我们刚刚使用Spring Boot和Spring Security来开发一个新项目。问题是,我们公司使用CXF和自定义实施的SAML身份验证机制。当然,自定义实现相当陈旧,因此我们锁定了CXF 2.7。*。
前段时间,一切正常,因为我们只暴露了SOAP Web服务,并且没有使用Spring Security。我们在旧解决方案中使用的身份验证器使用某种JBossWebRealm来通过org.apache.catlina.connector.Request进行身份验证。
但是现在,我们将使用LDAP作为身份验证提供程序来公开REST服务。这就像使用Spring Security的梦想一样,但现在,SOAP服务的安全性失败了。它现在尝试使用Spring Security来验证使用SAML令牌作为AD的密码。
目前我们有Spring Boot创建的默认Servlet。这个公开了REST资源和一个简单的健康检查网页。 然后我们有一个公开SOAP Web服务的servlet和一个公开指标(REST)的servlet。
Servlet设置:
@Configuration
@EnableAutoConfiguration
@Import(ApplicationConfig.class)
public class ApplicationServletInitializer extends SpringBootServletInitializer {
@Bean
public WebMvcConfigurerAdapter dispatcherServletConfigurer(final MDCInterceptor mdcInterceptor) {
return new WebMvcConfigurerAdapter() {
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/internal/*");
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(mdcInterceptor);
}
};
}
@Bean(name = "webServiceServlet")
public ServletRegistrationBean webServiceServlet() {
ServletRegistrationBean servletRegistrationBean = new ServletRegistrationBean();
servletRegistrationBean.setServlet(new CXFServlet());
servletRegistrationBean.setName("webServiceServlet");
servletRegistrationBean.addUrlMappings("/ws/*");
servletRegistrationBean.setLoadOnStartup(2);
return servletRegistrationBean;
}
@Bean(name = "metricsServlet")
public ServletRegistrationBean metricsServlet() {
ServletRegistrationBean servletRegistrationBean = new ServletRegistrationBean();
servletRegistrationBean.setServlet(new MetricsServlet());
servletRegistrationBean.setName("metricsServlet");
servletRegistrationBean.addUrlMappings("/internal/metrics/*");
servletRegistrationBean.setLoadOnStartup(3);
return servletRegistrationBean;
}
}
安全设置:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ComponentScan(basePackageClasses = {
MDCInterceptor.class,
WebSecurityConfigurerAdapterConfig.class
})
public class RestSecurityConfig {
@Value("${ldap.url}")
private String ldapUrl;
@Value("${ldap.domain}")
private String ldapDomain;
@Bean
public ActiveDirectoryLdapAuthenticationProvider authenticationProvider() {
ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(ldapDomain, ldapUrl);
provider.setAuthoritiesMapper(authoritiesMapper());
provider.setUserDetailsContextMapper(userDetailsMapper());
provider.setUseAuthenticationRequestCredentials(true);
provider.setConvertSubErrorCodesToExceptions(true);
return provider;
}
@Bean
public MyAuthoritiesMapper authoritiesMapper() {
return new MyAuthoritiesMapper();
}
@Bean
public MyUserDetailsMapper userDetailsMapper() {
return new MyUserDetailsMapper();
}
}
@Component
public class WebSecurityConfigurerAdapterConfig extends WebSecurityConfigurerAdapter {
@Autowired
private ActiveDirectoryLdapAuthenticationProvider authenticationProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
.antMatchers("/api/**").hasRole("READ")
.and().httpBasic()
.and().anonymous()
.principal(anonymousPrincipal())
.authorities(anonymousRoles());
}
}
web.xml设置:
<security-constraint>
<web-resource-collection>
<web-resource-name>All pages</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
</security-constraint>
有谁知道是否有可能解决这个问题?不能删除对SOAP Web服务进行SAML身份验证的旧安全框架的使用。
答案 0 :(得分:0)
想出来。 配置Spring Security时,在WebSecurityConfigurerAdapter中,您还可以覆盖:
protected void configure(WebSecurity web).
在这一个中,您可以指定要忽略的内容。 E.g:
web.ignoring().antMatchers("/ws/**");