我必须将我正在开发的应用程序集成到我无法控制的现有 SSO 中。
在上一个项目中,我使用的是
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.2.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
和:
<dependency>
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml2-core</artifactId>
<version>1.0.10.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml-dsl-core</artifactId>
<version>1.0.5.RELEASE</version>
</dependency>
其他依赖项。
在中继方生成的元数据文件中,我可以看到:
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
但现在我们决定升级到:
<spring-boot.version> 3.4.0-M3
<spring-security-saml2-core.version> 2.0.0.M31
<spring-security-saml-dsl-core.version> 1.0.5.RELEASE
<spring-security-saml2-service-provider.version> 6.4.0-M4
我已按照 Spring SAML2 文档 i 中所述进行操作。例如:
这是我的安全配置
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true)
public class SecurityConfig{
private static final String SAML_METADATA = "/saml/metadata";
@Autowired
PmaLdapValidationHandler pmaLdapValidationHandler;
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.saml2Metadata((saml2) -> saml2.metadataUrl(SAML_METADATA))
.saml2Login(withDefaults()).saml2Logout(withDefaults())
.logout(withDefaults())
.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated());
// @formatter:on
return http.build();
}
}
这是我的应用程序.yml:
logging.level.org.springframework.security: DEBUG
logging.level.org.springframework.security.saml2: DEBUG
spring:
mvc:
view:
prefix: /templates/
suffix: .pug
static-path-pattern: /static/**
security:
saml2:
relyingparty:
registration:
pma_web:
entity-id: "${sso.entity-id}"
signing:
credentials:
- private-key-location: classpath:saml/credentials/rp-private.key
certificate-location: classpath:saml/credentials/rp-certificate.crt
singlelogout:
binding: POST
url: "{baseUrl}/logout/saml2/slo"
assertingparty:
metadata-uri: classpath:saml/${env}/metadata.xml
datasource:
jndi-name: java:jboss/datasources/pma_web
jpa:
hibernate:
ddl-auto: update
properties:
hibernate:
dialect: org.hibernate.dialect.PostgreSQLDialect
pma-cmdb:
pma-keystore-key-alias: pma-jwt-signing-key
pma-keystore-password: pma-jwt-p422w0rd
但现在,这样的属性已经消失了:
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
我几乎尝试了一切来生成这些属性,但现在还不能。
我该怎么办?
我终于找到了方法。
在 SecurityConfig.java 文件中,您必须以这种方式自定义元数据响应解析器:
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true)
public class SecurityConfig{
private static final String SAML_METADATA = "/saml/metadata";
@Autowired
PmaLdapValidationHandler pmaLdapValidationHandler;
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
var metadataResolver = new OpenSaml4MetadataResolver();
metadataResolver.setEntityDescriptorCustomizer(edParameters -> {
var spssoDescriptor
= edParameters.getEntityDescriptor().getSPSSODescriptor(SAMLConstants.SAML20P_NS);
spssoDescriptor.setAuthnRequestsSigned(true);
spssoDescriptor.setWantAssertionsSigned(true);
});
var responseResolver
= new RequestMatcherMetadataResponseResolver(relyingPartyRegistrationRepository, metadataResolver);
responseResolver.setRequestMatcher(new AntPathRequestMatcher(SAML_METADATA));
// @formatter:off
http
.saml2Metadata((saml2) -> saml2.metadataResponseResolver(responseResolver))
.saml2Login(withDefaults()).saml2Logout(withDefaults())
.logout(withDefaults())
.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated());
// @formatter:on
return http.build();
}
}
这种方式会产生 SPSSODescriptor 中的属性:
请注意,'.saml2Metadata((saml2) -> saml2.metadataUrl(SAML_METADATA))'行被删除,因为responseResolver覆盖了之前定义的metadataUrl。
另请注意,这并不能确保断言/身份验证得到签名,将来也必须进行配置。
希望有帮助。