Spring Security SAML OpenAM
I'm trying to develop a web application using an Angular 2 frontend and a REST backend with Spring Boot.
I need to support 3 types of authentication:
- basic login/password matching against a database
- LDAP authentication
- SSO authentication
When a user is authenticated, a JWT is generated by the backend and sent to the frontend. All requests must contain the JWT in the header to communicate with the REST API.
At this time my web security config is:
```java
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import java.nio.charset.Charset;

import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.transaction.annotation.EnableTransactionManagement;
import org.springframework.web.filter.CorsFilter;

// DataBaseAuthentificationProvider, JwtTokenAuthenticationFilter, SimpleCORSFilter,
// SecurityAuthenticationEntryPoint, RestAccessDeniedHandler and CsrfHeaderFilter are
// the application's own classes, assumed to live in this package.

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableTransactionManagement
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String LDAP_AUTHENTIFICATION = "ldap";
    private static final String SSO_AUTHENTIFICATION = "sso";

    @Autowired
    private DataBaseAuthentificationProvider authProvider;

    @Value("${ldap.provider.url}")
    private String ldapProviderUrl;

    @Value("${ldap.user.dn.patterns}")
    private String userDnPatterns;

    @Value("${authentification.type}")
    private String authentificationType;

    public WebSecurityConfiguration() {
        /*
         * Ignores the default configuration, useless in our case (session
         * management, etc.)
         */
        super(true);
    }

    /**
     * Configure the AuthenticationManagerBuilder to use the provider selected
     * by the authentification.type property.
     *
     * @param auth
     *            the {@link AuthenticationManagerBuilder} to use
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        if (StringUtils.equals(authentificationType, LDAP_AUTHENTIFICATION)) { // LDAP
            auth.ldapAuthentication().userDnPatterns(userDnPatterns).contextSource().url(ldapProviderUrl);
        } else if (StringUtils.equals(authentificationType, SSO_AUTHENTIFICATION)) { // SSO
            // Not implemented yet: this is the branch the question is about.
        } else { // Database
            auth.authenticationProvider(authProvider);
        }
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        /*
         * Overridden to expose the AuthenticationManager bean created by
         * configure(AuthenticationManagerBuilder). This bean is used by the
         * AuthenticationController.
         */
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        /*
         * The secret key used to sign the JWT is known exclusively by the
         * server. With the Nimbus JOSE implementation an HMAC secret must be
         * at least 256 bits (32 bytes) long.
         */
        String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
                Charset.defaultCharset());
        httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
                .addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
                /*
                 * Exception management is handled by the
                 * authenticationEntryPoint (for exceptions related to
                 * authentication) and by the AccessDeniedHandler (for
                 * exceptions related to access rights)
                 */
                .exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
                .accessDeniedHandler(new RestAccessDeniedHandler()).and()
                /*
                 * anonymous() treats "no authentication" as an anonymous
                 * principal instead of a null security context.
                 */
                .anonymous().and()
                /* No HTTP session is used to hold the security context */
                .sessionManagement().sessionCreationPolicy(STATELESS).and().authorizeRequests()
                /*
                 * All access to the authentication service is permitted
                 * without authentication (actually as anonymous)
                 */
                .antMatchers("/auth/**").permitAll()
                /*
                 * All other requests need authentication. Role checks are
                 * done on methods using annotations like @PreAuthorize
                 */
                .anyRequest().authenticated().and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
                .csrfTokenRepository(csrfTokenRepository()).disable();
    }

    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN"); // this is the header name Angular uses by default
        return repository;
    }

    private JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter(String path, String secret) {
        return new JwtTokenAuthenticationFilter(path, secret);
    }
}
```
The critical point is SSO:
The behaviour I would like is the following:
Client asks for a protected REST resource:
First, I installed OpenAM on a virtual machine, created a SAMLv2 provider and got my idp.xml.
I tried to use https://github.com/vdenotaris/spring-boot-security-saml-sample to add SSO authentication, but it fails.
Can anyone give me the steps to integrate this into my web security config?
Thanks!
I would stick to using JWT, and not SAML; it adds complexity for no benefit. There are plenty of examples of how to protect a REST service using JWT, and OpenAM supports OIDC, which provides JWT tokens.
Some useful links:
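As an added example (not from the question or the answer above), this is what the empty SSO branch of the question's configuration could become if the backend validates OpenAM-issued OIDC access tokens instead of SAML assertions: Spring Security's OAuth2 resource server support (spring-boot-starter-oauth2-resource-server, Spring Security 5.4 or later for JwtClaimValidator) verifies the token signature against OpenAM's published JWK set and checks issuer, expiry and audience, so no shared HMAC secret has to live on the server. The OpenAM realm URLs and the client id are assumed placeholders.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
@EnableWebSecurity
public class OidcResourceServerConfiguration extends WebSecurityConfigurerAdapter {

    // Assumed placeholders: the OpenAM realm that issues the tokens and its JWK set endpoint.
    private static final String ISSUER = "https://openam.example.test/openam/oauth2/realms/root";
    private static final String JWK_SET_URI = ISSUER + "/connect/jwk_uri";
    // Assumed placeholder: the client id registered in OpenAM for the Angular frontend.
    private static final String EXPECTED_AUDIENCE = "angular-frontend";

    @Bean
    public JwtDecoder jwtDecoder() {
        // Signatures are verified with OpenAM's public keys fetched from the JWK set URI.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        // Default validators check exp/nbf and iss; the extra one rejects tokens minted
        // for another client, so a token stolen from a different app is not accepted here.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                .antMatchers("/auth/**").permitAll()
                .anyRequest().authenticated().and()
            // Every other request must carry "Authorization: Bearer <token>" signed by OpenAM.
            .oauth2ResourceServer().jwt().decoder(jwtDecoder());
    }
}
```

Role checks with @PreAuthorize keep working as in the question's configuration; the authenticated principal is now the validated Jwt rather than a user loaded by an AuthenticationProvider.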