Spring Security and custom ws authentication

Posted: 2016-05-10 06:57:37

Tags: soap spring-security jboss spring-boot ldap

We have just started a new project using Spring Boot and Spring Security. The problem is that our company uses CXF together with a custom implementation of a SAML authentication mechanism. Of course, that custom implementation is fairly old, so we are locked to CXF 2.7.*.

Until recently everything worked, because we only exposed SOAP web services and did not use Spring Security. The authenticator used in the old solution uses some kind of JBossWebRealm to authenticate via org.apache.catalina.connector.Request.

But now we are going to expose REST services using LDAP as the authentication provider. That is a dream to do with Spring Security, but now the security of the SOAP services fails: it now tries to authenticate through Spring Security, using the SAML token as the AD password.

Currently we have the default servlet created by Spring Boot. It exposes the REST resources and a simple health-check web page. Then we have a servlet exposing the SOAP web services and a servlet exposing metrics (REST).

Servlet setup:

// Imports added for completeness (Spring Boot 1.x package names, matching the
// date of the post). ApplicationConfig, MDCInterceptor and MetricsServlet are
// the poster's own classes and are not shown in the post.
import org.apache.cxf.transport.servlet.CXFServlet;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.context.embedded.ServletRegistrationBean;
import org.springframework.boot.context.web.SpringBootServletInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@EnableAutoConfiguration
@Import(ApplicationConfig.class)
public class ApplicationServletInitializer extends SpringBootServletInitializer {

    // MVC configuration for the default dispatcher servlet (REST resources and
    // the health-check page).
    @Bean
    public WebMvcConfigurerAdapter dispatcherServletConfigurer(final MDCInterceptor mdcInterceptor) {
        return new WebMvcConfigurerAdapter() {
            @Override
            public void addResourceHandlers(ResourceHandlerRegistry registry) {
                registry.addResourceHandler("/internal/*");
            }

            @Override
            public void addInterceptors(InterceptorRegistry registry) {
                registry.addInterceptor(mdcInterceptor);
            }
        };
    }

    // CXF servlet serving the SOAP web services under /ws/*. This is the path
    // that is protected by the legacy SAML mechanism, not by Spring Security.
    @Bean(name = "webServiceServlet")
    public ServletRegistrationBean webServiceServlet() {
        ServletRegistrationBean servletRegistrationBean = new ServletRegistrationBean();
        servletRegistrationBean.setServlet(new CXFServlet());
        servletRegistrationBean.setName("webServiceServlet");
        servletRegistrationBean.addUrlMappings("/ws/*");
        servletRegistrationBean.setLoadOnStartup(2);
        return servletRegistrationBean;
    }

    // Metrics servlet exposed as REST under /internal/metrics/*.
    @Bean(name = "metricsServlet")
    public ServletRegistrationBean metricsServlet() {
        ServletRegistrationBean servletRegistrationBean = new ServletRegistrationBean();
        servletRegistrationBean.setServlet(new MetricsServlet());
        servletRegistrationBean.setName("metricsServlet");
        servletRegistrationBean.addUrlMappings("/internal/metrics/*");
        servletRegistrationBean.setLoadOnStartup(3);
        return servletRegistrationBean;
    }
}

Security setup:

// Imports added for completeness. MyAuthoritiesMapper and MyUserDetailsMapper
// are the poster's own classes and are not shown in the post.
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.stereotype.Component;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ComponentScan(basePackageClasses = {
        MDCInterceptor.class,
        WebSecurityConfigurerAdapterConfig.class
})
public class RestSecurityConfig {

    @Value("${ldap.url}")
    private String ldapUrl;

    @Value("${ldap.domain}")
    private String ldapDomain;

    // Active Directory provider that authenticates the HTTP Basic credentials of
    // the REST API. Because the SOAP path is not excluded below, this is also
    // what ends up receiving the SAML token as a "password".
    @Bean
    public ActiveDirectoryLdapAuthenticationProvider authenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(ldapDomain, ldapUrl);
        provider.setAuthoritiesMapper(authoritiesMapper());
        provider.setUserDetailsContextMapper(userDetailsMapper());
        provider.setUseAuthenticationRequestCredentials(true);
        provider.setConvertSubErrorCodesToExceptions(true);
        return provider;
    }

    @Bean
    public MyAuthoritiesMapper authoritiesMapper() {
        return new MyAuthoritiesMapper();
    }

    @Bean
    public MyUserDetailsMapper userDetailsMapper() {
        return new MyUserDetailsMapper();
    }

}

@Component
public class WebSecurityConfigurerAdapterConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private ActiveDirectoryLdapAuthenticationProvider authenticationProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    // Note that no path is excluded here: the filter chain applies to every
    // request, including the CXF servlet under /ws/*.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
                .antMatchers("/api/**").hasRole("READ")
                .and().httpBasic()
                .and().anonymous()
                .principal(anonymousPrincipal())
                .authorities(anonymousRoles());
    }

    // The two helpers below are called but not shown in the post; minimal
    // versions are supplied here so the class compiles.
    private Object anonymousPrincipal() {
        return "anonymousUser";
    }

    private List<GrantedAuthority> anonymousRoles() {
        return AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");
    }
}

web.xml setup:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All pages</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
</security-constraint>

Does anyone know whether it is possible to solve this? Removing the old security framework that does the SAML authentication for the SOAP web services is not an option.

1 answer:

Answer 0 (score: 0)

Figured it out. When configuring Spring Security, in WebSecurityConfigurerAdapter you can also override:

protected void configure(WebSecurity web).

In this one you can specify what should be ignored. E.g.:

web.ignoring().antMatchers("/ws/**");
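The following is an added example, not code from the original post or the answer. It puts the answer's fix into the poster's WebSecurityConfigurerAdapter so that the two authentication paths no longer collide: requests under /ws/** (the CXFServlet mapping from the question) bypass the Spring Security filter chain completely and are left to the legacy CXF SAML authentication, while /api/** keeps LDAP-backed HTTP Basic. The class and path names are taken from the question; the anonymous principal and authority values are assumptions.

```java
package example.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;
import org.springframework.stereotype.Component;

/**
 * Added example (not the poster's code): the poster's adapter plus the
 * configure(WebSecurity) override from the answer.
 */
@Component
public class WebSecurityConfigurerAdapterConfig extends WebSecurityConfigurerAdapter {

    // Path prefixes matching the ServletRegistrationBean mappings in the question.
    // SOAP_PATHS is assumed to cover exactly what the CXFServlet serves; if the
    // servlet mapping changes, this list must change with it, or the SOAP
    // endpoints silently fall back under LDAP Basic auth again.
    private static final String[] SOAP_PATHS = { "/ws/**" };
    private static final String[] REST_PATHS = { "/api/**" };

    @Autowired
    private ActiveDirectoryLdapAuthenticationProvider authenticationProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider);
    }

    /**
     * The fix from the answer. web.ignoring() removes the whole Spring Security
     * filter chain for the listed paths: no authentication, no authorization,
     * and none of the security response headers either. Unlike permitAll(),
     * which still runs the chain and populates the SecurityContext, nothing from
     * Spring Security runs here. The legacy CXF SAML interceptors are therefore
     * the only protection for /ws/**, so every endpoint under that mapping must
     * actually have them wired before relying on this.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(SOAP_PATHS);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable(); // stateless Basic-auth API, as in the question
        http.authorizeRequests()
                // CORS preflight must pass without credentials
                .antMatchers(HttpMethod.OPTIONS, REST_PATHS).permitAll()
                // the REST API is authenticated against AD and needs ROLE_READ
                .antMatchers(REST_PATHS).hasRole("READ")
                .and().httpBasic()
                .and().anonymous()
                    .principal("anonymousUser")            // assumed value
                    .authorities("ROLE_ANONYMOUS");        // assumed value
    }
}
```

A quick check after deploying this: a SOAP request to /ws/... carrying only a SAML token must succeed without any Authorization header and must no longer produce an LDAP bind attempt in the AD logs, while a request to /api/... without credentials must still get a 401 with a WWW-Authenticate: Basic challenge. If the SOAP request also succeeds with no SAML token at all, the CXF side is not enforcing anything and the ignore rule has just opened the service.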