
Spring Security SAML Implementation

I am starting with a new Spring project where I am planning to use SSO. I have read the blogs and have come to know that Spring Security SAML will be the best solution for the SP.

So I have implemented the Spring Security SAML sample application provided by the Spring site https://github.com/SpringSource/spring-security-saml as the SP, along with a Shibboleth IDP.

The IDP connects to an LDAP server. I am able to execute the Spring Security sample application.

I am confused about how I can use this Spring Security SAML extension along with multiple Spring projects.

Any example link or suggestions on architecting the Spring SAML project integration with multiple Spring MVC applications would be helpful.

Provided your REST APIs are only called by the web application which is deployed together with them (in a single WAR and therefore sharing the same HTTP session), you can use Spring SAML + Spring Security to secure them.

Spring SAML will be used to authenticate the users against a remote IDP and populate their entitlements (granted authorities); Spring Security can then be used to define security policies for the APIs called from the UI.

In case you want to be able to call the REST APIs from remote clients, you may want to look into the Spring Security OAuth project, as this is no longer about web single sign-on.

It is possible to create a central installation of Spring SAML which handles all SSO logic. Of course you will need to implement a mechanism in which Spring SAML relays information about the authenticated user and her attributes to your other applications, and do so in a secure way. One possible way to approach it (provided the applications are deployed on the same domain and therefore can share cookies) is to:

  • after authentication in Spring SAML, set a shared cookie which is visible to all the other applications and which is e.g. signed by Spring SAML's key, or encrypted using a shared key; the cookie should also contain the user's attributes
  • this can be done in a custom AuthenticationSuccessHandler, which is subsequently expected to redirect the user to the correct application (e.g. based on some custom logic or relay state)
  • the target application needs to verify the cookie (by checking the signature or decrypting using a shared key, possibly performing other checks), parse the attributes and start its own session which is pre-authenticated based on the content of the cookie

All of this can be done with implementations of the standard interfaces of Spring Security and Spring SAML. But it's not a trivial task, mainly considering that any security vulnerability in your implementation might compromise the security of your applications.
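The signed shared cookie from the three steps above, as an added example that is not part of the answer or of Spring SAML itself. `SsoCookieCodec` is a hypothetical helper with a constructed payload format; it uses only the JDK (HMAC-SHA256 with a shared key), and the Spring wiring is left out: `encode` would be called from the custom AuthenticationSuccessHandler on the central installation, `verify` from a pre-authentication filter in each target application.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: signs and verifies the shared SSO cookie; not a Spring SAML class. */
public final class SsoCookieCodec {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Central app side: user and attrs come from the SAMLCredential; the expiry bounds how long the cookie is usable. */
    public static String encode(byte[] key, String user, Map<String, String> attrs, long expiresEpochSec) throws Exception {
        StringBuilder sb = new StringBuilder(expiresEpochSec + "\n" + user);
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            sb.append('\n').append(e.getKey()).append('=').append(e.getValue()); // constructed format: keys/values must not contain '\n'
        }
        String payload = ENC.encodeToString(sb.toString().getBytes(StandardCharsets.UTF_8));
        return payload + "." + ENC.encodeToString(hmac(key, payload)); // cookie value = payload.signature
    }

    /** Target app side: returns the user ("user" key) and attributes, or empty if the cookie is tampered, malformed or expired. */
    public static Optional<Map<String, String>> verify(byte[] key, String token, long nowEpochSec) throws Exception {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return Optional.empty();
        String payload = token.substring(0, dot);
        byte[] expected = hmac(key, payload);
        byte[] given;
        try { given = DEC.decode(token.substring(dot + 1)); } catch (IllegalArgumentException e) { return Optional.empty(); }
        if (!MessageDigest.isEqual(expected, given)) return Optional.empty(); // constant-time comparison, checked before parsing
        String[] lines = new String(DEC.decode(payload), StandardCharsets.UTF_8).split("\n");
        if (lines.length < 2 || Long.parseLong(lines[0]) <= nowEpochSec) return Optional.empty(); // expired
        Map<String, String> out = new LinkedHashMap<>();
        out.put("user", lines[1]);
        for (int i = 2; i < lines.length; i++) {
            int eq = lines[i].indexOf('=');
            if (eq > 0) out.put(lines[i].substring(0, eq), lines[i].substring(eq + 1));
        }
        return Optional.of(out);
    }
}
```

The cookie should be set with the Secure and HttpOnly flags and a Domain attribute covering only the participating applications; the target application should additionally tie its own session to the verified user and treat the cookie as proof of authentication only, re-deriving authorities from the attributes it trusts.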
