我必须在现有的网络应用程序中实现saml。我使用Spring安全性进行自定义身份验证和基于角色的授权。但面临实施授权的困难,从春季安全转向基于saml。我有2个上下文xml。以下是我的上下文xml文件。
弹簧安全-config.xml中
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<http pattern="/index*" security="none" />
<http pattern="/resources/**" security="none" />
<http pattern="/cms-resources/**" security="none" />
<http auto-config="true" use-expressions="true" disable-url-rewriting="true">
<intercept-url pattern="/login*" access="permitAll" />
<intercept-url pattern="/Index*"
access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST') or hasAuthority('SELFCARE')" />
<intercept-url pattern="/mlurl*"
access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/masterConfig*"
access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/fileUploadConfig*"
access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/fileUpload*"
access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/redisupload*"
access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/fileUploadRedis*"
access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/uploadlocal"
access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/fileuploadlocal"
access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/filepublish*" access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/filetrain*" access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/fileread*" access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/updatehdfsFile*" access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/filedelete*" access="hasAuthority ('ADMIN')" />
<intercept-url pattern="/createmodel*" access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/selectmodel*" access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/deletemodel*" access="hasAuthority ('ADMIN')" />
<intercept-url pattern="/createskill*" access="hasAuthority ('ADMIN')" />
<intercept-url pattern="/selectskill*" access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/deleteskill*" access="hasAuthority ('ADMIN')" />
<intercept-url pattern="/addintent*" access="hasAuthority ('ADMIN')" />
<intercept-url pattern="/deleteintent*" access="hasAuthority ('ADMIN')" />
<intercept-url pattern="/trainingdata*" access="hasAuthority ('ADMIN')" />
<intercept-url pattern="/addtrainingdata*" access="hasAuthority ('ADMIN')" />
<intercept-url pattern="/edittrainingdata*" access="hasAuthority('ADMIN')" />
<intercept-url pattern="/deletetrainingdata*" access="hasAuthority('ADMIN')" />
<intercept-url pattern="/ml*" access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST') or hasAuthority('SELFCARE')" />
<intercept-url pattern="/serverStatus*" access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/configureservers*" access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/serverdata*" access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/scheduledtask*" access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/deleteserver*" access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/base64*"
access="hasAuthority('ADMIN') or hasAuthority('DATA-SCIENTIST')" />
<intercept-url pattern="/diagnostics*"
access="hasAuthority('SELFCARE') or hasAuthority('ADMIN') or hasAuthority('DATA-SCIENTIST') or hasAuthority('CUSTOMER-CARE')" />
<intercept-url pattern="/diagnosticsdata*"
access="hasAuthority('SELFCARE') or hasAuthority('ADMIN') or hasAuthority('DATA-SCIENTIST') or hasAuthority('CUSTOMER-CARE')" />
<intercept-url pattern="/refreshdiagnostics*"
access="hasAuthority('ADMIN') or hasAuthority('DATA-SCIENTIST') or hasAuthority('SELFCARE')" />
<intercept-url pattern="/adminDashboard*" access="hasAuthority('ADMIN')" />
<intercept-url pattern="/assignroles*" access="hasAuthority('ADMIN')" />
<intercept-url pattern="/dagstructure*" access="hasAuthority('ADMIN')" />
<intercept-url pattern="/dag/fileupload*" access="hasAuthority('ADMIN')" />
<intercept-url pattern="/dag/filedownload*" access="hasAuthority('ADMIN')" />
<intercept-url pattern="/logout*" access="permitAll" />
<intercept-url pattern="/**" access="hasAuthority('SELFCARE') or hasAuthority('ADMIN') or hasAuthority('DATA-SCIENTIST') " />
<!-- isAuthenticated() -->
<form-login login-page="/login" authentication-failure-url="/login"
authentication-success-handler-ref="myAuthenticationSuccessHandler"
username-parameter="username" password-parameter="password" />
<form-login login-page="/login" authentication-failure-url="/login"
username-parameter="username" password-parameter="password" />
<logout delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/"
/> <access-denied-handler error-page="/login" />
<!-- <csrf disabled="true" /> -->
</http>
<!-- <global-method-security pre-post-annotations="enabled">
<expression-handler ref="expressionHandler" />
</global-method-security> -->
<!-- <authentication-manager>
<authentication-provider ref="customeAuthenticatorProvider" />
</authentication-manager>
-->
<!-- Enable permission evaluator in annotation -->
