Spring security Azure AD SAML身份验证与Spring Security 5.3.2(非SAML扩展)
我正在尝试替换为中的。我的SpringSecurity版本是5.3.2。弹簧靴是2.3.0 文档很难找到。我想这可以用一个例子来解释。我找到并尝试了上面提到的解决方法,但是我的断点没有被击中 考虑到从SAML扩展到Spring安全性转换的当前状态,我应该使用旧的SAML扩展吗?我可以使用JSESSIONID和SAMLReponse到达我的“成功”端点,但它是加密的。这是我需要自己做的事吗?(如果是,如何设置?)未设置SecurityContext/用户详细信息。我在日志中看到AccessDenied堆栈跟踪,但我认为这是匿名用户上下文的症状 相关代码如下。我有application.yml和application.properties文件,但所有配置都是基于注释的。如果你在基地外看到什么,请告诉我!任何指导都将不胜感激 这是我的安全配置:Spring security Azure AD SAML身份验证与Spring Security 5.3.2(非SAML扩展),spring-security,spring-oauth2,Spring Security,Spring Oauth2,我正在尝试替换为中的。我的SpringSecurity版本是5.3.2。弹簧靴是2.3.0 文档很难找到。我想这可以用一个例子来解释。我找到并尝试了上面提到的解决方法,但是我的断点没有被击中 考虑到从SAML扩展到Spring安全性转换的当前状态,我应该使用旧的SAML扩展吗?我可以使用JSESSIONID和SAMLReponse到达我的“成功”端点,但它是加密的。这是我需要自己做的事吗?(如果是,如何设置?)未设置SecurityContext/用户详细信息。我在日志中看到AccessDeni
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
RelyingPartyRegistration getSaml2AuthenticationConfiguration() throws Exception {
// remote IDP entity ID
String idpEntityId = "https://sts.windows.net/xxxxxxxxxxxx/";
// remote WebSSO Endpoint - Where to Send AuthNRequests to
String webSsoEndpoint = "https://login.microsoftonline.com/xxxxxxxxxxxx/saml2";
// local registration ID
String registrationId = "xxxxxxxxxxxx";
// local entity ID - autogenerated based on URL
String localEntityIdTemplate = "xxxxxxxxxxxx.local";
// local signing (and decryption key)
Saml2X509Credential signingCredential = getSigningCredential(); //private method not included
// IDP certificate for verification of incoming messages
Saml2X509Credential idpVerificationCertificate = getVerificationCertificate(); //private method not included
String acsUrlTemplate = "https://xxxxxxxxxxxx.local/success"; //REST endpoint, see below
return RelyingPartyRegistration.withRegistrationId(registrationId)
.providerDetails(config -> config.entityId(idpEntityId))
.providerDetails(config -> config.webSsoUrl(webSsoEndpoint)).credentials(c -> c.add(signingCredential))
.credentials(c -> c.add(idpVerificationCertificate)).localEntityIdTemplate(localEntityIdTemplate)
.assertionConsumerServiceUrlTemplate(acsUrlTemplate).build();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// Just a test
OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
http
.headers()
.frameOptions()
.sameOrigin()
.httpStrictTransportSecurity()
.disable()
.and()
.authorizeRequests()
//... more antMatchers and permitAlls
.antMatchers("/success").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/logout").permitAll()
.antMatchers("/error").permitAll().anyRequest().authenticated().and()
.csrf().disable()
.saml2Login(
saml2 -> {
try {
saml2
.authenticationManager(a -> {
// This code is never reached
Authentication result = provider.authenticate(a);
Saml2Authentication saml2Authentication = (Saml2Authentication) result;
return result;
}).relyingPartyRegistrationRepository(
new InMemoryRelyingPartyRegistrationRepository(getSaml2AuthenticationConfiguration())
)
.loginProcessingUrl("/login/{registrationId}");
} catch (Exception e) {
// It made me put this try/catch here... this isn't getting reached either
e.printStackTrace();
}
});
}
}
我的休息时间:
@RestController
public class HelloController {
@RequestMapping(value = "/success", method=RequestMethod.POST)
public String saml2Post(HttpServletRequest request) throws IOException {
String jSessionId = request.getHeader("cookie");
System.out.println(jSessionId);
String samlResponse = request.getReader().lines().collect(Collectors.joining(System.lineSeparator()));
System.out.println(samlResponse);
return "login success";
}
}
和我的gradle依赖项(gradle 6.5):
您能否将其组合到GitHub示例中?我很乐意在本地运行它,看看它在哪里被阻塞了。另外,你提到它是加密的,但是我在您的RelyingPartyRegistration中没有看到解密密钥。旁注:DSL要求您捕获异常的原因是因为您的
getSaml2AuthenticationConfiguration
方法抛出exception
。我将您的SecurityConfig添加到Spring Security saml2login示例中,并将其推到我的fork中。这与您的场景并不完全相同,但可能是我们可以重复使用的内容:我想知道getSaml2AuthenticationConfiguration
是否引发异常,这就是身份验证管理器无法连接的原因。您能将其组合到GitHub示例中吗?我很乐意在本地运行它,看看它在哪里被阻塞了。另外,你提到它是加密的,但是我在您的RelyingPartyRegistration中没有看到解密密钥。旁注:DSL要求您捕获异常的原因是因为您的getSaml2AuthenticationConfiguration
方法抛出exception
。我将您的SecurityConfig添加到Spring Security saml2login示例中,并将其推到我的fork中。这与您的场景并不完全相同,但可能是我们可以重复使用的内容:我想知道getSaml2AuthenticationConfiguration
是否引发异常,这就是身份验证管理器没有连接的原因。
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-security'
compile 'org.springframework.security:spring-security-config'
compile 'org.springframework.security:spring-security-saml2-service-provider'
compile 'org.springframework.boot:spring-boot-starter-thymeleaf'
compile 'org.springframework.boot:spring-boot-starter-web'
compile 'org.thymeleaf.extras:thymeleaf-extras-springsecurity5'
implementation 'org.springframework.boot:spring-boot-starter-freemarker'
implementation 'org.springframework.boot:spring-boot-starter-integration'
implementation 'org.springframework.boot:spring-boot-starter-jdbc'
implementation 'org.springframework.boot:spring-boot-starter-mail'
compile 'org.springframework.security:spring-security-oauth2-client'
compile 'org.springframework.security:spring-security-oauth2-jose'
implementation 'joda-time:joda-time:2.10.6'
implementation 'com.google.guava:guava:29.0-jre'
implementation 'com.opencsv:opencsv:5.2'
implementation 'org.apache.commons:commons-lang3:3.10'
implementation 'net.minidev:json-smart:2.3'
developmentOnly 'org.springframework.boot:spring-boot-devtools'
runtimeOnly 'com.microsoft.sqlserver:mssql-jdbc'
runtimeOnly 'org.hsqldb:hsqldb'
providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat'
testImplementation('org.springframework.boot:spring-boot-starter-test') {
exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
}
testImplementation 'org.springframework.integration:spring-integration-test'
testImplementation 'org.springframework.security:spring-security-test'
}