Spring SAML ADFS: java.security.InvalidKeyException

问题

I have the task to implement a accessibility to an Active Directory Federation Services (SSL) with a LDAP behind. At first I have to to say that my experience in ADFS and SAML is very small. I have decide to take the Spring Security SAML Extension to implement this feature. I download and install the SAML extension for the Spring Security project from GIThub: https://github.com/spring-projects/spring-security-saml

I found in the official documentation http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/ under point "6. IDP integration guide" the instructions which I have all done.

• I download the metadata from the ADFS-Server
• I stored the downloaded metadata under saml2-sample/WEB-INF/src/main/resources/security/FederationMetadata.xml and enhance securityContext.xml how it is described
• After starting the web application the system generate automatically the metadata document
• I create a metadata.xml and gave it to the system administrator of the ADFS-server
• The system administrator make the rest of the points done.

After this I wanted test the Login. After I select the IDP and click at the Login-Button, I was asked for the credentials. After transmit the credentials I get the following result / exception:

- Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
- SAML protocol message was not signed, skipping XML signature processing
- Successfully decoded message.
- Checking SAML message intended destination endpoint against receiver endpoint
- Intended message destination endpoint: ........
- Actual message receiver endpoint: ........
- SAML message intended destination endpoint matched recipient endpoint
- Verifying issuer of the message
- Decrypting assertion
- Getting key iterator from next resolver: class org.opensaml.xml.encryption.InlineEncryptedKeyResolver
- Found matching encrypted key: org.opensaml.xml.encryption.impl.EncryptedKeyImpl@78f5b81e
- Added decryption key algorithm criteria: RSA
- Error decrypting the encrypted data element
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
Original Exception was java.security.InvalidKeyException: Illegal key size
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(Unknown Source)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:574)
    at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:763)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:513)
    at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:440)
    at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:401)
    at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141)
    at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:190)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:81)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:724)

Can anybody help me with this problem?

Best Regards Thomas

回答1:

This is probably caused by the initially limited cryptographic capabilities of Java. The documentation of the Spring Securtiy SAML extension, might give one a hit with this issue:

Due to US export limitations Java JDK comes with a limited set of cryptography capabilities. Usage of the SAML Extension might require installation of the Unlimited Strength Jurisdiction Policy Files which removes these limitations.

You can pick up the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from http://www.oracle.com/technetwork/java/javase/downloads/index.html - this should solve the issue.

回答2:

This is probably because the key you generated was too small - try the

-keysize 2048

parameter in the keytool command.

来源：https://stackoverflow.com/questions/18893568/spring-saml-adfs-java-security-invalidkeyexception