External SSO with spring security
I am working on an application which requires an integration of a proprietary SSO with spring security. The application uses spring boot, and the requirement is that we use the authentication from the internal proprietary SSO module and the authorization from the existing application. The existing application's authentication system has to be replaced with the internal proprietary SSO's authentication module. I went through a few documents and understood that it is possible, as spring is module based.

While working on the application I noticed that we are using FilterRegistrationBean to initialize one filter, and another filter is added to the chain via WebSecurityConfigurerAdapter's configure(HttpSecurity http) method.

Can someone please let me know if this will be treated as two different chains? If so, how are the chains checked for filtering out the details?

Can I just remove the filter we are adding via WebSecurityConfigurerAdapter's configure(HttpSecurity http) method and replace the existing filter that is registered via FilterRegistrationBean with the filter (with highest precedence) from the internal proprietary SSO?
OK, so we do exactly what you're asking for in one of our systems. We have this working in Spring boot 1 and 2. These are the steps to take.

1. Create a bean extending AbstractPreAuthenticatedProcessingFilter. Implement getPreAuthenticatedPrincipal and getPreAuthenticatedCredentials to extract the authenticated user and optional credentials (e.g. a certificate) from your SSO system. Create a FilterRegistrationBean for this filter bean; otherwise, thanks to spring boot's component scanning, it'll end up in the main filter chain as well as the security filter chain.

2. Create a user details (authorization) service bean implementing AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken>. Override loadUserDetails to take your authenticated token and use it to add permissions in the form of GrantedAuthority lists.

3. In your WebSecurityConfigurerAdapter bean subclass do the following:

   a. Inject your subclass of AbstractPreAuthenticatedProcessingFilter and also your subclass of AuthenticationUserDetailsService.

   b. Add a class member of type PreAuthenticatedAuthenticationProvider and initialise it with new (it's not a bean).

   c. In configure(HttpSecurity) initialise your filter bean with an authentication manager: yourBean.setAuthenticationManager(authenticationManager()), then ensure your filter is included:

          http.addFilter(yourBean)
              .authorizeRequests()
              .requestMatchers(...)

   d. In configure(AuthenticationManagerBuilder) initialise the PreAuthenticatedAuthenticationProvider you created in step (2) with your implementation of the authentication and authorization beans:

          this.preAuthProvider.setPreAuthenticatedUserDetailsService(this.userDetailsService);
          this.preAuthProvider.setThrowExceptionWhenTokenRejected(true);
          authBuilder.authenticationProvider(this.preAuthProvider);

That should be all. Hope that helps.
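The steps above wired together end to end, as an added example that is not the answerer's own code. It assumes Spring Boot 2 with Spring Security 5 (javax.servlet, the generic FilterRegistrationBean), and the header name X-SSO-User and the ROLE_USER mapping are constructed stand-ins for whatever the proprietary SSO actually provides.

```java
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.preauth.*;

// Step 1: read the identity the SSO already established. "X-SSO-User" is a hypothetical header that only the trusted SSO front end may set.
class SsoPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest req) {
        return req.getHeader("X-SSO-User");   // null means "no SSO identity", and the filter then does nothing
    }
    @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest req) {
        return "N/A";                          // must be non-null; a client certificate could be returned here
    }
}

// Step 2: authorization stays in the application; map the SSO principal to local GrantedAuthority values.
class SsoUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    @Override public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        // Constructed mapping: a real service looks the principal up in the application's own role store.
        return new User(token.getName(), "", Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }
}

@Configuration @EnableWebSecurity
class SsoSecurityConfig extends WebSecurityConfigurerAdapter {
    private final PreAuthenticatedAuthenticationProvider preAuthProvider = new PreAuthenticatedAuthenticationProvider();
    @Bean SsoPreAuthFilter ssoFilter() { return new SsoPreAuthFilter(); }
    @Bean SsoUserDetailsService ssoUserDetailsService() { return new SsoUserDetailsService(); }
    // Disabled registration: stops Boot from also adding the filter bean to the main servlet chain.
    @Bean FilterRegistrationBean<SsoPreAuthFilter> ssoFilterRegistration(SsoPreAuthFilter filter) {
        FilterRegistrationBean<SsoPreAuthFilter> reg = new FilterRegistrationBean<>(filter);
        reg.setEnabled(false);
        return reg;
    }
    @Override protected void configure(HttpSecurity http) throws Exception {
        ssoFilter().setAuthenticationManager(authenticationManager());
        http.addFilter(ssoFilter()).authorizeRequests().anyRequest().authenticated();
    }
    @Override protected void configure(AuthenticationManagerBuilder auth) {
        preAuthProvider.setPreAuthenticatedUserDetailsService(ssoUserDetailsService());
        preAuthProvider.setThrowExceptionWhenTokenRejected(true); // unknown principal fails fast instead of falling through to other providers
        auth.authenticationProvider(preAuthProvider);
    }
}
```

Because the filter is a bean only for injection, the disabled FilterRegistrationBean is what keeps it out of the container's main chain, so it runs once, inside the security chain, exactly as the answer describes.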