<!-- <beans:bean id="expressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="customPermissionEvaluator" />
</beans:bean> -->
<!-- <beans:bean id="customeAuthenticatorProvider"
class="com.ril.ml.config.CustomeAuthenticatorProvider" /> -->
<!-- <beans:bean id="customPermissionEvaluator"
class="com.ril.ml.config.CustomPermissionEvaluator" /> -->
<!-- <beans:bean id="myAuthenticationSuccessHandler"
class="com.ril.ml.config.MySimpleUrlAuthenticationSuccessHandler" /> -->
</beans:beans>
还找到我的springContext.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- Enable auto-wiring -->
<context:annotation-config/>
<!-- Scan for auto-wiring classes in spring saml packages -->
<context:component-scan base-package="org.springframework.security.saml"/>
<!-- Unsecured pages -->
<security:http security="none" pattern="/favicon.ico"/>
<security:http security="none" pattern="/images/**"/>
<security:http security="none" pattern="/css/**"/>
<security:http security="none" pattern="/logout.jsp"/>
<!-- Security for the administration UI -->
<security:http pattern="/saml/web/**" use-expressions="false">
<security:access-denied-handler error-page="/saml/web/metadata/login"/>
<security:form-login login-processing-url="/saml/web/login" login-page="/saml/web/metadata/login" default-target-url="/saml/web/metadata"/>
<security:intercept-url pattern="/saml/web/metadata/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/saml/web/**" access="ROLE_ADMIN"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<!-- <security:intercept-url pattern="/login*" access="permitAll" />
<security:intercept-url pattern="/Index*"
access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST') or hasAuthority('SELFCARE')" />
<security:intercept-url pattern="/mlurl*"
intercept-url pattern="/addtrainingdata*" access="hasAuthority ('ADMIN')" />
<security:intercept-url pattern="/edittrainingdata*" access="hasAuthority('ADMIN')" />
<security:intercept-url pattern="/deletetrainingdata*" access="hasAuthority('ADMIN')" />
<security:intercept-url pattern="/ml*" access="hasAuthority ('ADMIN') or hasAuthority('DATA-SCIENTIST') or hasAuthority('SELFCARE')" />
<security:intercept-url pattern="/serverStatus*" access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<security:intercept-url pattern="/configureservers*" access="hasAuthority ('ADMIN') or hasAuthority('SELFCARE') or hasAuthority('DATA-SCIENTIST')" />
<security:intercept-url pattern="/logout*" access="permitAll" />
<security:intercept-url pattern="/**" access="hasAuthority('SELFCARE') or hasAuthority('ADMIN') or hasAuthority('DATA-SCIENTIST') " />
-->
</security:http>
<!-- <security:global-method-security pre-post-annotations="enabled">
<security:expression-handler ref="expressionHandler" />
</security:global-method-security> -->
<!-- Secured pages with SAML as entry point -->
<security:http auto-config="true" entry-point-ref="samlEntryPoint" use-expressions="false">
<security:csrf disabled="true"/>
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- <security:intercept-url pattern="/adminDashboard*" access="hasAuthority('ADMIN')" /> -->
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
<!-- Filters for processing of SAML messages -->
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant">
<security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
<security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
<security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
<security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
<security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
<security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
</security:filter-chain-map>
</bean>
<!-- Handler deciding where to redirect user after successful login -->
<bean id="successRedirectHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/"/>
</bean>
<!-- Handler deciding where to redirect user after failed login -->
<bean id="failureRedirectHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="useForward" value="true"/>
<property name="defaultFailureUrl" value="/error.jsp"/>
</bean>
<!-- Handler for successful logout -->
<bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/logout.jsp"/>
</bean>
<security:authentication-manager id="authenticationManager">
<!-- Register authentication manager for SAML provider -->
<security:authentication-provider ref="samlAuthenticationProvider"/>
<!-- Register authentication manager for administration UI -->
<security:authentication-provider>
<security:user-service id="adminInterfaceService">
<security:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<!-- Logger for SAML messages and events -->
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
<!-- Enable these to see the actual SAML Messages in logs -->
<!-- <property name="logAllMessages" value="true"/> -->
<!-- <property name="logErrors" value="true"/> -->
<!-- <property name="logMessagesOnException" value="true"/> -->
</bean>
<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg value="classpath:security/samlKeystore.jks"/>
