我正在使用Spring Security SAML 1.0.1。我的应用程序使用此XML来配置SAMLAuthenticationProvider bean:
<!-- SAML Authentication Provider responsible for validating of received SAML messages -->
<b:bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
<!-- OPTIONAL property: can be used to store/load user data after login -->
<b:property name="userDetails">
<b:bean class="eu.ueb.acem.services.auth.SamlAuthenticationUserDetailsService"/>
</b:property>
<b:property name="forcePrincipalAsString" value="false"/>
</b:bean>
“SamlAuthenticationUserDetailsService”类实现了loadUserBySAML(SAMLCredential)方法。如果数据库中不存在该用户,则会创建该用户。
@Override
public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
logger.info("entering loadUserBySAML({})", credential);
String userID = credential.getNameID().getValue();
logger.info("{} is logged in", userID);
Map<String, String> mapOfAttributesFriendlyNamesAndValues = new HashMap<String, String>();
mapOfAttributesFriendlyNamesAndValues.put("eduPersonAffiliation", null);
mapOfAttributesFriendlyNamesAndValues.put("eduPersonPrincipalName", null);
mapOfAttributesFriendlyNamesAndValues.put("eduPersonPrimaryAffiliation", null);
mapOfAttributesFriendlyNamesAndValues.put("supannEtablissement", null);
mapOfAttributesFriendlyNamesAndValues.put("supannEntiteAffectationPrincipale", null);
mapOfAttributesFriendlyNamesAndValues.put("supannOrganisme", null);
mapOfAttributesFriendlyNamesAndValues.put("displayName", null);
mapOfAttributesFriendlyNamesAndValues.put("mail", null);
mapOfAttributesFriendlyNamesAndValues.put("givenName", null);
mapOfAttributesFriendlyNamesAndValues.put("sn", null);
mapOfAttributesFriendlyNamesAndValues.put("uid", null);
for (Attribute attribute : credential.getAttributes()) {
logger.info("attribute friendly name={}", attribute.getFriendlyName());
if (mapOfAttributesFriendlyNamesAndValues.containsKey(attribute.getFriendlyName())) {
// We set the values of the property
for (XMLObject attributeValueXMLObject : credential.getAttribute(attribute.getName()).getAttributeValues()) {
logger.info("We care about this attribute, getAttributeValue={}", getAttributeValue(attributeValueXMLObject));
mapOfAttributesFriendlyNamesAndValues.put(attribute.getFriendlyName(), getAttributeValue(attributeValueXMLObject));
}
}
else {
logger.info("We don't care about this attribute");
}
}
Person user = usersService.getUser(mapOfAttributesFriendlyNamesAndValues.get("eduPersonPrincipalName"));
user.setLogin(mapOfAttributesFriendlyNamesAndValues.get("eduPersonPrincipalName"));
user.setEmail(mapOfAttributesFriendlyNamesAndValues.get("mail"));
user.setName(mapOfAttributesFriendlyNamesAndValues.get("displayName"));
user.setAdministrator(true);
user = usersService.updatePerson(user);
logger.info("leaving loadUserBySAML");
return loadUserByUser(user);
}
private UserDetails loadUserByUser(Person targetUser) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
// Roles
if (targetUser.isAdministrator()) {
authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
}
else {
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
}
return new User(targetUser.getLogin(), targetUser.getPassword(),
true, // enabled
true, // account not expired
true, // credentials not expired
true, // account not locked
authorities);
}
我有以下行为:
loadUserBySAML方法称为credential.getNameID().getValue()(例如“_246558c0d7c514447292d750df577b6b”)。问题:如何将凭据的“NameID”属性设置为电子邮件地址?
我已多次阅读the documentation的“9.4身份验证对象”部分,但我仍然不明白如何告诉Spring Security我的UserDetails对象应该使用电子邮件地址引用而不是使用NameID值。
答案 0 :(得分:2)
我认为问题可能是SAMLAuthenticationProvider默认情况下始终使用NameID,即使从UserDetails返回SAMLUserDetailsService也是如此。它是为了向后兼容以前的版本而完成的,尽管我正在考虑更改它以避免混淆。
为了将UserDetails设置属性forcePrincipalAsString返回的值用于bean SAMLAuthenticationProvider上的false。