如何在Spring Security预身份验证中为Siteminder验证SM_USER标头 [英] How to validate SM_USER header in Spring Security preauthentication for siteminder
问题描述
我正在尝试使用用于Siteminder的预身份验证安全性来创建安全的Spring Rest API.
I 'm trying to create a secure spring rest api using pre-authentication security for siteminder.
我已经尝试了一种解决方案,在其中我得到了SM_USER,并且当我在邮递员中通过添加具有随机值的新标头SM_USER对其进行测试时,它似乎可以正常工作.
I 've tried a solution where I 'm getting SM_USER and when I tested it in postman by adding new header SM_USER with random value it seems to work fine.
如果您不提供标头,则会收到错误org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException:在请求中找不到有效的SM_USER标头.
If you don't provide header I'm getting an error org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException: SM_USER header not found in request which is valid.
但是我如何确定这是安全的呢?如果有人知道我的rest api的URL可以毫无问题地调用它.我应该在春季检查其他内容,还是只有siteminder提供用户身份验证?
But how can I be sure that this is secure? if someone knows the URL of my rest api could call this without problem. Should I check something else in spring or only siteminder offers user authentication?
推荐答案
前端SiteMinder Web代理保证会话有效-您必须通过服务器/网络配置确保您的应用程序必须先通过SiteMinder Web代理才能直接访问.
The front-end SiteMinder web agent is the guaranty that the session is valid - you must make sure via server/network configuration that your application cannot be accessed directly without first passing through the SiteMinder web agent.
此外,SiteMinder声明多个标头. SM_USER不应单独使用,因为在某些情况下,当用户实际上没有有效的会话时,Web代理可以声明SM_USER.相反,您应该首先查找SM_SERVERSESSIONID的存在(非空白),仅当会话有效时才存在.
Also, SiteMinder asserts multiple headers. SM_USER should not be used alone because it can be asserted by the web agent in some circumstances when the user does not actually have a valid session. Instead, you should first look for the existence (non-blank) of SM_SERVERSESSIONID, which only exists if the session is valid.
最后,我通常会尝试完全避免使用SM_USER-因为SM_USER实际上根本不是用户属性,而是用于身份验证的登录标识符".如果SiteMinder通过联合身份验证(例如SAML)或x509身份验证对用户进行身份验证,则SM_USER与使用登录表单时将大不相同.相反,最好在SiteMinder中设置作为用户属性的通用ID",并在标题中将其显示为SM_UNIVERSALID.您的SiteMinder管理员将知道如何执行此操作(并且可能已经知道-查看您是否已有SM_UNIVERSALID标头可用).
Lastly, I generally try to avoid SM_USER at all - because SM_USER is actually not a user attribute at all, but rather is "the login identifier used for authentication". If SiteMinder authenticates users via federation (e.g. SAML) or x509 authentication, SM_USER will be rather different than if a login form was used. Instead, its better in SiteMinder to set a "universal id" that is a user attribute, and appears in the headers as SM_UNIVERSALID. Your SiteMinder administrators will know how to do this (and may already have - look to see if you have a SM_UNIVERSALID header available already).
另请注意,在某些SiteMinder配置中,下划线将不在标题名称中(在SiteMinder中使用下划线称为旧式"标题模式),因此您可能希望使应用程序相对于标头名称,例如SMSERVERSESSIONID,SMUSER,SMUNIVERSALID等
One other caution, in some SiteMinder configurations, the underscore will not be in the header name (use of the underscore is called "legacy" header mode in SiteMinder), so you might want to make your app configurable with respect to the header names, e.g. SMSERVERSESSIONID, SMUSER, SMUNIVERSALID etc.
如果要以编程方式重新验证会话,则可以使用SiteMinder代理API或REST API,或者查看我公司的产品"SSO/Rest",该产品为SiteMinder和其他产品提供了一套全面的统一REST接口SSO提供程序( http://www.idfconnect.com ).
If you want to programmatically re-validate a session, you can use the SiteMinder Agent API or REST API, or look at my company's product "SSO/Rest" which provides a comprehensive set of uniform REST interfaces to SiteMinder and also other SSO providers (http://www.idfconnect.com).
HTH!
-理查德
这篇关于如何在Spring Security预身份验证中为Siteminder验证SM_USER标头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
