我已经在我的应用程序中配置了spring saml和spring security。我给出了不同的url模式来识别请求。如果我在app URL中附加/rest,那么它将创建带有基本身份验证的Spring Security上下文。如果我在应用程序URL中附加/saml,那么它将填充IDP登录页面并重定向到索引。成功登录后返回html。
但我被重定向到登录。再次使用html页面而不是索引。html。在eclipse调试并在各处放置一些日志之后,我发现没有可用的身份验证对象。
我已经阅读了这个jira链接并将Spring Security版本更新到3.1.4。发布,但它并没有解决我的问题。
经过一番努力,我发现saml安全上下文被filterChainProxy doFilter方法清除,并且设置身份验证为空,然后重定向到需要身份验证但不存在的安全目标url。因此它重定向到登录页面。
我在谷歌上搜索了很多,但没有找到任何使用saml身份验证通过j_spring_安全检查的方法。
我已经附上了我的saml安全。xml和Spring Security性。下面是xml文件
saml安全
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- Enable auto-wiring -->
<context:annotation-config/>
<!-- Scan for auto-wiring classes in spring saml packages -->
<context:component-scan base-package="org.springframework.security.saml"/>
<!-- Unsecured pages -->
<security:http security="none" pattern="/favicon.ico"/>
<security:http security="none" pattern="/images/**"/>
<security:http security="none" pattern="/css/**"/>
<security:http security="none" pattern="/logout.jsp"/>
<!-- Filters for processing of SAML messages -->
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant">
<security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
<security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
<security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
<security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
<security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
<security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
</security:filter-chain-map>
</bean>
<!-- Handler deciding where to redirect user after successful login -->
<bean id="successRedirectHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/index.html"/>
<property name="alwaysUseDefaultTargetUrl" value="true"/>
</bean>
<!--
Use the following for interpreting RelayState coming from unsolicited response as redirect URL:
<bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler">
<property name="defaultTargetUrl" value="/" />
</bean>
-->
<!-- Handler for successful logout -->
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/login.html"/>
</bean>
<!-- Register authentication manager with SAML provider -->
<security:authentication-manager id="samlAuthenticationManager">
<security:authentication-provider ref="samlAuthenticationProvider"/>
</security:authentication-manager>
<!-- Logger for SAML messages and events -->
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>
<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="file:///${user.home}/conf/samlKeyStore.jks"/>
<constructor-arg type="java.lang.String" value="nalle123"/>
<constructor-arg>
<map>
<entry key="apollo" value="nalle123"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="apollo"/>
</bean>
<!-- Entry point to initialize authentication, default values taken from properties file -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
<property name="defaultProfileOptions">
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
</bean>
</property>
</bean>
<!-- IDP Discovery Service -->
<bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
<!-- <property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp"/> -->
</bean>
<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="devenv.abc.com"/>
<property name="signMetadata" value="false"/>
</bean>
</constructor-arg>
</bean>
<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<constructor-arg>
<value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
</constructor-arg>
<constructor-arg>
<value type="int">500000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</list>
</constructor-arg>
</bean>
<!-- SAML Authentication Provider responsible for validating of received SAML messages -->
<bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
<property name="userDetails" ref="samlUserDetailsService" />
</bean>
<!-- Custom user details service to attach app specific roles to federated identities -->
<bean id="samlUserDetailsService" class="com.mercatus.security.MercatusSAMLUserDetailsService"/>
<!-- Provider of default SAML Context -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
<!-- Processing filter for WebSSO profile messages -->
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="samlAuthenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
