java - Spring Security SAML OpenAM

Reposted. Author: 行者123. Updated: 2023-12-03 09:43:08

I am trying to develop a web application with an angular2 frontend and a Spring Boot REST backend.

I need to manage 3 types of authentication:
- basic login/password matching against a database
- LDAP authentication
- SSO authentication

When the user is authenticated, the backend generates a JWT and sends it to the frontend. All requests must carry the JWT in a header to talk to the REST API.

At this point my web security configuration is:

import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import java.nio.charset.Charset;

import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.transaction.annotation.EnableTransactionManagement;
import org.springframework.web.filter.CorsFilter;

// DataBaseAuthentificationProvider, JwtTokenAuthenticationFilter, SimpleCORSFilter,
// CsrfHeaderFilter, SecurityAuthenticationEntryPoint and RestAccessDeniedHandler are
// the application's own classes (not shown in the question); they are assumed to live
// in this package.

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableTransactionManagement
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String LDAP_AUTHENTIFICATION = "ldap";
    private static final String SSO_AUTHENTIFICATION = "sso";

    @Autowired
    private DataBaseAuthentificationProvider authProvider;

    @Value("${ldap.provider.url}")
    private String ldapProviderUrl;

    @Value("${ldap.user.dn.patterns}")
    private String userDnPatterns;

    @Value("${authentification.type}")
    private String authentificationType;

    public WebSecurityConfiguration() {
        /*
         * Ignores the default configuration, useless in our case (session
         * management, etc.). Everything needed is configured explicitly below.
         */
        super(true);
    }

    /**
     * Configure AuthenticationManagerBuilder to use the specified
     * DetailsService, selected by the authentification.type property.
     *
     * @param auth
     *            the {@link AuthenticationManagerBuilder} to use
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        if (StringUtils.equals(authentificationType, LDAP_AUTHENTIFICATION)) { // LDAP
            auth.ldapAuthentication().userDnPatterns(userDnPatterns).contextSource().url(ldapProviderUrl);
        } else if (StringUtils.equals(authentificationType, SSO_AUTHENTIFICATION)) { // SSO
            // Not implemented yet: this is the part the question is about.
        } else { // Database
            auth.authenticationProvider(authProvider);
        }

    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        /*
         * Overridden to expose the AuthenticationManager bean created by
         * configure(AuthenticationManagerBuilder). This bean is used by the
         * AuthenticationController.
         */
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {

        /*
         * The secret key used to sign the JWT is known exclusively by the
         * server. With the Nimbus JOSE implementation (HMAC), it must be at
         * least 256 bits (32 bytes) long.
         */
        String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
                Charset.defaultCharset());

        httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
                .addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
                /*
                 * Exception management is handled by the
                 * authenticationEntryPoint (for exceptions related to
                 * authentication) and by the AccessDeniedHandler (for
                 * exceptions related to access rights)
                 */
                .exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
                .accessDeniedHandler(new RestAccessDeniedHandler()).and()
                /*
                 * anonymous() treats "no authentication" as an anonymous
                 * principal instead of a null security context.
                 */
                .anonymous().and()
                /* No HTTP session is used to hold the security context */
                .sessionManagement().sessionCreationPolicy(STATELESS).and().authorizeRequests()
                /*
                 * All access to the authentication service is permitted
                 * without authentication (actually as anonymous)
                 */
                .antMatchers("/auth/**").permitAll()
                /*
                 * All other requests need an authentication. Role checks are
                 * done on methods using annotations like @PreAuthorize
                 */
                .anyRequest().authenticated().and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
                .csrfTokenRepository(csrfTokenRepository()).disable();
    }

    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN"); // this is the name angular
                                                  // uses by default.
        return repository;
    }

    private JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter(String path, String secret) {
        return new JwtTokenAuthenticationFilter(path, secret);
    }
}

The key point is SSO:

The behaviour I want is the following:

The client requests a protected REST resource:
  • if the user is already logged in to OpenAM => the requested resource is returned
  • if the user is not logged in yet => the user is redirected to OpenAM and provides their
    credentials => the user can access the resource

First, I installed OpenAM on a virtual machine, created a SAMLv2 Provider and obtained my idp.xml.

I tried to add SSO authentication using https://github.com/vdenotaris/spring-boot-security-saml-sample but failed.

Can anyone give me some steps to integrate this into my web security configuration?

Thanks!
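The JwtTokenAuthenticationFilter that the configuration above installs with addFilterAfter(...) is not shown in the question. The following is an added example, not code from the question or from any project, of how such a stateless filter can be written with Nimbus JOSE + JWT so that it matches the (path, secret) constructor the configuration calls. The "Authorization: Bearer" header convention, the "roles" claim name and the javax.servlet API (Spring Boot 1.x/2.x) are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/**
 * Hypothetical stateless bearer-token filter: verifies an HS256 JWT taken from
 * the Authorization header and, when valid, populates the SecurityContext for
 * the current request only (no HTTP session is involved).
 */
public class JwtTokenAuthenticationFilter extends OncePerRequestFilter {

    private static final String BEARER = "Bearer ";

    private final AntPathRequestMatcher pathMatcher;
    private final MACVerifier verifier;

    public JwtTokenAuthenticationFilter(String path, String secret) throws JOSEException {
        this.pathMatcher = new AntPathRequestMatcher(path);
        // MACVerifier throws KeyLengthException for secrets shorter than 256 bits,
        // so a too-short secret.key fails at startup rather than at the first request.
        this.verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !pathMatcher.matches(request);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(BEARER)) {
            // No token: stay anonymous. authorizeRequests() rejects protected URLs
            // and the configured entry point answers 401.
            chain.doFilter(request, response);
            return;
        }
        try {
            SignedJWT jwt = SignedJWT.parse(header.substring(BEARER.length()));
            // Pin the algorithm: the token header must never choose how it is verified.
            if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm()) || !jwt.verify(verifier)) {
                throw new JOSEException("bad algorithm or signature");
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || exp.before(new Date())) {
                throw new JOSEException("token expired or has no exp claim");
            }
            List<String> roles = claims.getStringListClaim("roles"); // assumed claim name; may be null
            String[] authorities = roles == null ? new String[0] : roles.toArray(new String[0]);
            // The 3-argument constructor marks the token as authenticated.
            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                    claims.getSubject(), null, AuthorityUtils.createAuthorityList(authorities));
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (ParseException | JOSEException e) {
            // Present but invalid token: reject explicitly instead of silently
            // degrading to the anonymous user.
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The constructor now declares JOSEException, which the configuration's configure(HttpSecurity) already covers with "throws Exception". Checking the alg header against HS256 before verify() blocks a client from presenting an "alg": "none" token or an RSA-signed token that would be checked with the wrong primitive; the expiry check matters because a stateless API has no session to revoke.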

Best answer

I would stick with JWT rather than SAML; it adds complexity without any benefit. There are many examples of how to secure REST services with JWT, and openam supports OIDC, which provides JWT tokens.
Some useful links:
OpenAM spring security integration
Springboot OIDC OpenAM
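The answer's recommendation is to let OpenAM act as an OIDC provider and have the REST backend validate the JWTs OpenAM issues, instead of adding a SAML service provider. As an added example (not from the answer, the question or OpenAM's documentation), this is the resource-server side of that using Spring Security's oauth2ResourceServer support (Spring Security 5.3+ with spring-boot-starter-oauth2-resource-server), which replaces the hand-written JWT filter in the question. The OpenAM host, realm, issuer, JWK endpoint, client_id and the "roles" claim are assumed values for an example deployment.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

/**
 * Stateless REST backend that accepts JWTs issued by OpenAM's OIDC provider.
 * Signatures are verified against OpenAM's published JWK set, so the API holds
 * no shared signing secret at all.
 */
@Configuration
@EnableWebSecurity
public class OpenAmOidcResourceServerConfiguration extends WebSecurityConfigurerAdapter {

    // Assumed OpenAM deployment: top-level realm at https://openam.example.com/openam.
    private static final String ISSUER = "https://openam.example.com/openam/oauth2";
    private static final String JWK_SET_URI = ISSUER + "/connect/jwk_uri";
    // Assumed client_id registered in OpenAM for this API; tokens must name it in "aud".
    private static final String AUDIENCE = "my-rest-api";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                // Bearer tokens are not sent automatically by the browser, so CSRF does not apply.
                .csrf().disable()
                .authorizeRequests()
                    .anyRequest().authenticated().and()
                // Missing or invalid token -> 401 with WWW-Authenticate: Bearer, no redirect.
                .oauth2ResourceServer().jwt()
                    .decoder(jwtDecoder())
                    .jwtAuthenticationConverter(jwtAuthenticationConverter());
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        // Default validator = timestamps (exp/nbf) + exact "iss" match.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        // Audience check: a token minted for another OpenAM client must not be accepted here.
        OAuth2TokenValidator<Jwt> withAudience = new JwtClaimValidator<List<String>>("aud",
                aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }

    // Map the assumed "roles" claim to ROLE_* authorities so @PreAuthorize("hasRole(...)") keeps working.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles");
        authorities.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}
```

With this split, the "redirect to OpenAM if not logged in" step the question asks for belongs to the Angular client (an OIDC authorization code flow against OpenAM), not to the REST API, which stays stateless and only answers 401 when no valid bearer token is present. One caveat: this decoder only handles JWT-format tokens; if OpenAM is configured to issue opaque access tokens they have to be checked by introspection (oauth2ResourceServer().opaqueToken()) instead.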

On java - Spring Security SAML OpenAM, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/39898770/
