JWT 同一路径回退到 SAML2 的身份验证
[英]JWT authentication with fallback to SAML2 for the same path
问题描述
I'm using spring-security-saml2-service-provider for authentication in one of my spring boot applications and I'm using a custom JwtAuthorizationFilter (via a http Authentication header) in a different spring boot application.
我在我的 spring 启动应用程序之一中使用spring-security-saml2-service-provider进行身份验证,并且在另一个 spring 启动应用程序中使用自定义JwtAuthorizationFilter (通过 http 身份验证标头)。
They both work perfectly on their own.他们俩都可以完美地独立工作。
Now I need to write a spring boot application that uses both of them.现在我需要编写一个 spring 启动应用程序,同时使用它们。 If the JWT token is available (Authentication header), then use the JwtAuthorizationFilter , otherwise use saml2Login .如果 JWT 令牌可用(身份验证标头),则使用JwtAuthorizationFilter ,否则使用saml2Login 。
The SAML2 configuration looks like this: (There is no filter , just the saml2Login ) SAML2配置如下所示:(没有过滤器,只有saml2Login )
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
.antMatcher("/**").authorizeRequests()
.antMatchers("/saml2/service-provider-metadata/**").permitAll()
.antMatchers("/**").authenticated().and()
// use SAML2
.saml2Login()
.addObjectPostProcessor(new ObjectPostProcessor<OpenSamlAuthenticationProvider>() {
public <O extends OpenSamlAuthenticationProvider> O postProcess(O samlAuthProvider) {
samlAuthProvider.setAuthoritiesExtractor(authoritiesExtractor());
samlAuthProvider.setAuthoritiesMapper(authoritiesMapper());
return samlAuthProvider;
}
})
;
}
The JWT configuration looks like this: JWT配置如下所示:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
.antMatcher("/**").authorizeRequests()
.antMatchers("/**").authenticated().and()
// use JWT
.addFilter(new JwtAuthorizationFilter(authenticationManager(), jwtUtil))
;
}
I think I need something like a JwtOrSaml2AuthenticationFilter but don't know how to do that.我想我需要类似JwtOrSaml2AuthenticationFilter的东西,但不知道该怎么做。
1 个解决方案
解决方案1
1 已采纳 2020-04-25 09:32:54
The solution is to解决办法是
- Duplicate the configuration with @Order and使用@Order 和复制配置
Set a header based requestMatcher before the addFilter
在 addFilter 之前设置一个基于 header 的 requestMatcher@EnableWebSecurity public class SecurityConfiguration { @Order(100) // lower number = higher priority @Configuration @RequiredArgsConstructor public static class AppSecurityJWT extends WebSecurityConfigurerAdapter { final JWTUtil jwtUtil; @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and().antMatcher("/**").authorizeRequests().antMatchers("/saml2/service-provider-metadata/**", "/idm-app/**").permitAll().antMatchers("/**").authenticated().and() // This configuration will only be active if the Authorization header is present in the request.requestMatcher(new RequestHeaderRequestMatcher("Authorization")).addFilter(new JwtAuthorizationFilter(authenticationManager(), jwtUtil)); } } @Order(101) @Configuration @RequiredArgsConstructor public static class AppSecuritySAML2 extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and().antMatcher("/**").authorizeRequests().antMatchers("/saml2/service-provider-metadata/**", "/idm-app/**").permitAll().antMatchers("/**").authenticated().and() // This whole configuration will only be active, if the previous (100) didn't match.saml2Login() //... ; } }
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.