Spring Security: Different authentication methods depending on entity

Views: 511

Question

First post here, hope I'm doing it right.

In a project, we have a scenario where we have a single web application with multiple entities. Currently, the login is managed via the default JDBC Spring Security provider, and it is working fine.

For a new requirement, we need each entity to be able to have its own login method (currently 2 methods would be available: the JDBC one, which is the current one, and the second method would be authentication via SAML, with each entity defining its own IdP, but this is another story).

I need some guidelines on how this can be achieved. I have done some searching and I have found providers for different URLs, etc... but not different login methods for the same app and URLs depending on the user type or entity.

Is it a good approach to have a custom single entry point where we can check the user's entity and then use the suitable authentication provider?

Kind regards,

Alex

Answer

As each of your users might be using a different IDP, you will in any case need to determine the username before proceeding with initialization of the authentication process, but you already know this.

One approach to take (similar to what Microsoft is using with Office 365 for corporate users) is:


  • display a login page with fields for the standard username + password
  • once the user enters the username and blurs the input field, you make an AJAX call (to your custom API made for this purpose) and fetch information about the authentication type + IDP to use for this user
  • in case the type is password, you simply let the user continue with filling in the password field and POST to the same place as you're used to for processing with the JDBC provider
  • in case the type is federated authentication, you initialize authentication with the correct IDP by redirecting to /saml/login?idp=xyz and continue with the SAML flow

It's possible to avoid any APIs by submitting the form once the user enters the username, or by letting the user click a "Continue" button. It would then make sense to use a custom EntryPoint which:


  • redirects the user to the main login page in case no username was provided
  • displays the login page with username/password, or redirects to the correct IDP, once the username is provided
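As an added example (not code from the answer or the original poster), here is one way to write the custom EntryPoint the answer describes, assuming Spring Security 6 on the Jakarta servlet API and a hypothetical `LoginMethodResolver` that maps a username to its entity's login method. The IdP alias is checked against an allow-list of configured IdPs before it is placed in the redirect, and unknown usernames get the plain password form so this step does not confirm which accounts exist.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import java.util.Set;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/** Entry point that picks the login flow from the submitted username (hypothetical names). */
public class EntityAwareEntryPoint implements AuthenticationEntryPoint {
    public enum AuthType { PASSWORD, SAML }

    /** Login method of a user's entity; idpAlias is only meaningful for SAML. */
    public record LoginMethod(AuthType type, String idpAlias) {}

    /** Assumed lookup (e.g. a JDBC query on the user's entity); not part of Spring Security. */
    public interface LoginMethodResolver {
        Optional<LoginMethod> resolve(String username);
    }

    private final LoginMethodResolver resolver;
    private final Set<String> configuredIdpAliases; // allow-list of IdPs registered in the app

    public EntityAwareEntryPoint(LoginMethodResolver resolver, Set<String> configuredIdpAliases) {
        this.resolver = resolver;
        this.configuredIdpAliases = configuredIdpAliases;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        String username = request.getParameter("username");
        if (username == null || username.isBlank()) {
            // No username yet: send the user to the page that only asks for it
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        // Unknown usernames fall back to the password form, so this step reveals no account list
        LoginMethod method = resolver.resolve(username.trim())
                .orElse(new LoginMethod(AuthType.PASSWORD, null));
        if (method.type() == AuthType.SAML && configuredIdpAliases.contains(method.idpAlias())) {
            // Federated entity: hand off to the SAML flow of that entity's (allow-listed) IdP
            String idp = URLEncoder.encode(method.idpAlias(), StandardCharsets.UTF_8);
            response.sendRedirect(request.getContextPath() + "/saml/login?idp=" + idp);
            return;
        }
        // Password entity: show the username + password form that posts to the JDBC-backed login
        String user = URLEncoder.encode(username.trim(), StandardCharsets.UTF_8);
        response.sendRedirect(request.getContextPath() + "/login?username=" + user);
    }
}
```

Register the bean with `exceptionHandling(e -> e.authenticationEntryPoint(...))` in your security configuration, and keep the username-only form and the full login form on the same `/login` page so the first redirect needs no extra API.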
