OpenSAML2.X 在SSO系统中的应用

背景

年底的时候有机会开发一个SPA（单页面应用）的项目，那时候须要用到票据的方式能够用Cookie的方式来登录。当是想到了OpenID或者是CAS的方式来做统一认证中心。后来一个安全界的大牛推荐让我用SAML，就走上了一条SAML路。后来因为个人原因离开了那个SPA项目，离开的时候SAML还没有開始做，仅仅是大致上了解一些，后来在工作之余还是把OpenSAML2.X 完好成项目。

项目地址：https://github.com/MrsSunny/SSO-OpenSAML

项目介绍

OpenSAML在网上的资料也不是非常多。在国内用到的应该也不是非常多，自己摸索着做了一下，有可能自己对OpenSAML的理解不够到位
有一起研究的同学发邮箱到liuzhenx@hotmail.com一起学习。假设有错误的地方欢迎指正。 非常感谢。

项目准备

安装Java
安装Maven
安装Eclipse

Maven 配置

配置OpenSAML 依赖
(详细的maven配置能够參考我GitHub上的项目)

<dependency>
    <groupId>org.opensaml</groupId>
    <artifactId>opensaml</artifactId>
    <version>2.6.4</version>
</dependency>

使用方式

OpenSAML提供了几种方式来实现SSO之间SAML传输数据。本文主要对HTTP Artifact Binding 做个简介

项目流程

1.用户訪问SP的受保护资源
2.SP检查是否实用户的Session。假设用则直接訪问
3.假设没有Session上下文SP随机生成Artifact，并生成AuthnRequest
假设在Cookie中发现票据信息，把票据信息放到AuthnRequest其中
4.SP建立Artifact与AuthnRequest的关联信息
5.SP重定向到IDP的接受Artifact接口，用Get方式发送Artifact，和SP在IDP中的注冊ID
6.IDP接受Artifact。然后用HTTP POST方式来请求SP的getAuthnRequest接口(參数为Artifact)
7.SP 接受到IDP传过来的Artifact ，依据Artifact 把关联的AuthnRequest返回给IDP
8.IDP接受到getAuthnRequest然后来验证AuthnRequest的有效性，检查 Status Version 等信息。假设Cookie中的票据不为空，则检查票据是否正确。是否在有效期内。假设票据为空，则重定向用户到登录页面来提交信息。
9.假设票据正确或者用户通过输入usernamepassword等信息通过验证。则IDP生成Artifact对象，IDP生成Response对象，并依据用户信息生成断言，同一时候对Response 中的 断言做签名处理，对票据对象做加密和签名处理，并把票据信息写入Cookie，并建立Artifact与Response的关联关系，并重定向浏览器到SP的getArtifact接口
10. SP 接受到Artifact，并通过HTTP POST的方式把Artifact发送到IDP
11. IDP通过Artifact找到关联的Response对象返回给SP
12.SP接受到IDP传输过来的Response对象。首先对Response中的断言做验签操作。假设通过，则允许用户訪问资源。

⚠️：事实上对于SP和IDP而言重要的信息事实上是AuthnRequest和Response。仅仅只是每次传输到浏览器的时候都是传递的是各自的引用，然后SP和IDP再更具饮用来获取 真实的数据。

这样做安全性可能更高一点，可是添加了SP和IDP之间的通信。

⚠️：其中用到的证书都是自己用OpenSSL自己制定。

參考地址：http://blog.csdn.net/howeverpf/article/details/21622545

SP端发送Artifact的JSP页面

<body>
    <form action="<%=SysConstants.IDPRECEIVESPARTIFACT_URL%>" method="get" name = "autoForm">
        <input type="hidden" name="artifact" value="<%=request.getAttribute(SysConstants.ARTIFACT_KEY)%>" />
        <input type="hidden" name="token" value="<%=request.getAttribute(SysConstants.TOKEN_KEY)%>" />
    </form>
</body>
<script type="text/javascript">
    document.autoForm.submit();
</script>

