处理SAML重定向的Ajax请求 [英] Handling SAML Redirects on AJAX Requests
问题描述
我有几个AngularJS的应用程式使用Spring / Java和SAML 2.0 SSO(利用Spring Security的SAML扩展名)。我的SSO ID提供商OpenAM和一切工作pretty好。然而,我遇到的情况,当用户从一个应用程序中做了全局注销,但有其他选项卡中打开。由于这些是单个页面的Web应用程序,直到用户做一些事情来调用Ajax请求了很多功能可能仍然是孤立的标签使用。当然,这些AJAX请求得到由Spring Security的SAML过滤器拦截,并触发通过重定向到OpenAM登录网址认证尝试。当然,这打乱了浏览器重定向以来到另一个域不允许在AJAX请求。此外,我真的不能做角的东西$ HTTP拦截的请求被取消,没有质量信息在$ HTTP错误回调函数可用(如便利四百零三分之四百零一状态code)。我所知道的是,请求失败。
I have several AngularJS apps all using Spring/Java and SAML 2.0 for SSO (leveraging the Spring Security SAML extension). My SSO id provider is OpenAM and everything is working pretty well. However, I am running into a situation when a user does a global logout from within one application but has other tabs open. Since these are single page web apps, a lot of functionality may still be usable in the orphaned tabs UNTIL, the user does something to invoke an ajax request. Of course, these AJAX requests get intercepted by the Spring Security SAML filters and triggers an authentication attempt via a REDIRECT to the OpenAM login URL. Of course, this wreaks havoc in the browser since redirects to another domain aren't allowed on AJAX requests. Furthermore, I can't really do anything with Angular's $http interceptors as the requests are 'canceled' and no quality information is available in the $http error callback function (such as a convenient 401/403 status code). All I know is that the request failed.
我不想假设所有不好的$ HTTP请求是由于身份验证问题(并做了$ window.location.reload()),因为有可能是失败的正当理由。我的preference是燮preSS Spring Security的重定向(以OpenAM登录页)的Ajax请求,相反,发回四百零三分之四百零一状态code。这将让我来处理在$ HTTP拦截的错误,做一个完整的页面加载,如果它是一种身份验证失败,从而优雅地重定向到登录页面,如果他们要到现场为第一次。
I don't want to assume that all bad $http requests are due to authentication problems (and do a $window.location.reload()) as there could be legitimate reasons for failure. My preference is to suppress the Spring Security redirect (to OpenAM login page) for ajax requests and, instead, send back a 401/403 status code. This would allow me to handle the error in the $http interceptor and do a full page load if it is an authentication failure, thus elegantly redirecting to the login page as if they were going to the site for the first time.
有关如何做到这一点任何想法?
Any ideas for how to accomplish this?
推荐答案
这个bean负责认证和决定返回一个HTTP错误,执行重定向的初始化,...是的AuthenticationEntryPoint的一个实例。要改变它的行为,您可以:
The bean responsible for initialization of authentication and decision to return an HTTP error, perform a redirect, ... is an instance of AuthenticationEntryPoint. To change its behavior you can either:
- 自定义当前
SAMLEntryPoint(延长开始法),并覆盖的情况下,请求的默认行为是一个AJAX从角调用,所以它返回,而不是执行重定向到IDP HTTP错误 - 或定义另一个
安全性:HTTP元素在Spring上下文(当前的前),它仅覆盖您的AJAX请求(例如,使用属性模式=/ API / **),并使用一个切入点其行为在你想要的方式(请参阅Http403ForbiddenEntryPoint)
- customize the current
SAMLEntryPoint(extend thecommencemethod) and override the default behavior in case request is an AJAX call from Angular, so it returns an HTTP error instead of performing redirect to IDP - or define another
security:httpelement in your Spring context (before the current one) which only covers your AJAX requests (e.g. with attributepattern="/api/**") and uses an entry point which behaves in the way you want (seeHttp403ForbiddenEntryPoint)
这篇关于处理SAML重定向的Ajax请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
