Okta-api - Issue using Spring-security SAML with CSRF


Question

I have gone through the steps listed in the document -

Everything works fine and I see the SAML response getting generated and the redirection happening from OKTA to the application, but when the request reaches the application, I get this error -

type=Forbidden, status=403). Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

I have tried disabling CSRF, but then it goes into an infinite loop with the SAML redirection.

Here's SecurityConfiguration.java -

package com.example;

import static org.springframework.security.extensions.saml2.config.SAMLConfigurer.saml;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Value("${security.saml2.metadata-url}")
    String metadataUrl;

    @Value("${server.ssl.key-alias}")
    String keyAlias;

    @Value("${server.ssl.key-store-password}")
    String password;

    @Value("${server.port}")
    String port;

    @Value("${server.ssl.key-store}")
    String keyStoreFilePath;

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/saml*").permitAll()
                .anyRequest().authenticated()
                .and()
            .apply(saml())
                .serviceProvider()
                    .keyStore()
                        .storeFilePath("saml/keystore.jks")
                        .password(this.password)
                        .keyname(this.keyAlias)
                        .keyPassword(this.password)
                        .and()
                    .protocol("https")
                    .hostname(String.format("%s:%s", "10.200.10.10", this.port))
                    .basePath("/")
                    .and()
                .identityProvider()
                .metadataFilePath(this.metadataUrl);
    }
}

Any suggestions are appreciated.

Recommended answer

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**").authorizeRequests().antMatchers("/saml").permitAll()
            .anyRequest().authenticated().and().csrf().csrfTokenRepository(getCsrfTokenRepository());
}

// Keep the CSRF token in a cookie that JavaScript can read (httpOnly=false),
// so the front end can echo it back in the X-XSRF-TOKEN header.
private CsrfTokenRepository getCsrfTokenRepository() {
    CookieCsrfTokenRepository tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
    tokenRepository.setCookiePath("/");
    return tokenRepository;
}

Add a CSRF cookie. On the front end, if you are using Angular, just import HttpClientXsrfModule. This will fetch the cookie value and set the X-XSRF-TOKEN request header.

@Note: The configuration for SAML login will still be the same. The above code shows how to add the CSRF token.
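The 403 in the question comes from the CsrfFilter rejecting Okta's cross-site POST of the SAMLResponse to the SP endpoint, which cannot carry the application's CSRF token. The configuration below is an added example (not the questioner's or answerer's code) that keeps CSRF protection on for the rest of the application and exempts only the SAML endpoints, whose integrity rests on the IdP's signature instead; the `/saml/**` path, keystore values, hostname and metadata URL are assumed placeholders.

```java
package com.example;

import static org.springframework.security.extensions.saml2.config.SAMLConfigurer.saml;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // SP endpoints (metadata, SSO/ACS, logout) must be reachable before login.
                // Assumed path prefix; check the paths your SAML DSL version registers.
                .antMatchers("/saml/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .csrf()
                // Okta posts the SAMLResponse cross-site, so the ACS request can never carry
                // our token. Exempt only that prefix; every other state-changing request
                // stays CSRF-protected instead of disabling the filter globally.
                .ignoringAntMatchers("/saml/**")
                // Readable cookie so a JS front end (e.g. Angular HttpClientXsrfModule)
                // can send the token back in the X-XSRF-TOKEN header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .apply(saml())
                .serviceProvider()
                    .keyStore()
                        .storeFilePath("saml/keystore.jks")   // placeholder keystore
                        .password("changeit")                 // placeholder
                        .keyname("sp-key")                    // placeholder alias
                        .keyPassword("changeit")              // placeholder
                        .and()
                    .protocol("https")
                    .hostname("sp.example.com:8443")          // placeholder SP host:port
                    .basePath("/")
                    .and()
                .identityProvider()
                    // placeholder; use the metadata URL shown in your Okta app
                    .metadataFilePath("https://example.okta.com/app/PLACEHOLDER/sso/saml/metadata");
    }
}
```

Because the exemption is path-scoped, a POST anywhere else without a valid token still gets the 403 from the question, which is the behaviour you want to keep.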
