Configure Spring Security SAML to use SHA-256 as secure hash algorithm
I am working on the integration between Spring SAML and Microsoft ADFS 3.0. Even though the documentation of Spring SAML already states:

    Open the provider by double-clicking it, select tab Advanced and change "Secure hash algorithm" to SHA-1

as far as I know, Spring SAML currently only supports SHA-1 as the hash algorithm, but my requirement is to use SHA-256. If I try to configure SHA-256 only in ADFS, it does not work. I guess I have to do something on the Spring SAML side. Do you know how?
You should configure the Spring Security configuration to use the SHA-256 signature algorithm.
You can override SAMLBootstrap or configure an initializing bean like this:
Spring configuration:

    <bean id="samlProperties" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="location" value="classpath:saml.properties" />
    </bean>

    <bean class="your.package.SAMLConfigurationBean">
        <property name="signatureAlgorithm" value="${saml.signatureAlgorithm:SHA1}" />
    </bean>
Properties file (saml.properties):

    saml.signatureAlgorithm=SHA256
Initializing bean:

    package your.package;

    import org.opensaml.Configuration;
    import org.opensaml.xml.security.BasicSecurityConfiguration;
    import org.opensaml.xml.signature.SignatureConstants;
    import org.springframework.beans.factory.InitializingBean;

    public class SAMLConfigurationBean implements InitializingBean {

        private String signatureAlgorithm;
        private String digestAlgorithm;

        // Maps the short name from saml.properties to the XML Signature algorithm URIs.
        // Signature and digest algorithms are switched together so that both the
        // <SignatureMethod> and the <DigestMethod> of the produced signature use SHA-256/SHA-512.
        public void setSignatureAlgorithm(String algorithm) {
            switch (algorithm) {
                case "SHA256":
                    signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
                    digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA256;
                    break;
                case "SHA512":
                    signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512;
                    digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA512;
                    break;
                default:
                    // Unknown or absent value falls back to Spring SAML's default of SHA-1.
                    signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
                    digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA1;
            }
        }

        @Override
        public void afterPropertiesSet() throws Exception {
            // SAMLBootstrap (a BeanFactoryPostProcessor) has already bootstrapped OpenSAML by the
            // time regular beans are initialized, so the global security configuration is non-null here.
            BasicSecurityConfiguration config =
                    (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
            config.registerSignatureAlgorithmURI("RSA", signatureAlgorithm);
            config.setSignatureReferenceDigestMethod(digestAlgorithm);
        }
    }
You can also skip the configurable part and just settle for this:

Initializing bean:

    package your.package;

    import org.opensaml.Configuration;
    import org.opensaml.xml.security.BasicSecurityConfiguration;
    import org.opensaml.xml.signature.SignatureConstants;
    import org.springframework.beans.factory.InitializingBean;

    public class SAMLConfigurationBean implements InitializingBean {

        @Override
        public void afterPropertiesSet() throws Exception {
            // Hard-wire RSA-SHA256 for the signature and SHA-256 for the reference digests.
            BasicSecurityConfiguration config =
                    (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
            config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
            config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
        }
    }
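The SAMLBootstrap override that the answer mentions but does not show, as an added example that is not part of the original answer. The package and class name are assumptions; the rest uses the same OpenSAML calls as the beans above, run from the bootstrap post-processor so the SHA-256 settings are in place before any other bean can sign or verify a message.

```java
package your.package; // assumed package, as in the answer's own example

import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.saml.SAMLBootstrap;

/**
 * Drop-in replacement for Spring SAML's SAMLBootstrap that switches the
 * signing and digest algorithms to SHA-256 right after OpenSAML is bootstrapped.
 *
 * Register it instead of the stock bootstrap in the Spring XML configuration:
 *
 *   <bean class="your.package.SHA256SAMLBootstrap"/>
 *
 * (replacing <bean class="org.springframework.security.saml.SAMLBootstrap"/>).
 */
public class SHA256SAMLBootstrap extends SAMLBootstrap {

    @Override
    public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
        // Let the stock bootstrap initialise OpenSAML first; without this call
        // getGlobalSecurityConfiguration() would still be null.
        super.postProcessBeanFactory(beanFactory);

        BasicSecurityConfiguration config =
                (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();

        // Algorithm used for <ds:SignatureMethod> when signing with an RSA key.
        config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);

        // Algorithm used for <ds:DigestMethod> inside each <ds:Reference>.
        config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
    }
}
```

Because a BeanFactoryPostProcessor runs before ordinary beans are created, this variant does not depend on bean initialisation order, which is the main practical difference from the InitializingBean approach.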
I suggest looking at this GitHub sample project: https://github.com/choonchernlim/spring-security-adfs-saml2
It provides ADFS-specific configuration information and details on how to enable SHA-256 signing.