR]  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
2019-04-04 16:09:34,742 ERROR [STDERR]  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
2019-04-04 16:09:34,743 ERROR [STDERR]  at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
2019-04-04 16:09:34,744 ERROR [STDERR]  at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
2019-04-04 16:09:34,745 ERROR [STDERR]  at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
2019-04-04 16:09:34,747 ERROR [STDERR]  at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1506)
2019-04-04 16:09:34,748 ERROR [STDERR]  at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
2019-04-04 16:09:34,749 ERROR [STDERR]  at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
2019-04-04 16:09:34,762 ERROR [STDERR]  at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
2019-04-04 16:09:34,764 ERROR [STDERR]  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
2019-04-04 16:09:34,765 ERROR [STDERR]  at java.base/java.lang.Thread.run(Thread.java:834)
2019-04-04 16:09:34,777 ERROR [mksis.IntegrityServer] * * * * ERROR * * * * (0): ilm-https-jsse-nio-443-exec-2: javax.servlet.ServletException -- javax.servlet.ServletException: Filter execution threw an exception
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)

Has anyone faced this issue and found a solution?
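The question's diagnosis is that the failure comes from code that relies on the JVM-wide default keystore type (KeyStore.getDefaultType(), which moved from JKS to PKCS12 in Java 9), and that the only workaround found so far changes that default for every application on the JDK. The following is an added example (not code from the question, the answer, or spring-security-saml) showing two ways to remove that dependency inside one application: loading the store by an explicit type and checking that it is actually initialized, and overriding keystore.type for the current JVM only. The store path, password and the CANDIDATE_TYPES list are assumptions; the class name and all helper methods are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example; not part of the question, the answer or spring-security-saml.
 * Loads a keystore by an explicit type instead of relying on KeyStore.getDefaultType(),
 * whose value changed from "jks" to "pkcs12" in Java 9. A store whose load() never
 * completed is exactly what KeyStore.aliases() rejects with "Uninitialized keystore",
 * the first frame in the question's stack trace.
 */
public final class ExplicitKeyStoreLoader {

    /** Formats to try, in order. Assumed: the application's stores are JKS or PKCS12. */
    private static final List<String> CANDIDATE_TYPES = List.of("jks", "pkcs12");

    private ExplicitKeyStoreLoader() {}

    /**
     * Returns an initialized KeyStore for the file at {@code path}, or throws; it never
     * hands back an uninitialized store. On JDK 9+ with keystore.type.compat=true (the
     * shipped default) the "jks" implementation also parses PKCS12 files, so the first
     * attempt usually succeeds; the loop keeps this working when that switch is off.
     */
    public static KeyStore load(Path path, char[] password) throws IOException, GeneralSecurityException {
        IOException last = null;
        for (String type : CANDIDATE_TYPES) {
            KeyStore ks = KeyStore.getInstance(type);
            try (InputStream in = Files.newInputStream(path)) {
                ks.load(in, password); // initializes the store; IOException on wrong format or password
                ks.aliases();          // would throw KeyStoreException if load() had not run
                return ks;
            } catch (IOException e) {
                last = e;              // wrong format for this type: try the next one
            }
        }
        throw new IOException("Keystore " + path + " could not be read as any of " + CANDIDATE_TYPES, last);
    }

    /** True only if the store has been loaded; this is the check that failed in the trace. */
    public static boolean isInitialized(KeyStore ks) {
        try {
            ks.aliases();
            return true;
        } catch (KeyStoreException e) {
            return false;
        }
    }

    /** Alias and subject DN of every X.509 certificate entry, to confirm the right store was opened. */
    public static List<String> certificateSubjects(KeyStore ks) throws KeyStoreException {
        List<String> subjects = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                subjects.add(alias + " -> " + ((X509Certificate) c).getSubjectX500Principal().getName());
            }
        }
        return subjects;
    }

    /**
     * Process-scoped alternative to editing <JAVA_HOME>/conf/security/java.security:
     * changes keystore.type for this JVM only, so other applications on the same JDK keep
     * the platform default. It must run before the affected library's static initializer
     * (TrustMaterial.<clinit> in the trace) first calls KeyStore.getDefaultType().
     */
    public static String overrideDefaultTypeForThisJvm(String type) {
        String previous = KeyStore.getDefaultType();
        Security.setProperty("keystore.type", type);
        return previous;
    }

    public static void main(String[] args) throws Exception {
        // Assumed path and password; in the question's setup these come from properties.getStoreFile() etc.
        Path store = Path.of(args.length > 0 ? args[0] : "saml-keystore.jks");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        System.out.println("JVM default keystore type: " + KeyStore.getDefaultType());
        KeyStore ks = load(store, password);
        System.out.println("Loaded as " + ks.getType() + ", initialized=" + isInitialized(ks));
        certificateSubjects(ks).forEach(System.out::println);
    }
}
```

Running it with the SAML keystore prints which type actually parsed the file and the certificate subjects inside it, which is a quick way to tell a format mismatch from a wrong-password or wrong-file problem. overrideDefaultTypeForThisJvm() gives the same effect as the java.security workaround in the question, with the same value, but scoped to the one process, so other applications on the shared JDK are left alone.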

1 Answer

1 vote
/ April 17, 2019

I had the same problem.

Upgrade spring-security-saml2-core to version 1.0.9. They replaced Not-Yet-Commons-SSL with Not-Going-To-Be-Commons-SSL.

https://github.com/spring-projects/spring-security-saml/issues/263

...