
Ich benutze Grails 2.5.6 und versuche, SAML mit dem Plugin zu konfigurieren (Grails 2.5.6 und SAML 2.0).

Ich kann den SAML-Login aufrufen, aber nach dem Login bekomme ich eine leere Seite mit einem Redirect-Loop.

BuildConfig:

dependencies{
    /*...*/
    // Spring Security SAML extension. export = false keeps it out of the exported dependency
    // set — presumably copied from the plugin's own BuildConfig; verify it is wanted for an app.
    compile('org.springframework.security.extensions:spring-security-saml2-core:1.0.2.RELEASE'){
     export = false
    }

    // Spring Security core/web pinned explicitly; the answer below explains this overrides the
    // older version the SAML plugin pulls in transitively. NOTE(review): 3.2.x and saml2-core
    // 1.0.x are old release lines — check them against an advisory database before reuse.
    compile('org.springframework.security:spring-security-core:3.2.9.RELEASE')
    compile('org.springframework.security:spring-security-web:3.2.9.RELEASE')
}

plugins{
    /*...*/
    // Grails plugins: the core security plugin plus its SAML add-on (same 2.0.0 line for both).
    compile ":spring-security-core:2.0.0"
    compile ":spring-security-saml:2.0.0"
}

Config:

// Domain classes backing the security model: user, user<->role join, role, and the Requestmap rows.
grails.plugin.springsecurity.userLookup.userDomainClassName = "de.streit.user.User"
grails.plugin.springsecurity.userLookup.authorityJoinClassName = "de.streit.security.UserRole"
grails.plugin.springsecurity.authority.className = "de.streit.security.Role"
grails.plugin.springsecurity.requestMap.className = 'de.streit.security.Requestmap'
// URL -> role rules are read from the Requestmap table, so the SAML endpoints (and, with the
// switch-user filter enabled below, the switch-user URLs) need rows there. NOTE(review): an
// unmapped URL is decided by the plugin's rejectIfNoRule setting — confirm its value in this app.
grails.plugin.springsecurity.securityConfigType = 'Requestmap'
grails.plugin.springsecurity.authenticationFailureUrl = '/login/authfail?login_error=1'

// Define the authentication providers
// Only the SAML provider is listed, so no password-based provider is active.
grails.plugin.springsecurity.providerNames = ["samlAuthenticationProvider"]
// Enables the switch-user (impersonation) filter. NOTE(review): impersonation is a privileged
// operation — restrict the switch-user URL in the Requestmap to the role the plugin requires
// for it (ROLE_SWITCH_USER by default) and make sure switches are logged.
grails.plugin.springsecurity.useSwitchUserFilter = true

//SAML
grails.plugin.springsecurity.saml.active = true
// IdP metadata files keyed by provider id; 'idp' is the key defaultIdp refers to.
grails.plugin.springsecurity.saml.metadata.providers = [idp: 'security/idp.xml']
grails.plugin.springsecurity.saml.metadata.defaultIdp = 'idp'
// Keystore aliases for request signing, assertion decryption and (presumably) TLS client auth,
// plus the SP alias. NOTE(review): the alias is a full URL here; the answer below reports that a
// URL-shaped alias did not work and uses a plain 'localhost:dev:<app>' alias instead.
grails.plugin.springsecurity.saml.metadata.sp.defaults = [
    signingKey: 'estar',
    encryptionKey: 'estar',
    tlsKey: 'estar',
    alias  : 'http://localhost:8080/Organisationsportal'
]

SP.XML:

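<?xml version="1.0" encoding="UTF-8"?>
<!-- sp.xml: SAML 2.0 metadata of the local SP. entityID is the app's base URL on localhost; every
     endpoint below is a localhost URL too, so this file is for local development only.
     The pasted listing never closed md:EntityDescriptor; the closing tag is added at the end. -->
<md:EntityDescriptor entityID="http://localhost:8080/Organisationsportal" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<!-- AuthnRequestsSigned="true": outgoing AuthnRequests are signed with the 'signing' key below.
     WantAssertionsSigned="false": the SP does not demand signed assertions from the IdP.
     NOTE(review): with this set to false an assertion is only as trustworthy as whatever signature
     the IdP puts on the enclosing Response — confirm the IdP signs, and prefer "true" if it can. -->
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
     <!-- IdP-discovery response endpoint; points at the plugin's login/auth URL. -->
     <idpdisco:DiscoveryResponse xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Location="http://localhost:8080/Organisationsportal/spring-security-saml/login/auth"/>
    </md:Extensions>
    <!-- Signing certificate. The pasted Base64 decodes to a self-signed DSA/SHA-1 certificate
         (CN=feroz, O=burb) valid 2011-10-07 to 2012-01-05 — long expired and apparently a demo
         certificate. NOTE(review): generate your own keystore (the 'estar' alias in Config) before
         this SP talks to any IdP outside localhost; the same certificate is reused for encryption below. -->
    <md:KeyDescriptor use="signing">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
       <ds:X509Certificate>
        MIIC9jCCArSgAwIBAgIETo67pDALBgcqhkjOOAQDBQAwXjELMAkGA1UEBhMCVUsxEDAOBgNVBAgT
        B1Vua25vd24xDzANBgNVBAcTBmxvbmRvbjENMAsGA1UEChMEYnVyYjENMAsGA1UECxMEYnVyYjEO
        MAwGA1UEAxMFZmVyb3owHhcNMTExMDA3MDg0MzE2WhcNMTIwMTA1MDg0MzE2WjBeMQswCQYDVQQG
        EwJVSzEQMA4GA1UECBMHVW5rbm93bjEPMA0GA1UEBxMGbG9uZG9uMQ0wCwYDVQQKEwRidXJiMQ0w
        CwYDVQQLEwRidXJiMQ4wDAYDVQQDEwVmZXJvejCCAbgwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OB
        HXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/y
        ZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq
        7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7
        +jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCjrh4r
        s6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqA4GFAAKB
        gQDKBDz1DFPPmmWp9n1FskJOev7CnnVFsKji1NLUDdifvS+uW+cnvnDfD3yPdxzUeknCrPTBRp+B
        IvYUvLQ57LMIuLgKQ12RujGl0Oz9JbFMAHuBV2I/7ZykzGQPysSEqKCqG+kDc8VZ4AfIf/S8YnQk
        xqdWQ5jLTIzXvcWd0WEYbDALBgcqhkjOOAQDBQADLwAwLAIUGP/oZpi79ZM1793XzZvnmrnmz5gC
        FBm4bDN8h/0hAa83jaD8joLr098I
       </ds:X509Certificate>
      </ds:X509Data>
     </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Encryption certificate: byte-for-byte the same certificate as the signing one above. -->
    <md:KeyDescriptor use="encryption">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
       <ds:X509Certificate>
        MIIC9jCCArSgAwIBAgIETo67pDALBgcqhkjOOAQDBQAwXjELMAkGA1UEBhMCVUsxEDAOBgNVBAgT
        B1Vua25vd24xDzANBgNVBAcTBmxvbmRvbjENMAsGA1UEChMEYnVyYjENMAsGA1UECxMEYnVyYjEO
        MAwGA1UEAxMFZmVyb3owHhcNMTExMDA3MDg0MzE2WhcNMTIwMTA1MDg0MzE2WjBeMQswCQYDVQQG
        EwJVSzEQMA4GA1UECBMHVW5rbm93bjEPMA0GA1UEBxMGbG9uZG9uMQ0wCwYDVQQKEwRidXJiMQ0w
        CwYDVQQLEwRidXJiMQ4wDAYDVQQDEwVmZXJvejCCAbgwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OB
        HXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/y
        ZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq
        7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7
        +jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCjrh4r
        s6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqA4GFAAKB
        gQDKBDz1DFPPmmWp9n1FskJOev7CnnVFsKji1NLUDdifvS+uW+cnvnDfD3yPdxzUeknCrPTBRp+B
        IvYUvLQ57LMIuLgKQ12RujGl0Oz9JbFMAHuBV2I/7ZykzGQPysSEqKCqG+kDc8VZ4AfIf/S8YnQk
        xqdWQ5jLTIzXvcWd0WEYbDALBgcqhkjOOAQDBQADLwAwLAIUGP/oZpi79ZM1793XzZvnmrnmz5gC
        FBm4bDN8h/0hAa83jaD8joLr098I
       </ds:X509Certificate>
      </ds:X509Data>
     </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Single-logout endpoints (POST, Redirect, SOAP) all share one URL. NOTE(review): the answer
         below sets logout.filterProcessesUrl = "/saml/SingleLogout"; confirm that the path the
         filter actually listens on matches the Location advertised here. -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/Organisationsportal/spring-security-saml/saml/SingleLogout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/Organisationsportal/spring-security-saml/saml/SingleLogout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:8080/Organisationsportal/spring-security-saml/saml/SingleLogout"/>
    <!-- NameID formats the SP accepts; the IdP metadata below offers only 'transient'. -->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <!-- Assertion consumer endpoints: HTTP-POST is the default; Artifact and PAOS share the same URL.
         These receive the SAML response, so outside local development they must be https. -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/Organisationsportal/spring-security-saml/saml/SSO" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://localhost:8080/Organisationsportal/spring-security-saml/saml/SSO" index="1" isDefault="false"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://localhost:8080/Organisationsportal/spring-security-saml/saml/SSO" index="2" isDefault="false"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>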

idp.xml:

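<?xml version="1.0"?>
<!-- idp.xml: metadata of the remote IdP, loaded via metadata.providers = [idp: 'security/idp.xml'].
     NOTE(review): entityID is identical to the SP's own entityID in sp.xml. Unless that is an
     anonymisation artefact, the IdP needs its own entityID — local SP and remote IdP are told
     apart by entityID, and two descriptors sharing one value are ambiguous.
     The pasted listing never closed md:EntityDescriptor; the closing tag is added at the end. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8080/Organisationsportal" cacheDuration="PT1440M" ID="XpK4KzotwbSFUKx.-NtBzfGDWti">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Certificate the SP trusts for the IdP's signatures. The pasted Base64 decodes to a
         sha1WithRSA certificate with CN=Config Signing Cert, OU=Ping, valid 2008-10-21 to
         2013-10-20 — expired. NOTE(review): the CN suggests a configuration-signing certificate
         rather than the assertion-signing one; verify against the IdP's published metadata, and
         check how the library treats an expired trust certificate — TODO confirm. -->
    <md:KeyDescriptor use="signing">
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
       <ds:X509Certificate>
        MIICRTCCAa6gAwIBAgIGAR0gYMbwMA0GCSqGSIb3DQEBBQUAMGYxCzAJBgNVBAYTAlVTMQswCQYD
        VQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMQwwCgYDVQQKEwNEZXYxDTALBgNVBAsTBFBpbmcxHDAa
        BgNVBAMTE0NvbmZpZyBTaWduaW5nIENlcnQwHhcNMDgxMDIxMTcwODEyWhcNMTMxMDIwMTcwODEy
        WjBmMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ08xDzANBgNVBAcTBkRlbnZlcjEMMAoGA1UEChMD
        RGV2MQ0wCwYDVQQLEwRQaW5nMRwwGgYDVQQDExNDb25maWcgU2lnbmluZyBDZXJ0MIGfMA0GCSqG
        SIb3DQEBAQUAA4GNADCBiQKBgQDQeOdW6I2hyXCQn0X/+8/BzLfRfdy1kN54lmVauYEpaPHQo7by
        gPPRPUTDC3LgJGfk4NWkPaM+EOeLzuVw9rbD3gjfsex6hUElkvUzPqXqNN3sq/2hm+FJup+GakE9
        WCoEP5sGvlJshH00a4MSzjGTBBqqjsXaWDZ7Sy9UAGw5BQIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
        AKSNMImzVs7L+tfortt7RBFMzc/JLE8qnulY32FrWA3ZLrD+08EBeIp1iwdJ8AGpii3SFV3oV3xu
        92Qy2WqsBwj1erYdKW5mrfAbThkwL5N7jRsjJyXnIcx3IBvRD+O+LIDHck0cSgmN14ghleeslx0Q
        15kyBdoxbv6pR0k4xOaF
       </ds:X509Certificate>
      </ds:X509Data>
     </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Location="*1" is a redaction by the author (see the note below the listing). The real values
         are the IdP's SSO and SLO endpoints the browser is redirected to; they should be https. -->
    <md:SingleSignOnService Location="*1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleLogoutService Location="*1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <!-- The IdP offers only transient NameIDs; the SP lists transient among its accepted formats. -->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
</md:IDPSSODescriptor>
</md:EntityDescriptor>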

*1: Diese Werte habe ich entfernt, weil sie von meiner Firma stammen.

Ich weiß nicht, was mir fehlt.

Ich definiere in resources.groovy eine Bean für den userDetailsService, aber Spring weiß nicht, dass ich eingeloggt bin.

Danke

Marvin THOR

Antwort


Ich konnte die Probleme lösen, die ich hatte.
Ich schreibe meine Lösung hier auf.
resources.groovy

// Replaces the plugin's userDetailsService bean with the app's own SAML-aware implementation.
userDetailsService(OwnSpringSamlUserDetailsService){
samlUserService = ref("samlUserService") // the app's own service, not part of the plugin
    grailsApplication = ref("grailsApplication")
}

// Replaces the plugin's springSecurityService bean (the note below explains that the SAML
// plugin overrides getCurrentUser). The collaborators wired here presumably mirror the
// plugin's own bean definition — TODO confirm against the plugin version in use.
springSecurityService(OwnSpringSecurityService){
config = SpringSecurityUtils.securityConfig
authenticationTrustResolver = ref('authenticationTrustResolver')
    grailsApplication = ref('grailsApplication')
    passwordEncoder = ref('passwordEncoder')
    objectDefinitionSource = ref('objectDefinitionSource')
    userDetailsService = ref('userDetailsService')
    userCache = ref('userCache')
}

Das Problem hierbei ist, dass Spring SAML die Methode getCurrentUser überschreibt.

BuildConfig.groovy

dependencies{
    //SAML
    // Spring Security SAML extension; export = false keeps it out of the exported dependency set.
    compile('org.springframework.security.extensions:spring-security-saml2-core:1.0.2.RELEASE'){
     export = false
    }

    // Spring Security core/web pinned to 3.2.9 to override the older version the SAML plugin
    // brings in (see the note below). NOTE(review): both are old release lines — check them
    // against an advisory database before reuse.
    compile('org.springframework.security:spring-security-core:3.2.9.RELEASE')
    compile('org.springframework.security:spring-security-web:3.2.9.RELEASE')
}

plugins{
    // Core security plugin plus its SAML add-on, both on the 2.0.0 line.
    compile ":spring-security-core:2.0.0"
    compile ":spring-security-saml:2.0.0"
}

Das SAML-Plugin verwendet eine alte Version von Spring Security Core, daher binde ich die Version 3.2.9 ein, damit es funktioniert.

Config.groovy

// Logout requests are processed at the SAML single-logout path instead of the plugin's default.
// NOTE(review): confirm this path matches the SingleLogoutService Location advertised in sp.xml.
grails.plugin.springsecurity.logout.filterProcessesUrl = "/saml/SingleLogout"

// Define the authentication providers
// Only the SAML provider is listed, so no password-based provider is active.
grails.plugin.springsecurity.providerNames = ["samlAuthenticationProvider"]

//SAML
// SP identity: a plain (non-URL) alias plus the base URL the SP endpoints are derived from.
// NOTE(review): use an https base URL outside local development — the endpoints built from
// it are the ones that receive the SAML response.
grails.plugin.springsecurity.saml.metadata.sp.defaults = [
     alias : 'localhost:dev:YOUR-APPNAME',
     entityBaseURL: 'http://localhost:8080/YOUR-APPNAME'
]
// Placeholder — set to the value your deployment uses.
grails.plugin.springsecurity.saml.metadata.url = "YOUR-METADATA-URL"
// IdP metadata is now keyed 'ping' (it was 'idp' in the question). NOTE(review): if
// metadata.defaultIdp is still set to 'idp' elsewhere in Config, it must point at 'ping'.
grails.plugin.springsecurity.saml.metadata.providers = ['ping': 'security/idp.xml']

Sie müssen den Alias für die sp.xml setzen. Bei mir hat ein Alias in URL-Form nicht funktioniert.

UrlMapping.groovy

//SAML
// Routes the app's logout link to the logout controller; the SAML single logout itself is
// presumably handled by the filter at logout.filterProcessesUrl — TODO confirm.
"/saml/logout"(controller: 'logout', action: 'index')

Dieses UrlMapping habe ich für den Logout hinzugefügt.

Für die sp.xml habe ich das generierte XML verwendet, aber die entityID geändert zu:
localhost:dev:DEINE-APPNAME