如何修复 SAML 登录时返回的错误:状态 400,消息 "Fail to verify response"(无法验证响应)?
影响版本:4.5.1到4.7.5
修正版本:4.7.6及以上
解决方案:升级到 Artifactory 4.7.6 或更高版本
问题:
当您使用SAML登录到Artifactory时,在输入凭据并登录后,您可能会看到以下错误:
{
"errors": [{
"status": 400,
"message": "{\"error\":\"Fail to verify response\"}"
}]
}
在 Artifactory 日志中,您可能会看到以下内容(失败发生在验证 SAML 响应的 XML 签名时):
2016-05-10 16:05:01,702 [http-nio-8081-exec-4] [WARN] (o.a.x.s.s.XMLSignature:-1) -签名验证失败。
2016-05-10 16:05:01,708 [http-nio-8081-exec-4] [ERROR] (o.a.u.r.s.a.s.s.GetSamlLoginResponseService:29) -验证响应失败
SamlException:验证响应失败
at org.artifactory.addon.sso.SamlUtils.verifySamlLoginResponse(SamlUtils.java:396) ~[artifactory-addon-sso-4.5.1.jar:na]
at org.artifactory.addon.sso.SamlHandlerImpl.verifySignature(SamlHandlerImpl.java:211) ~[artifactory-addon-sso-4.5.1.jar:na]
at org.artifactory.addon.sso.SamlHandlerImpl.handleLoginResponse(SamlHandlerImpl.java:85) ~[artifactory-addon-sso-4.5.1.jar:na]
at org.artifactory.ui.rest.service.admin.security.saml.GetSamlLoginResponseService.execute(GetSamlLoginResponseService.java:27) ~[artifactory-rest-ui-4.5.1.jar:na]
at org.artifactory.rest.common.service.ServiceExecutor.process(ServiceExecutor.java:18) [artifactory-rest-common-4.5.1.jar:na]
at org.artifactory.rest.common.resource.BaseResource.runService(BaseResource.java:107) [artifactory-rest-common-4.5.1.jar:na]
at org.artifactory.ui.rest.resource.admin.security.SamLoginLogoutResource.loginResponse(SamLoginLogoutResource.java:40) [artifactory-rest-ui-4.5.1.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_71]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_71]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_71]
at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_71]
at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:205) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409) [jersey-server-1.19.jar:1.19]
at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409) [jersey-servlet-1.19.jar:1.19]
at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558) [jersey-servlet-1.19.jar:1.19]
at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733) [jersey-servlet-1.19.jar:1.19]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291) [catalina.jar:8.0.22]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
at org.artifactory.webapp.servlet.RepoFilter.execute(RepoFilter.java:198) [artifactory-web-application-4.5.1.jar:na]
at org.artifactory.webapp.servlet.RepoFilter.doFilter(RepoFilter.java:89) [artifactory-web-application-4.5.1.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.22]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
at org.artifactory.webapp.servlet.AccessFilter.useAuthentication(AccessFilter.java:334) [artifactory-web-application-4.5.1.jar:na]
at org.artifactory.webapp.servlet.AccessFilter.useAnonymousIfPossible(AccessFilter.java:309) [artifactory-web-application-4.5.1.jar:na]
at org.artifactory.webapp.servlet.AccessFilter.doFilterInternal(AccessFilter.java:192) [artifactory-web-application-4.5.1.jar:na]
at org.artifactory.webapp.servlet.AccessFilter.doFilter(AccessFilter.java:156) [artifactory-web-application-4.5.1.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.22]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
at org.artifactory.webapp.servlet.RequestFilter.doFilter(RequestFilter.java:65) [artifactory-web-application-4.5.1.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.22]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
at org.artifactory.webapp.servlet.ArtifactoryFilter.doFilter(ArtifactoryFilter.java:109) [artifactory-web-application-4.5.1.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.22]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:721) [catalina.jar:8.0.22]
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:466) [catalina.jar:8.0.22]
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:391) [catalina.jar:8.0.22]
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:318) [catalina.jar:8.0.22]
at org.artifactory.webapp.servlet.redirection.SamlRedirectionHandler.redirect(SamlRedirectionHandler.java:36) [artifactory-web-application-4.5.1.jar:na]
at org.artifactory.webapp.servlet.ArtifactoryFilter.doFilter(ArtifactoryFilter.java:65) [artifactory-web-application-4.5.1.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.22]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.22]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:8.0.22]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.22]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [catalina.jar:8.0.22]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.22]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.22]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518) [catalina.jar:8.0.22]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091) [tomcat-coyote.jar:8.0.22]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668) [tomcat-coyote.jar:8.0.22]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521) [tomcat-coyote.jar:8.0.22]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478) [tomcat-coyote.jar:8.0.22]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_71]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_71]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.22]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_71]
Caused by: org.opensaml.xml.validation.ValidationException:签名没有根据凭据的密钥进行验证
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78) ~[xmltooling-1.3.2.jar:na]
at org.artifactory.addon.sso. samlutils . verifysamlloginresponse (SamlUtils.java:394) ~[artifactory-addon-sso-4.5.1.jar:na]
省略了66个常用帧