</bean>
<!-- Processing filter for WebSSO Holder-of-Key profile -->
<bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
<property name="authenticationManager" ref="samlAuthenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="true"/>
</bean>
<!-- Override default logout processing filter with the one processing SAML messages -->
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
<constructor-arg ref="successLogoutHandler"/>
<constructor-arg ref="logoutHandler"/>
<constructor-arg ref="logoutHandler"/>
</bean>
<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
</bean>
<!-- Class loading incoming SAML messages from httpRequest stream -->
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg>
<list>
<ref bean="redirectBinding"/>
<ref bean="postBinding"/>
<ref bean="artifactBinding"/>
<ref bean="soapBinding"/>
<ref bean="paosBinding"/>
</list>
</constructor-arg>
</bean>
<!-- SAML 2.0 WebSSO Assertion Consumer -->
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 Web SSO profile -->
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 ECP profile -->
<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>
<!-- SAML 2.0 Logout Profile -->
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
</bean>
<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
<constructor-arg>
<bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
<constructor-arg>
<bean class="org.apache.commons.httpclient.HttpClient">
<constructor-arg>
<bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
</constructor-arg>
</bean>
</constructor-arg>
<property name="processor">
<bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg ref="soapBinding"/>
</bean>
</property>
</bean>
</constructor-arg>
</bean>
<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<!-- Initialization of OpenSAML library-->
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- Initialization of the velocity engine -->
<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>
<!-- XML parser pool needed for OpenSAML parsing -->
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize">
<property name="builderFeatures">
<map>
<entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
</map>
</property>
</bean>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
</beans>
还有我的Spring保安。xml文件如下所示
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<aop:aspectj-autoproxy/>
<!-- Definition for logging aspect -->
<bean id="assumptionAuditLogAspect" class="com.mercatus.audit.AssumptionAuditLogAspect"/>
<!-- Definition for project security aspect -->
<bean id="projectSecurityAspect" class="com.mercatus.web.security.ProjectSecurityAspect"/>
<!--Definition for SavedRequestAwareAuthenticationSuccessHandler -->
<bean id="mercatusSavedRequestHandler" class="com.mercatus.security.MercatusSavedRequestHandler"/>
<bean id="mercatusLogoutSuccessHandler" class="com.mercatus.security.MercatusLogoutSuccessHandler"/>
<bean id="mercatusAjaxTimeoutFilter" class="com.mercatus.security.MercatusAjaxTimeoutFilter"/>
<security:http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<security:anonymous enabled="false" />
<security:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<security:custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
</security:http>
<!-- SAML starts -->
<security:http pattern="/saml/**" entry-point-ref="samlEntryPoint">
<security:intercept-url pattern="/oauth/**" access="ROLE_USER" />
<security:intercept-url pattern="/rest/**" access="ROLE_USER" />
<security:intercept-url pattern="/saml" access="IS_AUTHENTICATED_FULLY"/>
<security:anonymous enabled="false" />
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
<!-- SAML ends -->
<security:http pattern="/rest/**" access-decision-manager-ref="accessDecisionManager">
<security:anonymous enabled="false" />
<security:form-login login-page="/login.html" authentication-success-handler-ref="mercatusSavedRequestHandler"
authentication-failure-url="/login.jsp?login_error=true"/>
<security:intercept-url pattern="/rest/**" access="ROLE_USER" />
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="mercatusAjaxTimeoutFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler"/>
</security:http>
<security:http access-denied-page="/login.jsp?login_error=true">
