问题描述
我正在测试一个使用spring-security-saml并使用KeyCloak作为身份验证提供程序的应用程序。默认情况下,KeyCloak可以在带有自签名证书的http和https上运行。
在https:// localhost:8543 / auth / realms / master / protocol / saml / descriptor的浏览器中通过https检索元数据时,它会正确返回以下内容:
<md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:Metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:Metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
<md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:Metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:Metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://localhost:8543/auth/realms/master">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:KeyName>phlmLKZ2YqrT_0hsZQYSpBPrZxPmgNdI3I2AmPQFjg8</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>MIICmzCCAYMCBgF05GlTszANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjAxMDAxMTM0NDAyWhcNMzAxMDAxMTM0NTQyWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYxMG75gqear+r+4fyvmyNSMcHzB46HRk7sNd0Y9LDbuUT24KoyBz5A0ln1WyvCszoxpKcuKMcwGUP+kszbo8D3FjH+2zET+KoilEzdbn3g0JP6K8BUPyOoBftmRCujaI/kEjya1AQzM44xvFPp6hFlsgiCqk6NJe8eWlRyv6/VE2MB+WSKq0OOtZz+PrMHvJC6R50xm4dlxLRCPXJ3HA9J78ghQTziPs69kCi90xsuYubX+qs8KfDPy1i8geZZM+PXQrPfM1BcAnwe7hUayqMLk5OeVrixm1KEZhqHMKaCXhDJE3uH4c++/TR++zIbdz2x15k24D569gxPSKlcYpjAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAB5SYnR0JFWMRE1qutLArc4NeD3DjbyBwvOZacslRz3T7paZe3O0SmKQGPkUyARrERvV01R8Q04OVuf+/UJ2fgYqRTthh5G0Y2qak9UL7oefrsuB15C4ZEjBJnoBZNzDXhmDYoOguxrxXMN9XPgJSO08+7l8nJE6V1cu4811+ksV67JaNkk6oU1V3/HU5+tRc2GpjiwO0qr4dKOGrrfRuRZ7BqzgLh/KcZOxvc5hbmxvtJrGh/xuuspAG/3akeEXTD754YLoZVFJTJOdXlbaBrfSvvIndV/gVfJyAavTGQBCcz+bucJ2ijNa394S36t5KrU9Hu4hXC0TgPbFPq7IrIk=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SinglelogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
<md:SinglelogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://localhost:8543/auth/realms/master/protocol/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
</md:EntitiesDescriptor>
当我为应用程序提供相同的元数据位置时,它最终尝试将我发送到不带端口8543的URL,即使该端口位于上述所有位置上也是如此:
https:// localhost / auth / realms / master / protocol / saml
调试到OpenSAML代码后,端口似乎从AbstractMetadataProvider的第460行返回,解析原始IDP元数据后,似乎丢失了端口:
protected XMLObject unmarshallMetadata(InputStream MetadataInput) throws UnmarshallingException {
try {
log.trace("Parsing retrieved Metadata into a DOM object");
Document mdDocument = parser.parse(MetadataInput);
有什么方法可以控制它并使它遵守元数据xml中的端口?
解决方法
进一步调试后,HTTPMetadataProvider获得的原始响应中也没有该端口。
事实证明,该问题是由于HttpClient的配置错误而导致的,该HttpClient未在主机标头中发送端口,因此Keycloak没有响应端口。