Question

我使用Spring Security实现了SSO SAML。在我的Spring Boot项目中，我有以下控制器，它基本上将用户重定向到idP登录页面，然后根据成功登录生成JWT令牌。然后将此JWT令牌作为标头转发到索引页面。但我似乎无法使其正常工作。

Auth Controller，

@Controller
public class AuthController {

    private static final Logger log = LoggerFactory.getLogger(UserAccountResource.class);

    @Inject
    private TokenProvider tokenProvider;

    /**
     * Given that a user is already authenticated then generate a token
     *
     * @return the ResponseEntity with status 200 (OK) and with body of the updated {@link JWTToken} jwt token
     */
    @RequestMapping(value = "/auth/login")
    public String login(HttpServletResponse response) throws Exception {
        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            throw new UnauthorizedException();
        } else {
            try {
                final SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
                final DateTime dateTime = credential.getAuthenticationAssertion()
                        .getIssueInstant()
                        .toDateTime(DateTimeZone.forTimeZone(TimeZone.getDefault()));
                String jwt = tokenProvider.createToken(authentication, dateTime.getMillis(), false);
                response.addHeader(JWTConfigurer.AUTHORIZATION_HEADER, "Bearer " + jwt);
                log.debug("Generated jwt {}", jwt);
                log.debug("SAMLCredential {}", credential);
                return "forward:/";
            } catch (Exception e) {
                throw new UnauthorizedException(e);
            }
        }
    }
}

WebMvcConfigurerAdapter如下，

@Configuration("webConfigurer")
public class WebConfigurer extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/").setViewName("forward:/index.html");
    }
}

就SAMO的SSO而言，一切都很顺利。用户被重定向到idP登录e.t.c.我无法弄清楚forward无法按预期工作的原因。

我的所有用户界面（Angular 4.x）均以index.html启动。

当我测试这个时，我可以看到它被转发到/但是没有标题可以通过。

Answer 1

我最终做的是将登录和jwt生成分成两个API调用，这些调用很有效。

@GetMapping("/login")
public String samlLogin() throws Exception {
    final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authentication == null) {
        throw new UnauthorizedException("Unable to get the SAML authentication information");
    } else {
        try {
            final SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
            if (credential == null) {
                throw new UnauthorizedException("Not valid SAML credentials");
            }
            return "forward:/";
        } catch (Exception e) {
            throw new UnauthorizedException(e);
        }
    }
}

@GetMapping("/jwt")
public ResponseEntity<String> generateJWT(HttpServletResponse response) throws Exception {
    final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authentication == null) {
        throw new UnauthorizedException("Unable to get the SAML authentication information");
    } else {
        try {
            final SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
            if (credential == null) {
                throw new UnauthorizedException("Not valid SAML credentials");
            }
            final DateTime dateTime = credential.getAuthenticationAssertion()
                    .getIssueInstant()
                    .toDateTime(DateTimeZone.forTimeZone(TimeZone.getDefault()));
            String jwt = tokenProvider.createToken(authentication, dateTime.getMillis(), false);
            response.addHeader(JWTConfigurer.AUTHORIZATION_HEADER, "Bearer " + jwt);
            log.debug("Generated jwt {} for SAML authentication", jwt);
            return new ResponseEntity<>(jwt, HttpStatus.OK);
        } catch (Exception e) {
            throw new UnauthorizedException(e);
        }
    }
}

验证后的Spring Boot渲染索引页面

1 个答案: