Adding request parameters to the SAML request with Spring Security SAML

Time: 2015-03-25 11:38:11

Tags: spring-saml

I need to add a request parameter (e.g. locale=en) to the SAML request so that the login page is displayed in the correct language. How can I do this?

I tried adding the attribute to the HttpServletRequest that is passed as a parameter to the commence method (SamlEntryPoint), but that does not seem to work.

Any suggestions?

1 answer:

Answer 0 (score: 4)

SAML provides a standard mechanism for extending the content sent in the authentication request: the Extensions element.

In order to use it you need to agree with your IDP on the data you send and its format. In Spring SAML you can customize its content by extending class WebSSOProfileImpl, for example:

package com.v7security.saml;

import org.opensaml.common.SAMLException;
import org.opensaml.saml2.common.Extensions;
import org.opensaml.saml2.common.impl.ExtensionsBuilder;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.schema.XSAny;
import org.opensaml.xml.schema.impl.XSAnyBuilder;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

/**
 * Class adds additional extensions element to the AuthnRequest sent to IDP.
 */
public class WebSSOProfile extends WebSSOProfileImpl {

    @Override
    protected AuthnRequest getAuthnRequest(SAMLMessageContext context, WebSSOProfileOptions options, AssertionConsumerService assertionConsumer, SingleSignOnService bindingService) throws SAMLException, MetadataProviderException {
        AuthnRequest authnRequest = super.getAuthnRequest(context, options, assertionConsumer, bindingService);
        authnRequest.setExtensions(buildExtensions());
        return authnRequest;
    }

    protected Extensions buildExtensions() {

        XSAny languageClass = new XSAnyBuilder().buildObject("http://www.v7security.com/schema/2015/04/request", "RequestLanguage", "req");
        languageClass.setTextContent("urn:v7security:request:lang:english");

        Extensions extensions = new ExtensionsBuilder().buildObject();
        extensions.getUnknownXMLObjects().add(languageClass);
        return extensions;

    }

}

Another option is to send the data in the relayState, which is a piece of information the SP can send to the IDP and expect to get back (typically SP state). The value should be opaque to the IDP, but of course it can process it in any way you want. For details on setting the relay state, see the chapter on SP initialized SSO in the manual.

Setting request parameters on the HttpRequest object will have no effect; Spring SAML does not automatically convey these parameters in any way.

HTTP parameters can be added to requests sent through the HTTP-Redirect binding by extending class HTTPRedirectDeflateEncoder and overriding method buildRedirectURL. The new class can then be supplied to the constructor of HTTPRedirectDeflateBinding and replace the redirectBinding bean in securityContext.xml as follows:

<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
    <constructor-arg>
        <bean class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
            <constructor-arg name="pool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="com.custom.HTTPRedirectDeflateEncoder"/>
    </constructor-arg>
</bean>
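The second approach described in the answer, as an added example that is not the answerer's code: a com.custom.HTTPRedirectDeflateEncoder that appends an allow-listed locale parameter to the redirect URL. It assumes OpenSAML 2.x, where the overridden method is buildRedirectURL(SAMLMessageContext, String, String); the locale parameter name and the allow-list are hypothetical choices for the example.

```java
package com.custom;

import java.util.Arrays;
import java.util.List;

import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.transport.http.HTTPInTransport;

/**
 * Redirect encoder that appends a "locale" query parameter to the URL that
 * OpenSAML builds for the HTTP-Redirect binding. Hypothetical example class;
 * it matches the class name used in the redirectBinding bean above.
 */
public class HTTPRedirectDeflateEncoder
        extends org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder {

    /** Only these values are forwarded: the value originates from the user's
     *  request, so it is allow-listed rather than copied verbatim into the redirect. */
    private static final List<String> ALLOWED_LOCALES = Arrays.asList("en", "de", "fr");

    @Override
    protected String buildRedirectURL(SAMLMessageContext messageContext, String endpointURL, String message)
            throws MessageEncodingException {
        // Superclass produces endpointURL?SAMLRequest=...&RelayState=...&SigAlg=...&Signature=...
        String url = super.buildRedirectURL(messageContext, endpointURL, message);
        String locale = requestedLocale(messageContext);
        if (locale == null) {
            return url;
        }
        // The extra parameter is not covered by the redirect-binding signature,
        // so the IDP can only treat it as an unauthenticated display hint.
        return url + (url.indexOf('?') >= 0 ? "&" : "?") + "locale=" + locale;
    }

    /** Reads the "locale" parameter from the inbound HTTP request that triggered SSO, if any. */
    private String requestedLocale(SAMLMessageContext messageContext) {
        if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) {
            return null;
        }
        HTTPInTransport in = (HTTPInTransport) messageContext.getInboundMessageTransport();
        String value = in.getParameterValue("locale");
        if (value != null && ALLOWED_LOCALES.contains(value.toLowerCase())) {
            return value.toLowerCase();
        }
        return null;
    }
}
```

The inbound transport is available because Spring SAML's context provider wraps the triggering HttpServletRequest into the message context before the encoder runs; the IDP must be configured separately to read the locale parameter.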