Validate SAML Response
I have a SAML response and some other data. Based on this, I need to verify that the response has not been tampered with. How do I do that?
What do I have?
A SAML response with a signed message and assertion
IdP entity ID
SP EntityId
SP ACS endpoint
Destination URL
IdP certificate in X509 format.
Required language: JAVA
Found a solution. In case anyone is looking for one.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;

try (InputStream is = new FileInputStream("<CERTIFICATE FILE>")) { // the IdP's X.509 certificate
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = cf.generateCertificate(is);
X509Certificate x509Certificate = (X509Certificate) cert;
PublicKey pk = x509Certificate.getPublicKey();
// Wrap the IdP public key as an OpenSAML credential used for signature verification.
BasicX509Credential publicCredential = new BasicX509Credential();
publicCredential.setPublicKey(pk);
SignatureValidator signatureValidator = new SignatureValidator(publicCredential);
// obj is the XMLObject unmarshalled from the SAML message (see the next snippet).
SignableSAMLObject signableSAMLObject = (SignableSAMLObject) obj;
Signature signature = signableSAMLObject.getSignature();
signatureValidator.validate(signature); // throws ValidationException if the signature does not verify
} catch (Exception ex) {
// Signature invalid, message unsigned, or certificate unreadable: reject the response.
}
The XML object can be obtained from the SAML message with the unmarshaller as follows:
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Base64;
import org.opensaml.DefaultBootstrap;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.parse.BasicParserPool;
import org.w3c.dom.Document;

String encodedMessage = request.getParameter(PARAM_SAML); // request: the HttpServletRequest; PARAM_SAML: the binding parameter name
// Base64-decode (commons-codec) and decode the bytes as UTF-8 rather than the platform default charset.
String decodedMessage = new String(Base64.decodeBase64(encodedMessage), StandardCharsets.UTF_8);
DefaultBootstrap.bootstrap(); // initialises OpenSAML 2; do this once per JVM, not per request
BasicParserPool ppMgr = new BasicParserPool();
ppMgr.setNamespaceAware(true);
Document responseRoot = ppMgr.parse(new StringReader(decodedMessage));
UnmarshallerFactory unmarshallFactory = Configuration.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallFactory.getUnmarshaller(responseRoot.getDocumentElement());
XMLObject obj = unmarshaller.unmarshall(responseRoot.getDocumentElement());
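Verifying the signature alone does not check who signed it or for whom: the data listed in the question (IdP entity ID, SP entity ID, ACS URL) also has to be compared against the message. As an added example, not part of the original answer, the following uses the same OpenSAML 2 API to run the SAML signature profile check before the cryptographic check and then the Issuer, Destination, Status, Audience and Conditions checks. It assumes the unmarshalled object from the second snippet has been cast to Response, a plaintext (not encrypted) Assertion, and a Credential such as the BasicX509Credential from the first snippet; the class and method names are the example's own.

```java
import java.util.List;
import org.joda.time.DateTime;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public final class SamlResponseChecks {
    // Profile check first (one enveloped Reference to the parent element), then the cryptography.
    static void verifySignature(Signature sig, Credential idpCredential) throws ValidationException {
        if (sig == null) throw new ValidationException("missing Signature");
        new SAMLSignatureProfileValidator().validate(sig);
        new SignatureValidator(idpCredential).validate(sig);
    }
    // Rejects a Response not signed by the configured IdP, not addressed to this SP, unsuccessful,
    // or outside its validity window. 'now' is a parameter so the method can be unit-tested.
    public static void validate(Response response, Credential idpCredential, String idpEntityId,
                                String spEntityId, String acsUrl, DateTime now) throws ValidationException {
        verifySignature(response.getSignature(), idpCredential);
        if (response.getIssuer() == null || !idpEntityId.equals(response.getIssuer().getValue()))
            throw new ValidationException("Response Issuer is not the configured IdP");
        if (!acsUrl.equals(response.getDestination()))
            throw new ValidationException("Response Destination is not our ACS URL");
        if (!StatusCode.SUCCESS_URI.equals(response.getStatus().getStatusCode().getValue()))
            throw new ValidationException("Response status is not Success");
        List<Assertion> assertions = response.getAssertions();
        if (assertions.size() != 1) throw new ValidationException("expected exactly one Assertion");
        Assertion a = assertions.get(0);
        verifySignature(a.getSignature(), idpCredential); // the question states the Assertion is signed too
        if (a.getIssuer() == null || !idpEntityId.equals(a.getIssuer().getValue()))
            throw new ValidationException("Assertion Issuer is not the configured IdP");
        Conditions c = a.getConditions();
        if (c == null) throw new ValidationException("Assertion has no Conditions");
        if ((c.getNotBefore() != null && now.isBefore(c.getNotBefore()))
                || (c.getNotOnOrAfter() != null && !now.isBefore(c.getNotOnOrAfter())))
            throw new ValidationException("Assertion is outside its validity window");
        boolean audienceOk = false;
        for (AudienceRestriction ar : c.getAudienceRestrictions())
            for (Audience aud : ar.getAudiences())
                if (spEntityId.equals(aud.getAudienceURI())) audienceOk = true;
        if (!audienceOk) throw new ValidationException("SP entity ID is not an allowed Audience");
    }
}
```

Call validate(...) inside the same try/catch as the answer's snippet so that any ValidationException, or a NullPointerException from a malformed message, results in the response being rejected; InResponseTo and replay (assertion ID) tracking are still the caller's responsibility.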