<constructor-arg type="java.lang.String" value="nalle123"/>
<constructor-arg>
<map>
<entry key="apollo" value="nalle123"/>
</map>
</constructor-arg>
<constructor-arg type="java.lang.String" value="apollo"/>
</bean>
<!-- Entry point to initialize authentication, default values taken from properties file -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
<property name="defaultProfileOptions">
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
</bean>
</property>
</bean>
<!-- IDP Discovery Service -->
<bean id="samlIDPDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
<property name="idpSelectionPath" value="/WEB-INF/security/idpSelection.jsp"/>
</bean>
<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="extendedMetadata">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
</property>
</bean>
</constructor-arg>
</bean>
<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there -->
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<!-- Configure HTTP Client to accept certificates from the keystore for HTTPS verification -->
<!--
<bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer">
<property name="sslHostnameVerification" value="default"/>
</bean>
-->
<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<!-- Example of HTTP metadata without Extended Metadata -->
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<!-- URL containing the metadata -->
<constructor-arg>
<value type="java.lang.String">IDP URL</value>
</constructor-arg>
<!-- Timeout for metadata loading in ms -->
<constructor-arg>
<value type="int">15000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
<!-- <property name="metadataTrustCheck" value="false"/> -->
</bean>
<!-- Example of file system metadata without Extended Metadata -->
<!--
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">/usr/local/metadata/idp.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
-->
</list>
</constructor-arg>
</bean>
<!-- SAML Authentication Provider responsible for validating of received SAML messages -->
<bean id="cs" class="com.ril.ml.config.samlAuthenticationProvider">
</bean>
<bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
<property name="userDetails" ref="cs" />
<!-- <property name="userDetails" ref="bean" /> -->
</bean>
<!-- bean id="customPermissionEvaluator" class="com.ril.ml.config.CustomPermissionEvaluator" />
<bean id="expressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="customPermissionEvaluator" />
</bean> -->
<!-- Provider of default SAML Context -->
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
<!-- Processing filter for WebSSO profile messages -->
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
</bean>
<!-- Processing filter for WebSSO Holder-of-Key profile -->
<bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="failureRedirectHandler"/>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="false"/>
</bean>
<!-- Override default logout processing filter with the one processing SAML messages -->
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
<constructor-arg index="2" ref="logoutHandler"/>
</bean>
<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg index="0" ref="successLogoutHandler"/>
<constructor-arg index="1" ref="logoutHandler"/>
</bean>
<!-- Class loading incoming SAML messages from httpRequest stream -->
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg>
<list>
<ref bean="redirectBinding"/>
<ref bean="postBinding"/>
<ref bean="artifactBinding"/>
<ref bean="soapBinding"/>
<ref bean="paosBinding"/>
</list>
</constructor-arg>
</bean>
<!-- SAML 2.0 WebSSO Assertion Consumer -->
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 Web SSO profile -->
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<!-- SAML 2.0 ECP profile -->
<bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>
<!-- SAML 2.0 Logout Profile -->
<bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
</bean>
<bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
<constructor-arg ref="parserPool"/>
<constructor-arg ref="velocityEngine"/>
<constructor-arg>
<bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
<constructor-arg>
<bean class="org.apache.commons.httpclient.HttpClient">
<constructor-arg>
<bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
</constructor-arg>
</bean>
</constructor-arg>
<property name="processor">
<bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg ref="soapBinding"/>
</bean>
</property>
</bean>
</constructor-arg>
</bean>
<bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
<constructor-arg ref="parserPool"/>
</bean>
<!-- Initialization of OpenSAML library-->
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- Initialization of the velocity engine -->
<bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
</beans>
我也在使用samlauthenticationProvider.java,其中定义了从角色获取用户的逻辑。我没有用户密码只是来自saml response.Role的用户密码我对来自roles.xlsx文件的用户名。授权部分将被实现。请看看xml文件,任何建议都会有所帮助。