定义HTTP路由仅用于"内部"使用Spring Security的请求

时间:2014-04-30 14:33:00

标签: java spring spring-mvc saml-2.0 spring-saml

我的问题似乎有些奇怪,但我想更好地了解Spring Security的工作原理。

我的情况如下......

通过使用 Spring Security Spring SAML ,我定义了一个入口点,一些模式和过滤器,以便正确管理 http 请求。 

<!-- Secured pages -->
<security:http entry-point-ref="samlEntryPoint"
    use-expressions="true">
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/saml/**" access="permitAll" />
    <security:intercept-url pattern="/metadata" access="permitAll" />
    <security:intercept-url pattern="/metadata/**" access="permitAll" />
    <security:intercept-url pattern="/info" access="isAuthenticated()" />
    <security:intercept-url pattern="/signup/sso" access="permitAll" />
    <security:custom-filter before="FIRST"
        ref="metadataGeneratorFilter" />
    <security:custom-filter after="BASIC_AUTH_FILTER"
        ref="samlFilter" />
</security:http>

<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map request-matcher="ant">
        <security:filter-chain pattern="/saml/login/**"
            filters="samlEntryPoint" />
        <security:filter-chain pattern="/saml/logout/**"
            filters="samlLogoutFilter" />
        <security:filter-chain pattern="/saml/metadata/**"
            filters="metadataDisplayFilter" />
        <security:filter-chain pattern="/saml/SSO/**"
            filters="samlWebSSOProcessingFilter" />
        <security:filter-chain pattern="/saml/SSOHoK/**"
            filters="samlWebSSOHoKProcessingFilter" />
        <security:filter-chain pattern="/saml/SingleLogout/**"
            filters="samlLogoutProcessingFilter" />
        <security:filter-chain pattern="/saml/discovery/**"
            filters="samlIDPDiscovery" />
    </security:filter-chain-map>
</bean>

然后,我还定义了 IdP发现服务

<!-- IDP Discovery Service -->
<bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
    <property name="idpSelectionPath" value="/sso/idpSelection" />
</bean>

最后,我实施了一个网络控制器来向/sso/idpSelection提供http请求:

@Controller
@RequestMapping("/sso")
public class SSOController {
    // Logger
    private static final Logger LOG = LoggerFactory.getLogger(SSOController.class);

    @Autowired
    private ServletContext servletContext;

    @RequestMapping(value = "/idpSelection", method = RequestMethod.GET)
    public String idpSelection(HttpServletRequest request, Model model) {           
        WebApplicationContext context = WebApplicationContextUtils
                .getWebApplicationContext(request.getServletContext());
        MetadataManager metadataManager = context.getBean("metadata", MetadataManager.class);
        Set<String> idps = metadataManager.getIDPEntityNames();
        for (String idp : idps)
            LOG.info("Configured Identity Provider for SSO: " + idp);
        model.addAttribute("idp", idps);
        return "sso/idpselection";
    }
}

当匿名用户尝试访问受保护的页面时,过滤器会将其请求重定向到/saml/discovery,因此IdP发现服务会调用控制器/sso/idpSelection

很明显,路由/sso/idpSelection只能由IdP发现服务使用,作为内部资源。

有没有办法拒绝直接访问请求(例如通过浏览器),但同时允许内部进程的路由?

1 个答案:

答案 0 :(得分:2)

当将用户发送到/ sso / idpSelection时,SAMLDiscovery会转发。这意味着您可以以编程方式禁止用户直接使用以下方式访问页面:

@RequestMapping(value = "/idpSelection", method = RequestMethod.GET)
public String idpSelection(HttpServletRequest request, Model model) {  
   if (request.getAttribute("javax.servlet.forward.request_uri") == null) {
       // Deny access
   }
   ...
}

在调用requestDispatcher的forward方法时,容器会自动设置属性“javax.servlet.forward.request_uri”,因此不会出现在直接请求中。自Servlet 2.4以来,该功能可用。

相关问题
最新问题