java - Spring 安全 SAML OpenAM

Question

我正在尝试使用带有 angular2 的前端和带有 Spring Boot 的 REST 后端来开发 Web 应用程序。

我需要管理 3 种类型的身份验证:
- 对数据库进行基本登录/密码匹配
- LDAP认证
- sso 认证

当用户通过身份验证时，后端会生成一个 JWT 并发送给前端。所有请求都必须在 header 中包含 jwt 才能与 REST 通信。

此时我的网络安全配置是:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableTransactionManagement
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String LDAP_AUTHENTIFICATION = "ldap";
    private static final String SSO_AUTHENTIFICATION = "sso";

    @Autowired
    private DataBaseAuthentificationProvider authProvider;

    @Value("${ldap.provider.url}")
    private String ldapProviderUrl;

    @Value("${ldap.user.dn.patterns}")
    private String userDnPatterns;

    @Value("${authentification.type}")
    private String authentificationType;

    public WebSecurityConfiguration() {
        /*
         * Ignores the default configuration, useless in our case (session
         * management, etc..)
         */
        super(true);
    }

    /**
     * Configure AuthenticationManagerBuilder to use the specified
     * DetailsService.
     * 
     * @param auth
     *            the {@link AuthenticationManagerBuilder} to use
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        if (StringUtils.equals(authentificationType, LDAP_AUTHENTIFICATION)) { // LDAP
            auth.ldapAuthentication().userDnPatterns(userDnPatterns).contextSource().url(ldapProviderUrl);
        } else if (StringUtils.equals(authentificationType, SSO_AUTHENTIFICATION)) { // SSO

        } else { // Database
            auth.authenticationProvider(authProvider);
        }

    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        /*
         * Overloaded to expose Authenticationmanager's bean created by
         * configure(AuthenticationManagerBuilder). This bean is used by the
         * AuthenticationController.
         */
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {

        /*
         * the secret key used to signe the JWT token is known exclusively by
         * the server. With Nimbus JOSE implementation, it must be at least 256
         * characters longs.
         */
        String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
                Charset.defaultCharset());

        httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
                .addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
                /*
                 * Exception management is handled by the
                 * authenticationEntryPoint (for exceptions related to
                 * authentications) and by the AccessDeniedHandler (for
                 * exceptions related to access rights)
                 */
                .exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
                .accessDeniedHandler(new RestAccessDeniedHandler()).and()
                /*
                 * anonymous() consider no authentication as being anonymous
                 * instead of null in the security context.
                 */
                .anonymous().and()
                /* No Http session is used to get the security context */
                .sessionManagement().sessionCreationPolicy(STATELESS).and().authorizeRequests()
                /*
                 * All access to the authentication service are permitted
                 * without authentication (actually as anonymous)
                 */
                .antMatchers("/auth/**").permitAll()
                /*
                 * All the other requests need an authentication. Role access is
                 * done on Methods using annotations like @PreAuthorize
                 */
                .anyRequest().authenticated().and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
                .csrfTokenRepository(csrfTokenRepository()).disable();
    }

    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN"); // this is the name angular
        // uses by default.
        return repository;
    }

    private JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter(String path, String secret) {
        return new JwtTokenAuthenticationFilter(path, secret);
    }

关键点是 SSO :

我想要的行为如下:

客户端请求 protected REST 资源:

如果用户已经被 OpenAM 登录 => 返回请求的资源

如果用户尚未登录 => 用户被重定向到 OpenAM 并提供其
凭证 => 用户可以访问资源

首先，我在虚拟机上安装了 OpenAM，创建了一个 SAMLv2 Providers 并获取了我的 idp.xml。

我尝试使用 https://github.com/vdenotaris/spring-boot-security-saml-sample添加 sso 身份验证但失败。

有没有人可以给我一些步骤，以便将其集成到我的网络安全配置中？

谢谢!

Answer 1

我会坚持使用 JWT，而不是 SAML，它增加了复杂性而没有任何好处，有很多示例如何使用 JWT 保护 REST 服务，并且 openam 支持提供 JWT token 的 OIDC。
一些有用的链接:
OpenAM spring security integration
Springboot OIDC OpenAM