将Spring SAML与Oauth2集成,用于REST API访问的令牌

时间:2018-01-18 08:51:09

标签: java spring-security spring-security-oauth2 spring-saml

将Spring SAML与Oauth2令牌集成以进行REST API访问

使用Spring SAML Extension我可以配置SAML身份验证并能够将断言恢复到SP, 遵循link

现在,它将返回到此" / landing",并在SAMLUserDetailsS​​ervice和SAMLAuthenticationProvider中获取断言和身份验证对象,在SAMLUserDetailsS​​ervice中填充UserDetails对象。 

@Bean
    public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
        SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler =
                new SavedRequestAwareAuthenticationSuccessHandler();
        successRedirectHandler.setDefaultTargetUrl("/landing");
        return successRedirectHandler;
    }

现在我的问题是,如何生成Auth令牌?从这一点来看,没有太多细节可用  到目前为止我试过,  创建自定义过滤器,拦截" / landing"并尝试将URL修改为/ oauth / token?grant_type = urn:ietf:params:oauth:grant-type:saml2-bearer& assertion = AssertionToBase64Url(followed),  但无法生成令牌。 我目前的配置,带有oauth实现的Spring安全性和spring saml也是独立工作的,所以现在我想联合使用这两个功能。

我的ResourceServerConfiguration.java 

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "my_rest_api";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.
        anonymous().disable()
        .requestMatchers().antMatchers("/user/**")
        .and().authorizeRequests()
        .antMatchers("/user/**").access("hasRole('ADMIN')")
        .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

}

我的AuthorizationServerConfiguration.java 

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private static String REALM="MY_OAUTH_REALM";

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserApprovalHandler userApprovalHandler;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {

        clients.inMemory()
            .withClient("my-trusted-client")
            .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("read", "write", "trust")
            .secret("secret")
            .accessTokenValiditySeconds(120).//Access token is only valid for 2 minutes.
            refreshTokenValiditySeconds(600);//Refresh token is only valid for 10 minutes.
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
                .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.realm(REALM+"/client");
    }

}

任何人都可以建议,如何整合这个,以便进行身份验证 从IDP成功断言(授权部分完成)后,IDP将返回到SP,将生成一个auth访问,刷新令牌,该令牌用户可以访问api。任何人都可以提供某种解决方案......

1 个答案:

答案 0 :(得分:0)

前段时间我遇到了同样的挑战,在搞清楚之后我写了一篇文章(这里不能发布......)。基本上,您的oAuth授权服务器是一个“桥梁”,可以使您的SAML后端适应oAuth,反之亦然......在此处找到它:

How-to-integrate-Spring-oAuth-with-Spring-SAML

GitHub中还有一个包含所有来源的回购,例如:

https://github.com/OhadR/spring-oAuth2-SAML-integration

我知道它只是链接,但又一次 - 文章太长而详细。

相关问题
最新问题