IDP 端接收Artifact的代码

    // 获取Artifact
    String artifactBase64 = request.getParameter(SysConstants.ARTIFACT_KEY);
    if (null == artifactBase64) {
      throw new RuntimeException("SP端传递的Artifact參数错误，该參数不可为空");
    }
    final ArtifactResolve artifactResolve = samlService.buildArtifactResolve();
    final Artifact artifact = (Artifact) samlService.buildStringToXMLObject(artifactBase64);
    artifactResolve.setArtifact(artifact);
    // 对artifactResolve对象进行签名操作
    samlService.signXMLObject(artifactResolve);
    String artifactParam = samlService.buildXMLObjectToString(artifactResolve);
    String postResult = null;
    //依据Artifact信息从SP中获取Auth Request信息
    try {
      postResult = HttpUtil.doPost(SysConstants.SP_ARTIFACT_RESOLUTION_SERVICE, artifactParam);
    } catch (Exception e) {
      throw new RuntimeException("訪问SP端的：" + SysConstants.SP_ARTIFACT_RESOLUTION_SERVICE + "服务错误" + e.getMessage());
    }
    if (null == postResult || "".equals(postResult)) {
      return "redirect:/loginPage";
    }
    final ArtifactResponse artifactResponse = (ArtifactResponse) samlService.buildStringToXMLObject(postResult);
    final Status status = artifactResponse.getStatus();
    if (null == status) {
      throw new RuntimeException("client的Status不能为空");
    }
    StatusCode statusCode = status.getStatusCode();
    if (null == statusCode) {
      throw new RuntimeException("无法获取statusCode");
    }
    String codeValue = statusCode.getValue();
    // 推断SAML的StatusCode
    if (codeValue == null || !codeValue.equals(StatusCode.SUCCESS_URI)) {
      throw new RuntimeException("无法获取codeValue， 认证失败， SP端数据错误");
    }
    final String inResponseTo = artifactResponse.getInResponseTo();
    final String artifactResolveID = artifactResolve.getID();
    if (null == inResponseTo || !inResponseTo.equals(artifactResolveID)) {
      logger.error("artifact的值和接收端的inResponseTo的值不一致。认证错误");
      throw new RuntimeException("artifact的值和接收端的inResponseTo的值不一致，认证错误");
    }
    final AuthnRequest authnRequest = (AuthnRequest) artifactResponse.getMessage();
    if (authnRequest == null) {
      throw new RuntimeException("无法获取AuthRequest数据。认证错误");
    }
    // 获取SP的消费URL。下一步回调须要用到
    final String customerServiceUrl = authnRequest.getAssertionConsumerServiceURL();
    if (null == customerServiceUrl) {
      throw new RuntimeException("无法获取customerServiceUrl，SP端数据错误");
    }
    request.setAttribute(SysConstants.ACTION_KEY, customerServiceUrl);
    HttpSession session = request.getSession(false);
    session.setAttribute(SysConstants.ACTION_KEY, customerServiceUrl);
    final SAMLVersion samlVersion = authnRequest.getVersion();

    // 推断版本号是否支持
    if (null == samlVersion || !SAMLVersion.VERSION_20.equals(samlVersion)) {
      throw new RuntimeException("SAML版本号错误，仅仅支持2.0");
    }

    final Issuer issuer = authnRequest.getIssuer();
    final String appName = issuer.getValue();

    // 推断issure的里面的值是否在SSO系统中注冊过
    final App app = appService.findAppByAppName(appName.trim());
    if (app == null) {
      throw new RuntimeException("不支持当前系统: " + appName);
    }

    Subject subject = authnRequest.getSubject();
    NameID nameID = subject.getNameID();
    String ticket = nameID.getValue();
    if ("".equals(ticket) || null == ticket) {
      return "redirect:/loginPage";
    }
    try {
      ticket = URLDecoder.decode(ticket, SysConstants.CHARSET);
    } catch (UnsupportedEncodingException e) {
      e.printStackTrace();
    }
    /**
     * 解密ticket
     */
    PrivateKey privateKey = samlService.getRSAPrivateKey();
    String[] afterDecode = null;
    try {
      byte[] ticketArray = Base64.decode(ticket);
      byte[] decryptTicketArray = RSACoder.INSTANCE.decryptByPrivateKey(privateKey, ticketArray);
      String decryptTicket = new String(decryptTicketArray);
      afterDecode = decryptTicket.split(SysConstants.TICKET_SPILT);
    } catch (Exception e) {
      return "redirect:/loginPage";
    }
    logger.debug("Ticket验证痛过");
    // 推断令牌是否过期，假设令牌过期则直接
    if (afterDecode == null || afterDecode.length != 3) {
      return "redirect:/loginPage";
    }
    long expireTime = Long.parseLong(afterDecode[2]);
    long nowTime = System.currentTimeMillis();
    if (expireTime < nowTime) {
      logger.debug("Token已过期");
      return "redirect:/loginPage";
    }
    final Artifact idpArtifact = samlService.buildArtifact();
    final Response samlResponse = samlService.buildResponse(UUIDFactory.INSTANCE.getUUID());
    long id = Long.parseLong(afterDecode[0]);
    User user = new User();
    user.setId(id);
    user.setEmail(afterDecode[1]);
    samlService.addAttribute(samlResponse, user);
    SSOHelper.INSTANCE.put(idpArtifact.getArtifact(), samlResponse);
    request.setAttribute(SysConstants.ARTIFACT_KEY, samlService.buildXMLObjectToString(idpArtifact));
    return "/saml/idp/send_artifact_to_sp";

