
Authorization based on SAML assertion values with SAML2 authentication

Stack Overflow user
Asked 2021-12-13 17:01:38
1 answer, 1.2K views, 0 followers, 2 votes

I'm using spring-security-saml2-service-provider to authenticate my Spring Boot application against a SAML IdP, and that works. I can also access the SAML assertion via @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal, but what I want to do is restrict access to URLs based on values from the assertion held in the Saml2AuthenticatedPrincipal. This is a common approach in SAML federations, where an eduPersonEntitlement value is released and access is decided on that basis. Has anyone done this? All my research and experiments on this have come up empty. What I have so far:

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;

@EnableWebSecurity
public class SAMLSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        RelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
                new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);

        // Serves the SP metadata; it has to sit in front of the SSO filter
        Saml2MetadataFilter filter =
                new Saml2MetadataFilter(relyingPartyRegistrationResolver, new OpenSamlMetadataResolver());

        http
            .saml2Login(withDefaults())
            .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class)
            .antMatcher("/**")
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

I think I need to replace authenticated() with something role-related, and somehow assign roles to the user when they log in, but that doesn't lead anywhere. Any ideas?


Stack Overflow user

Posted 2021-12-15 12:54:12

OK, got it working....you need to customize saml2Login with a new customizer, replacing the withDefaults() method (Saml2LoginSettings below):

SAMLSecurityConfig.java:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;

@EnableWebSecurity
public class SAMLSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

    // Customizer that installs the success handler which maps assertion values to authorities
    @Autowired
    Saml2LoginSettings settings;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        RelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
                new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);

        Saml2MetadataFilter filter =
                new Saml2MetadataFilter(relyingPartyRegistrationResolver, new OpenSamlMetadataResolver());

        http
            .saml2Login(settings)
            .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class)
            .antMatcher("/**")
            .authorizeRequests()
                // only principals granted ADMIN from the assertion may reach /attributes
                .antMatchers("/attributes").hasAuthority("ADMIN")
                .anyRequest().authenticated();
    }
}
```

with Saml2LoginSettings.java:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
class Saml2LoginSettings implements Customizer<Saml2LoginConfigurer<HttpSecurity>> {

    @Override
    public void customize(Saml2LoginConfigurer<HttpSecurity> t) {

        // Wrap the default success handler so authorities can be added right after login
        t.successHandler(new SavedRequestAwareAuthenticationSuccessHandler() {

            @Override
            public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                    Authentication authentication) throws IOException, ServletException {

                authentication = assignAuthorities(authentication, request);
                super.onAuthenticationSuccess(request, response, authentication);
            }
        });
    }

    // assignAuthorities(...) follows in the next block; it is a member of this class
```

Assigning the authorities is a bit hacky, but this works:

```java
// Imports needed by this method (they belong at the top of Saml2LoginSettings.java)
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;

    // Member of Saml2LoginSettings: grant ADMIN when the eduPersonEntitlement attribute
    // (urn:oid:1.3.6.1.4.1.5923.1.1.1.7) carries the expected entitlement value
    private Authentication assignAuthorities(Authentication authentication, HttpServletRequest request) {
        Saml2AuthenticatedPrincipal princ = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
        List<Object> entitlements = princ.getAttribute("urn:oid:1.3.6.1.4.1.5923.1.1.1.7");

        // Attribute absent from the assertion: nothing to grant (and no NullPointerException)
        if (entitlements == null || !entitlements.contains("urn:mace:dir:entitlement:common-lib-terms")) {
            return authentication;
        }

        List<GrantedAuthority> updatedAuthorities = new ArrayList<>(authentication.getAuthorities());
        updatedAuthorities.add(new SimpleGrantedAuthority("ADMIN"));

        // Saml2Authentication is immutable, so rebuild it with the extended authority set and
        // put it back into the security context for the rest of this request
        Saml2Authentication sAuth = new Saml2Authentication(
                princ,
                ((Saml2Authentication) authentication).getSaml2Response(),
                updatedAuthorities);
        SecurityContextHolder.getContext().setAuthentication(sAuth);
        return sAuth;
    }
}
```

Sample code here

2 votes
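A less hacky alternative, added here as an example and not part of the answer above or of Spring Security's own samples: Spring Security 5.5+ lets you give OpenSaml4AuthenticationProvider a response-to-authentication converter, so the entitlement-derived authorities are part of the Authentication before any success handler runs and before the security context is saved to the session. The class name, the ADMIN authority name and the entitlement-to-authority map are assumptions; the attribute OID and entitlement value are the ones from the thread.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;

@EnableWebSecurity
public class EntitlementAuthorityConfig extends WebSecurityConfigurerAdapter {
    // Attribute OID and entitlement value are those from the question; "ADMIN" is an assumed name
    static final String EDU_PERSON_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7";
    static final Map<String, String> ENTITLEMENT_TO_AUTHORITY =
            Map.of("urn:mace:dir:entitlement:common-lib-terms", "ADMIN");

    // Pure mapping, easy to unit test: a missing attribute (null) or unknown values add nothing
    static List<GrantedAuthority> authoritiesFor(Collection<? extends GrantedAuthority> base, List<Object> entitlements) {
        List<GrantedAuthority> result = new ArrayList<>(base);
        if (entitlements == null) return result;
        for (Object value : entitlements) {
            String authority = ENTITLEMENT_TO_AUTHORITY.get(String.valueOf(value));
            if (authority != null) result.add(new SimpleGrantedAuthority(authority));
        }
        return result;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
        // The default converter validates the response and builds the principal; only the authorities change
        provider.setResponseAuthenticationConverter(responseToken -> {
            Saml2Authentication defaultAuth = OpenSaml4AuthenticationProvider
                    .createDefaultResponseAuthenticationConverter().convert(responseToken);
            Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) defaultAuth.getPrincipal();
            List<Object> entitlements = principal.getAttribute(EDU_PERSON_ENTITLEMENT);
            return new Saml2Authentication(principal, defaultAuth.getSaml2Response(),
                    authoritiesFor(defaultAuth.getAuthorities(), entitlements));
        });
        http.saml2Login(saml2 -> saml2.authenticationManager(new ProviderManager(provider)))
            .authorizeRequests().antMatchers("/attributes").hasAuthority("ADMIN")
                .anyRequest().authenticated();
    }
}
```

Because the mapping lives in authoritiesFor, the failure mode of a missing or unexpected attribute can be covered by a plain unit test without building a SAML response.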
The original page content is provided by Stack Overflow; translation is supported by Tencent Cloud's IT-domain engine.
Original link: https://stackoverflow.com/questions/70338287