
External SSO with spring security

I am working on an application which requires an integration of a proprietary SSO with Spring Security. The application uses Spring Boot, and the requirement is that we use the authentication from the internal proprietary SSO module and the authorization from the existing application. The existing application's authentication system has to be replaced with the internal proprietary SSO's authentication module. I went through a few documents and understood that it is possible, as Spring is module-based.

While working on the application I noticed that we are using FilterRegistrationBean to initialize one filter, and another filter is added to the chain via WebSecurityConfigurerAdapter's configure(HttpSecurity http) method.

Can someone please let me know if this will be treated as two different chains? If so, how are the chains checked for filtering out the details?

Can I just remove the filter we are adding via WebSecurityConfigurerAdapter's configure(HttpSecurity http) method and replace the existing filter that is registered via FilterRegistrationBean with the filter (with highest precedence) from internal proprietary SSO?

OK so we do exactly what you're asking for in one of our systems. We have this working in Spring boot 1 and 2. These are the steps to take.

Create a bean extending AbstractPreAuthenticatedProcessingFilter. Implement getPreAuthenticatedPrincipal and getPreAuthenticatedCredentials to extract the authenticated user and optional credentials (e.g. a certificate) from your SSO system. Create a FilterRegistrationBean for this filter bean; otherwise, thanks to Spring Boot's component scanning, it'll end up in the main filter chain as well as the security filter chain.

Create a user details (authorization) service bean implementing AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken>. Override loadUserDetails to take your authenticated token and use it to add permissions in the form of GrantedAuthority lists.

In your WebSecurityConfigurerAdapter bean subclass do the following:

  1. Inject your subclass of AbstractPreAuthenticatedProcessingFilter and also your subclass of AuthenticationUserDetailsService.

  2. Add a class member of type PreAuthenticatedAuthenticationProvider and initialise it with new (it's not a bean).

  3. In configure(HttpSecurity) initialise your filter bean with an authentication manager: yourBean.setAuthenticationManager(authenticationManager()), then ensure your filter is included:

    http.addFilter(yourBean)
      .authorizeRequests()
        .requestMatchers(...)

  4. Override configure(AuthenticationManagerBuilder) and initialise the PreAuthenticatedAuthenticationProvider you created in step (2) with your implementation of the authentication and authorization beans:

    this.preAuthProvider.setPreAuthenticatedUserDetailsService(this.userDetailsService);
    this.preAuthProvider.setThrowExceptionWhenTokenRejected(true);

    authBuilder.authenticationProvider(this.preAuthProvider);

That should be all. Hope that helps.
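The steps above, wired together in one file as an added example (this is not the answerer's code and not part of the original post). It assumes Spring Boot 2.x with Spring Security 5.x (the generic FilterRegistrationBean<T> form), an assumed package name `example.sso`, a constructed request header `X-SSO-User` standing in for whatever mechanism the real proprietary SSO uses to hand over the authenticated identity, and a stub `lookupRoles` standing in for the existing application's authorization store. The FilterRegistrationBean is disabled with `setEnabled(false)`, which is what keeps Boot from also registering the filter bean in the servlet container's main chain, so the filter runs only inside the security filter chain where the pre-authenticated provider can reject unknown principals.

```java
package example.sso;   // assumed package name

import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
public class SsoSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Step 1: filter bean that reads the identity the proprietary SSO already established. */
    @Component
    public static class SsoPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
        // Constructed header name; the real SSO module's extraction replaces this. A header is
        // only trustworthy if the SSO front end sets it and strips any client-supplied copy.
        static final String SSO_USER_HEADER = "X-SSO-User";

        @Override
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            return request.getHeader(SSO_USER_HEADER);   // null means "no pre-authentication present"
        }

        @Override
        protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
            return "N/A";   // no credential (e.g. a certificate) is forwarded in this assumed setup
        }
    }

    /** Step 2: authorization stays in the application; map the SSO principal to authorities. */
    @Service
    public static class SsoAuthorizationService
            implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
        @Override
        public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
            String username = token.getName();
            List<GrantedAuthority> authorities = lookupRoles(username);
            if (authorities.isEmpty()) {
                // Rejecting here, together with setThrowExceptionWhenTokenRejected(true) below,
                // denies SSO users the application has never granted any permission to.
                throw new UsernameNotFoundException("SSO user not authorized: " + username);
            }
            return new User(username, "N/A", authorities);
        }

        // Stub standing in for the existing application's permission store (constructed data).
        private List<GrantedAuthority> lookupRoles(String username) {
            return "alice".equals(username)
                    ? Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"))
                    : Collections.emptyList();
        }
    }

    private final SsoPreAuthFilter ssoFilter;
    private final SsoAuthorizationService authorizationService;
    // Step 3, item 2: a plain object created with new, not a bean.
    private final PreAuthenticatedAuthenticationProvider preAuthProvider =
            new PreAuthenticatedAuthenticationProvider();

    // Step 3, item 1: inject the filter bean and the user details service bean.
    public SsoSecurityConfig(SsoPreAuthFilter ssoFilter, SsoAuthorizationService authorizationService) {
        this.ssoFilter = ssoFilter;
        this.authorizationService = authorizationService;
    }

    /** Registration bean that stops Boot from adding the filter to the servlet container's chain. */
    @Bean
    public FilterRegistrationBean<SsoPreAuthFilter> ssoFilterRegistration(SsoPreAuthFilter filter) {
        FilterRegistrationBean<SsoPreAuthFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);   // filter is wired into the security chain only
        return registration;
    }

    // Step 3, item 3: give the filter its AuthenticationManager and add it to the security chain.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ssoFilter.setAuthenticationManager(authenticationManager());
        http.addFilter(ssoFilter)
            .authorizeRequests()
                .anyRequest().authenticated();
    }

    // Step 3, item 4: the provider validates the pre-authenticated token via the authorization service.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        preAuthProvider.setPreAuthenticatedUserDetailsService(authorizationService);
        preAuthProvider.setThrowExceptionWhenTokenRejected(true);
        auth.authenticationProvider(preAuthProvider);
    }
}
```

With this in place a request carrying `X-SSO-User: alice` is authenticated by the security chain and granted `ROLE_USER`; a request naming a principal the application does not know is rejected by the provider rather than silently passed through as anonymous, which is the behaviour `setThrowExceptionWhenTokenRejected(true)` selects.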