SP接受Artifact的代码

    String spArtifact = request.getParameter(SysConstants.ARTIFACT_KEY);
    if (null == spArtifact) {
      throw new RuntimeException("无法获取IDP端传过来的Artifact");
    }
    ArtifactResolve artifactResolve = samlService.buildArtifactResolve();
    Artifact artifact = (Artifact) samlService.buildStringToXMLObject(spArtifact);
    artifactResolve.setArtifact(artifact);
    samlService.signXMLObject(artifactResolve);
    String requestStr = samlService.buildXMLObjectToString(artifactResolve);
    String postResult = null;
    try {
      postResult = HttpUtil.doPost(SysConstants.IDP_ARTIFACT_RESOLUTION_SERVICE, requestStr);
    } catch (Exception e) {
      e.printStackTrace();
      logger.error("訪问IDP的" + SysConstants.IDP_ARTIFACT_RESOLUTION_SERVICE + "服务错误");
    }
    if (null == postResult) {
      throw new RuntimeException("从" + SysConstants.IDP_ARTIFACT_RESOLUTION_SERVICE + "服务获取的数据为空，请检查IDP端数据格式");
    }
    ArtifactResponse artifactResponse = (ArtifactResponse) samlService.buildStringToXMLObject(postResult);
    SAMLObject samlObject = artifactResponse.getMessage();
    if (null == samlObject) {
      throw new RuntimeException("无法获取Response信息");
    }
    Response samlResponse = (Response) samlObject;
    List<Assertion> assertions = samlResponse.getAssertions();
    if (null == assertions || assertions.size() == 0) {
      throw new RuntimeException("无法获取断言，请又一次发起请求！！
！
");
    }
    Assertion assertion = samlResponse.getAssertions().get(0);
    if (assertion == null) {
      request.setAttribute(SysConstants.ERROR_LOGIN, true);
    } else {
      /**
       * 验证签名
       */
      boolean signSuccess = samlService.validate(assertion);
      if (!signSuccess) {
        throw new RuntimeException("验证签名错误");
      }
      HttpSession session = request.getSession(false);
      List<AttributeStatement> arrtibuteStatements = assertion.getAttributeStatements();
      if (null == arrtibuteStatements || arrtibuteStatements.size() == 0) {
        throw new RuntimeException("无法获取属性列表。请又一次发起请求");
      }
      AttributeStatement attributeStatement = assertion.getAttributeStatements().get(0);
      List<Attribute> list = attributeStatement.getAttributes();
      if (null == list) {
        throw new RuntimeException("无法获取属性列表IDP端错误");
      }
      User user = new User();
      list.forEach(pereAttribute -> {
        String name = pereAttribute.getName();
        XSString value = (XSString) pereAttribute.getAttributeValues().get(0);
        String valueString = value.getValue();
        if (name.endsWith("Name")) {
          user.setName(valueString);
        } else if (name.equals("Id")) {
          user.setId(Long.parseLong(valueString));
        } else if (name.equals("LoginId")) {
          user.setLogin_id(valueString);
        } else if (name.equals("Email")) {
          user.setEmail(valueString);
        }
      });
      session.setAttribute(SysConstants.LOGIN_USER, user);
      putAuthnToSecuritySession("admin", "admin");
      request.setAttribute(SysConstants.ERROR_LOGIN, false);
    }

学习目标

感觉自己认识的不够全面，希望有同学一起研究一下，特别是SP端发送Auth Request的时候，应该带上什么数据，票据是否在这个阶段发送，以及怎么发送。有兴趣的同学能够把GitHub告诉我一起来完好这个项目。