**<security:intercept-url pattern="/index.html" access="ROLE_USER" />**
<security:intercept-url pattern="/saml/**" access="ROLE_USER" />
<security:intercept-url pattern="/oauth/**" access="ROLE_USER" />
<security:intercept-url pattern="/customer/*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:form-login login-page="/login.html" authentication-success-handler-ref="mercatusSavedRequestHandler"
authentication-failure-url="/login.jsp?login_error=true"/>
<security:logout delete-cookies="true" invalidate-session="true" logout-success-url="/login.html"/>
<security:anonymous />
</security:http>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientDetailsUserService" />
</security:authentication-manager>
<oauth2:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler">
<oauth2:authorization-code />
<oauth2:implicit />
<oauth2:refresh-token />
<oauth2:client-credentials />
<oauth2:password />
</oauth2:authorization-server>
<oauth2:resource-server id="resourceServerFilter"
resource-id="mercatus" token-services-ref="tokenServices" />
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<security:global-method-security pre-post-annotations="enabled"/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="mercatusAuthenticationProvider" />
</security:authentication-manager>
<bean id="mercatusAuthenticationProvider" class="com.mercatus.security.MercatusAuthenticationProvider" />
</beans>
谁能帮我解决这个问题。提前感谢。
经过将近一周的努力,我终于解决了这个问题。
在通过eclipse进行调试时,我在SAMLAuthenticationProvider中找到了根本原因,有一个方法GetRights
导致了问题。
protected Collection<? extends GrantedAuthority> getEntitlements(SAMLCredential credential, Object userDetail) {
if (userDetail instanceof UserDetails) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.addAll(((UserDetails) userDetail).getAuthorities());
return authorities;
} else {
return Collections.emptyList();
}
}
这里检查userDetail对象是否是UserDetails类的实例,然后返回所有权限列表,否则将返回空的权限列表。
基于表单的身份验证可以返回User详情
对象,但如果用户通过IDP登录发起SSO,则将返回UsernamePasswordAuthenticationToken
类型的对象。因此,它使用userDetail对象获取grantedAuthourity的空列表。
因此,我在应用程序中扩展了SAMLAuthenticationProvider
,并覆盖了下面的方法
@Override
public Collection<? extends GrantedAuthority> getEntitlements(SAMLCredential credential, Object userDetail)
{
logger.info("****** object is instance of UserDetails :"+ (userDetail instanceof UserDetails));
if (userDetail instanceof UserDetails)
{
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.addAll(((UserDetails) userDetail).getAuthorities());
return authorities;
}
else if(userDetail instanceof UsernamePasswordAuthenticationToken)
{
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.addAll(((UsernamePasswordAuthenticationToken) userDetail).getAuthorities());
return authorities;
} else {
return Collections.emptyList();
}
}
然后我用我的自定义SAMLUserDetailsService类引用将我的自定义身份验证提供者引用saml-security.xml文件中。
<bean id="samlAuthenticationProvider" class="com.mercatus.security.MercatusSAMLAuthenticationProvider">
<property name="userDetails" ref="samlUserDetailsService" />
</bean>
<bean id="samlUserDetailsService" class="com.mercatus.security.MercatusSAMLUserDetailsService"/>
上面的配置救了我。我可以在登录后访问受保护的资源。
我花了整整一周的时间在FilterChainProxy内部调试,许多其他过滤器,因为拦截器URL它被重定向到FilterChainProxy。
我发布详细信息是因为它可能对其他面临类似问题的人有所帮助。
我正在尝试用我的应用程序测试和调试SAML身份验证。我目前没有自己的SAML IDP,因此我正在尝试使用免费/开放的SAML IDP提供商进行测试。 目前我正在用SSOCircle测试:https://www.ssocircle.com/ 在与该提供商登录后进行测试时,我会得到: 发生错误 原因:无法进行单点登录或联合。 请启用“我的调试”中的附加调试选项。只有付费帐户才能提供详细的跟踪信息。检查
在从主机推送docker映像(成功登录后)时,我得到了“未经授权:需要身份验证”。 详情如下。 Docker版本:1.9.1(客户端和服务器) /var/log/messages显示403,我不知道这个docker。见下文。 非常感谢您的帮助,如果您需要更多信息,请告诉我。我也用-f推了推。不走运!
该应用程序应该接受用户电子邮件和密码,并使用Firebase身份验证作为后端。我使用像素2作为模拟器。每次应用程序处理登录功能时,它都会崩溃。 下面是Java文件和gradle文件 Java文件:
本文向大家介绍php面向对象的用户登录身份验证,包括了php面向对象的用户登录身份验证的使用技巧和注意事项,需要的朋友参考一下 本文实例为大家分享了php用户登录身份验证的具体代码,供大家参考,具体内容如下 一、代码 conn.php index.php 二、运行结果 以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持呐喊教程。
现在,使用这些标记,我在api文件中创建了一个函数,但它将<code>0 函数代码: 那么,如何使用WordPress hook<code>wp_get_current_user()获取登录用户数据呢? 其次,我如何使< code > jwt-auth/v1/token API动态获取用户名和密码? P. S我在htacceess文件中添加了ReWriteCond和ReWriteRur,并且在我的
我正在尝试为自己构建一个仪表板,为我使用的一些应用程序提供基于SAML的身份验证。 从我作为测试平台构建的: 我正在使用一个登录名作为我要使用的应用程序的身份提供者。 举个例子:对于Netflix,我被重新路由到Netflix页面,我的用户ID和密码被预先填入其中,就像密码管理器的工作方式一样。(它使用OneLogin的扩展名) Netflix是否允许基于SAML的单点登录身份验证?我无法从谷歌搜