Combine database and SAML authentication in one application using Spring Security


Problem description

I am trying to implement authentication and authorization in a Spring Boot (2.2.4) app using Spring Security (spring-security-starter).

Use case: Based on the username, I want to redirect the user to the specific authentication provider

  • If the username ends with 'mit.com', authenticate the user using the database (I am using Hibernate). For this, I can use Spring's UserDetailsService
  • If the username ends with 'einfochips.com', authenticate the user using the SAML 2.0 protocol, using an identity provider like Okta, SSOCircle, OneLogin etc.

I am not able to work out how I can do it. I tried using a custom filter but couldn't do it.

I have gone through many articles but couldn't achieve this.

I wrote the code below for authentication using only SAML. It is working fine, taking the user to the Okta IdP for login.

package com.example.demo;

import static org.springframework.security.extensions.saml2.config.SAMLConfigurer.saml;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    SAMLUserDetailsService userDetailsService;

    @Value("${security.saml2.metadata-url}")
    String metadataUrl;

    @Value("${server.ssl.key-alias}")
    String keyAlias;

    @Value("${server.ssl.key-store-password}")
    String password;

    @Value("${server.port}")
    String port;

    @Value("${server.ssl.key-store}")
    String keyStoreFilePath;   

    // Using SAML 2.0
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .anyRequest().authenticated()
                .and()
            .apply(saml())
                .serviceProvider()
                    .keyStore()
                        .storeFilePath(this.keyStoreFilePath)
                        .password(this.password)
                        .keyname(this.keyAlias)
                        .keyPassword(this.password)
                        .and()
                    .protocol("https")
                    .hostname(String.format("%s:%s", "localhost", this.port))
                    .basePath("/")
                    .and().userDetailsService(userDetailsService)
                .identityProvider()
                .metadataFilePath(this.metadataUrl);
    }

}

Can anybody guide me so that I can configure it in such a way that I can use any IdP like Okta, SSOCircle, OneLogin etc.?

Recommended answer

Utilize Spring Security's AuthenticationProvider to implement multiple custom authentication providers and register them in the appropriate order (they're evaluated in order).

A custom database auth provider

public class MitComAuthProvider implements AuthenticationProvider {
   public Authentication authenticate(Authentication auth) {
      // if user matches 'mit.com', auth with database
      // look up and auth
      // else return null (to try next auth provider)
   }
}

A custom SAML Authentication Provider (provided with Spring Security & implements AuthenticationProvider).

public class EInfoChipsAuthProvider extends SAMLAuthenticationProvider {
   public Authentication authenticate(Authentication auth) {
      // if user matches 'einfochips.com', auth with SAML
      // super.authenticate(auth)
      // else return null (to try next auth provider) or throw auth exception
   }
}

Then, in your WebSecurityConfigurerAdapter

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

   @Autowired
   private MitComAuthProvider mitComAuthProvider;

   @Autowired
   private EInfoChipsAuthProvider eInfoChipsAuthProvider;

   public void configure(AuthenticationManagerBuilder auth) throws Exception {
       auth.authenticationProvider(mitComAuthProvider);
       auth.authenticationProvider(eInfoChipsAuthProvider);
   }

   ...
}
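
A fuller version of the database provider sketched in the answer, as an added example that is not part of the original answer. It assumes that a `UserDetailsService` bean and a `PasswordEncoder` bean exist in the application, delegates the password check to Spring Security's `DaoAuthenticationProvider`, and matches the full `@mit.com` domain (an assumption made here) so that a name such as `bob@notmit.com` is not routed to the database:

```java
package com.example.demo;

import java.util.Locale;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

@Component
public class MitComAuthProvider implements AuthenticationProvider {

    // Assumed routing rule: compare the whole domain after '@', not a bare
    // "mit.com" suffix, which would also accept "bob@notmit.com".
    private static final String DOMAIN_SUFFIX = "@mit.com";

    private final DaoAuthenticationProvider delegate = new DaoAuthenticationProvider();

    public MitComAuthProvider(UserDetailsService userDetailsService, PasswordEncoder passwordEncoder) {
        delegate.setUserDetailsService(userDetailsService); // assumed bean, e.g. Hibernate-backed
        delegate.setPasswordEncoder(passwordEncoder);       // assumed bean, e.g. BCryptPasswordEncoder
    }

    @Override
    public Authentication authenticate(Authentication auth) {
        String name = auth.getName();
        if (name == null || !name.toLowerCase(Locale.ROOT).endsWith(DOMAIN_SUFFIX)) {
            return null; // not a mit.com user: ProviderManager tries the next provider
        }
        // Unknown user or wrong password surfaces as an AuthenticationException.
        return delegate.authenticate(auth);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only username/password logins are candidates for the database check.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```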
