Why is cacerts ignored in Spring Saml?

假装没事ソ 提交于 2019-12-11 12:56:42

问题


I've made an implementation based on this with a FilesystemMetadataProvider: https://github.com/vdenotaris/spring-boot-security-saml-sample

To make the SSL handshake work for the artifact binding I had to put/trust the CA certificate for the IDP in the java keystore used by the keyManager.

I would rather have used the cacerts on the jre in case the IDP changed CA, but I haven't been able to find any property to set so that Spring SAML looks inside that instead.

Also this answer suggest that the cacert is ignored altogheter: Spring Security SAML - HTTPS connections

Why is the cacert ignored in Spring SAML? This seems like a deficiency for me.

I have checked that the CA for the IDP is in the cacert file for my jre. If i remove the beans related to TLS/socket factory from the config it still fails.


回答1:


Yes, cacerts is ignored. Spring SAML uses custom implementations for handling of trust, with an intention of providing more control over the system's security. You can always quite easily copy over all certificates from cacerts to samlKeystore.




回答2:


Your custom certificate/JDK default certificate must have IDPs certicate imported as trust . Your custom certificate used in JKS manager must have at-least one private key. Please import your trust in JDK_PATH/jre/lib/securitycacerts and try the command wget <your_idp_descriptor_url>



来源:https://stackoverflow.com/questions/36884997/why-is-cacerts-ignored-in-spring-saml

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!