
External SSO with spring security

I am working on an application which requires an integration of a proprietary SSO with spring security. The application uses spring boot, and the requirement is that we use the authentication from the internal proprietary SSO module and the authorization from the existing application. The existing application's authentication system has to be replaced with the internal proprietary SSO's authentication module. I went through a few documents and understood that it is possible as Spring is module based.

While working on the application I noticed that we are using FilterRegistrationBean to initialize one filter, and another filter is added to the chain via WebSecurityConfigurerAdapter's configure(HttpSecurity http) method.

Can someone please let me know if this will be treated as two different chains? If so, how are the chains checked for filtering out the details?

Can I just remove the filter we are adding via WebSecurityConfigurerAdapter's configure(HttpSecurity http) method and replace the existing filter that is registered via FilterRegistrationBean with the filter (with highest precedence) from the internal proprietary SSO?

OK so we do exactly what you're asking for in one of our systems. We have this working in Spring boot 1 and 2. These are the steps to take.

Create a bean extending AbstractPreAuthenticatedProcessingFilter. Implement getPreAuthenticatedPrincipal and getPreAuthenticatedCredentials to extract the authenticated user and optional credentials (e.g. a certificate) from your SSO system. Create a FilterRegistrationBean for this filter bean, otherwise, thanks to spring boot's component scanning, it'll end up in the main filter chain as well as the security filter chain.

Create a user details (authorization) service bean implementing AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken>. Override loadUserDetails to take your authenticated token and use it to add permissions in the form of GrantedAuthority lists.

In your WebSecurityConfigurerAdapter bean subclass do the following:

  1. Inject your subclass of AbstractPreAuthenticatedProcessingFilter and also your subclass of AuthenticationUserDetailsService.

  2. Add a class member of type PreAuthenticatedAuthenticationProvider and initialise it with new (it's not a bean).

  3. In configure(HttpSecurity) initialise your filter bean with an authentication manager: yourBean.setAuthenticationManager(authenticationManager()), then ensure your filter is included:

     http.addFilter(yourBean)
         .authorizeRequests()
             .requestMatchers(...)

  4. Override configure(AuthenticationManagerBuilder) and initialise the PreAuthenticatedAuthenticationProvider you created in step (2) with your implementation of the authentication and authorization beans:

     this.preAuthProvider.setPreAuthenticatedUserDetailsService(this.userDetailsService);
     this.preAuthProvider.setThrowExceptionWhenTokenRejected(true);

     authBuilder.authenticationProvider(this.preAuthProvider);

That should be all. Hope that helps.
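The four steps of the answer above, wired together as one added example; this is not code from the original answer or from the answerer's system. It assumes Spring Boot 2.x with Spring Security 5.x (javax.servlet, antMatchers and WebSecurityConfigurerAdapter, as the answer uses), Java 11 or later for Map.of, and a proprietary SSO that presents the already-verified user name in a request header; the header name X-SSO-User, the class names and the alice/bob role table are all hypothetical stand-ins for the real SSO module and the application's own role store. It differs from the answer in one detail: the filter is created as a @Bean inside the configuration and given its AuthenticationManager there, because AbstractPreAuthenticatedProcessingFilter asserts in afterPropertiesSet() that a manager is present as soon as the bean is initialised, which is before configure(HttpSecurity) runs. The FilterRegistrationBean with setEnabled(false) is the step that stops Spring Boot from registering the same filter bean in the plain servlet chain a second time.

```java
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Service;

/** Step 1 (authentication): extract the identity the SSO has already verified. */
class SsoPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    // Hypothetical header; assumed to be set only by the trusted SSO front end and stripped from client input.
    static final String SSO_USER_HEADER = "X-SSO-User";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // null = no SSO identity: the SecurityContext stays empty and authorizeRequests() denies the request.
        return request.getHeader(SSO_USER_HEADER);
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the SSO already checked credentials; nothing to carry over
    }
}

/** Step 2 (authorization): map the authenticated principal to the application's own roles. */
@Service
class SsoUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    // Constructed stand-in for the existing application's role store.
    private static final Map<String, List<GrantedAuthority>> ROLES = Map.of(
            "alice", AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_USER"),
            "bob", AuthorityUtils.createAuthorityList("ROLE_USER"));

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        List<GrantedAuthority> authorities = ROLES.get(token.getName());
        if (authorities == null) {
            // setThrowExceptionWhenTokenRejected(true) below propagates this instead of the provider returning null.
            throw new UsernameNotFoundException("SSO user not provisioned: " + token.getName());
        }
        return new User(token.getName(), "", authorities);
    }
}

/** Steps 3 and 4: filter, provider and user details service wired into the security chain. */
@Configuration
@EnableWebSecurity
class SsoSecurityConfig extends WebSecurityConfigurerAdapter {
    private final SsoUserDetailsService userDetailsService;
    private final PreAuthenticatedAuthenticationProvider preAuthProvider = new PreAuthenticatedAuthenticationProvider();

    SsoSecurityConfig(SsoUserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /** The manager is set here because the base class asserts it is present in afterPropertiesSet(). */
    @Bean
    SsoPreAuthFilter ssoPreAuthFilter() throws Exception {
        SsoPreAuthFilter filter = new SsoPreAuthFilter();
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    /** Keeps Spring Boot from also registering the filter bean in the plain servlet chain. */
    @Bean
    FilterRegistrationBean<SsoPreAuthFilter> ssoFilterRegistration() throws Exception {
        FilterRegistrationBean<SsoPreAuthFilter> registration = new FilterRegistrationBean<>(ssoPreAuthFilter());
        registration.setEnabled(false);
        return registration;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilter(ssoPreAuthFilter())
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        preAuthProvider.setPreAuthenticatedUserDetailsService(userDetailsService);
        preAuthProvider.setThrowExceptionWhenTokenRejected(true);
        auth.authenticationProvider(preAuthProvider);
    }
}
```

The security-relevant point of this pattern is that the filter trusts whatever the SSO hands it: a pre-authenticated principal is accepted without any check of its own. That is only safe if the application is reachable solely through the SSO front end and that front end overwrites or strips any copy of the header a client supplies; otherwise any caller can choose its own user name. Unknown users are refused in loadUserDetails rather than mapped to an empty authority list, so a principal the SSO knows but the application has never provisioned cannot reach even the authenticated() endpoints.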
