Reputation: 31
I finally got SAML SSO working on my application, which is serving as the SP. It's working with generated metadata, but I want to add predefined metadata for production.
I am trying to configure my ExtendedMetadataDelegate bean to see the XML file holding my SP metadata, but I can't figure out where to put the file so that Spring will be able to see it.
The Spring documentation says: "Store the metadata file as part of your project classpath, e.g. in WEB-INF/classes/metadata/localhost_sp.xml." I tried putting it in that exact location and it couldn't find it. I tried putting it in the same location as my keystore, which is under WEB-INF. It seems to be able to find the keystore just fine, but it can't find the metadata there either.
Interestingly, when I use the FilesystemMetadataProvider configured as below, my Windows system can find the file, but my Unix server and coworkers on Macs can't. When the application starts up on a Unix-based system, this is the error message: org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata file '/WEB-INF/blah/filename.xml' does not exist, but the application continues on to run just fine and the SSO even works.
/WEB-INF/blah/filename.xml
When I use the ResourceBackedMetadataProvider configured as below, my system won't even compile because it can't find the file. The error is: nested exception is org.opensaml.util.resource.ResourceException: Classpath resource does not exist: filename.xml
I'm assuming that I need to change something on my classpath, but I don't know whether to change the build classpath or the run classpath. I tried adding WEB-INF to the run classpath and that didn't seem to help.
Thanks in advance for any help with this.
Upvotes: 3
Views: 5519
Reputation: 3802
The key is the '/' in the value:
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/localhost_sp.xml"/>
</bean>
Upvotes: 1
Reputation: 2689
The documentation does state: Store the metadata file as part of your project classpath, e.g. in WEB-INF/classes/metadata/localhost_sp.xml.
However, like you, I get classpath errors doing that. I've found that the application consistently picks this up when I put it in: src/main/resources/metadata/localhost_sp.xml
Here is the error you get if you use WEB-INF/classes/metadata/...
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.opensaml.util.resource.ClasspathResource#537c9fb7' defined in ServletContext resource [/WEB-INF/securityContext.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.opensaml.util.resource.ClasspathResource]: Constructor threw exception; nested exception is org.opensaml.util.resource.ResourceException: Classpath resource does not exist: /metadata/localhost_sp.xml
For reference, here's the relevant portion of WEB-INF/securityContext.xml that is loading this SP metadata.
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <!-- OpenSAML provider backed by a Resource; the Timer is used for background reloads -->
        <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
            <constructor-arg>
                <bean class="java.util.Timer"/>
            </constructor-arg>
            <constructor-arg>
                <!-- leading '/' resolves from the classpath root (WEB-INF/classes in the WAR) -->
                <bean class="org.opensaml.util.resource.ClasspathResource">
                    <constructor-arg value="/metadata/localhost_sp.xml"/>
                </bean>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
</bean>
Overall, I find Spring Security SAML difficult to use/integrate/understand.
Upvotes: 2
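Both answers above come down to one Java detail. OpenSAML's ClasspathResource looks the name up with Class.getResource(): a name without a leading '/' is taken relative to the package of the calling class (for ClasspathResource that is org/opensaml/util/resource/), while a name starting with '/' is taken from the classpath root. In a WAR the classpath root is WEB-INF/classes, and a Maven build fills it from src/main/resources, which is why src/main/resources/metadata/localhost_sp.xml plus "/metadata/localhost_sp.xml" works. (The FilesystemMetadataProvider in the question is different: its argument is a filesystem path, so '/WEB-INF/blah/filename.xml' is looked up from the filesystem root on Unix, which matches the "does not exist" message.) The diagnostic below is an added example, not code from Spring Security SAML or OpenSAML; the package name and the default file name are assumptions, and it reports how the same name resolves under the relative, absolute and ClassLoader lookups so you can check your packaging before wiring the bean.

```java
// Added diagnostic (not from Spring Security SAML or OpenSAML). The package is
// assumed; any non-default package shows the relative-vs-absolute difference.
package com.example.saml;

import java.net.URL;

public class ClasspathMetadataCheck {

    /**
     * The lookup OpenSAML's ClasspathResource performs: Class.getResource(name).
     * Without a leading '/', the anchoring class's package is prepended; with it,
     * the name is resolved from the classpath root. In OpenSAML the anchor is
     * ClasspathResource itself, so "filename.xml" means
     * org/opensaml/util/resource/filename.xml.
     */
    static URL resolveLikeClasspathResource(Class<?> anchor, String name) {
        return anchor.getResource(name);
    }

    /** The path a package-relative name silently expands to. */
    static String packageRelative(Class<?> anchor, String name) {
        Package pkg = anchor.getPackage();
        String prefix = (pkg == null) ? "" : pkg.getName().replace('.', '/') + "/";
        return prefix + name;
    }

    /** One report line: requested name, effective path, and where (if anywhere) it was found. */
    static String report(Class<?> anchor, String name) {
        URL hit = resolveLikeClasspathResource(anchor, name);
        String effective = name.startsWith("/") ? name.substring(1) : packageRelative(anchor, name);
        return String.format("%-32s looked up as %-48s -> %s",
                name, effective, hit == null ? "NOT FOUND" : hit);
    }

    public static void main(String[] args) {
        // assumed default; pass another path (without the leading '/') as the first argument
        String file = args.length > 0 ? args[0] : "metadata/localhost_sp.xml";
        Class<?> anchor = ClasspathMetadataCheck.class;

        // 1. absolute form: what the working bean definition on this page uses
        System.out.println(report(anchor, "/" + file));
        // 2. relative form: what a value with no leading '/' actually asks for
        System.out.println(report(anchor, file));
        // 3. ClassLoader.getResource is always root-relative and must NOT start with '/'
        ClassLoader cl = anchor.getClassLoader();
        System.out.println(String.format("%-32s via ClassLoader -> %s", file, cl.getResource(file)));
        System.out.println(String.format("%-32s via ClassLoader -> %s", "/" + file, cl.getResource("/" + file)));
    }
}
```

Run it from the build output the application is actually started from, for example `mvn compile` followed by `java -cp target/classes com.example.saml.ClasspathMetadataCheck`; if line 1 prints NOT FOUND, the file is not under the classpath root and the ClasspathResource bean will fail with exactly the "Classpath resource does not exist" error shown in the answers.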