我有一个Spring Boot-主题叶-Shiro应用程序
我已经看到了以下示例
春季启动-春季安全性-pac4j-saml sso https://github.com/pac4j/spring-security-pac4j-boot-demo
Shiro Web应用程序-buji-pac4j https://github.com/pac4j/buji-pac4j-demo
我想做的就是两全其美。我想将Shiro用于RBAC,并将buji-pac4j用于身份验证,以通过SAML SSO进行身份验证。
我找不到任何文档可以达到相同目的。 以下是我所做的操作,请正确引导我进行设置。
//in WebConfig .java i have following
public class WebConfig extends WebMvcConfigurerAdapter {
@Bean("samlConfig")
public Config config() {
final SAML2Configuration cfg = new SAML2Configuration ("resource:samlKeystore.jks",
"pac4j-demo-passwd",
"pac4j-demo-passwd",
"resource:metadata-okta.xml");
cfg.setMaximumAuthenticationLifetime(3600);
cfg.setServiceProviderEntityId("https://localhost/callback?client_name=SAML2Client");
cfg.setServiceProviderMetadataPath("sp-metadata.xml");
cfg.setAuthnRequestBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
final SAML2Client saml2Client = new SAML2Client(cfg);
final Clients clients = new Clients("https://localhost/callback", saml2Client);
final Config config = new Config(clients);
config.addAuthorizer("custom", new CustomAuthorizer()); // this same as in example buji-pac4j-demo
return config;
}
}
//In WebSecurityConfig.java i have following
public class WebSecurityConfig {
@Autowired
private Config samlConfig;
@Bean(name = "shiroFilter")
public AbstractShiroFilter shiroFilter() throws Exception {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
HashMap<String, String> filterChainDefinitionMapping = new HashMap<String,String>();
filterChainDefinitionMapping.put("/*", "anon");
filterChainDefinitionMapping.put("/login", "anon");
filterChainDefinitionMapping.put("/forgotPwd", "anon");
filterChainDefinitionMapping.put("/resetPwd", "anon");
filterChainDefinitionMapping.put("/logout", "logout");
filterChainDefinitionMapping.put("/**", "authc,ssl");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMapping);
shiroFilterFactoryBean.setSecurityManager(securityManager());
final SecurityFilter bujiFilter = new SecurityFilter();
bujiFilter.setConfig(samlConfig);
bujiFilter.setClients("Saml2Client");
HashMap<String, Filter> filters = new HashMap<>();
filters.put("anon", new AnonymousFilter());
filters.put("authc", bujiFilter);
LogoutFilter logoutFilter = new LogoutFilter();
logoutFilter.setRedirectUrl("/logout");
filters.put("logout", logoutFilter);
filters.put("roles", new RolesAuthorizationFilter());
filters.put("user", new UserFilter());
shiroFilterFactoryBean.setFilters(filters);
return (AbstractShiroFilter) shiroFilterFactoryBean.getObject();
}
/* i was previously using Shiro Authentication, hence the below code is there , now i want to do SAML SSO*/
@Bean(name = "customRealm")
@DependsOn("lifecycleBeanPostProcessor")
public CustomRealm customRealm() {
CustomRealm realm = new CustomRealm();
HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
credentialsMatcher.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
credentialsMatcher.setStoredCredentialsHexEncoded(false);
credentialsMatcher.setHashSalted(true);
realm.setCredentialsMatcher(credentialsMatcher);
realm.init();
return realm;
}
@Bean(name = "securityManager")
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(customRealm());
return securityManager;
}
}
现在,当我访问任何受保护的资源时,例如https://localhost/protected/home 而不是像https://github.com/pac4j/buji-pac4j-demo的示例那样带我进入IDP登录(确定);该应用程序重定向到默认的Shiro身份验证网址https://localhost/login.jsp
我在这里缺少什么,我在shiroFilter中的配置是否错误?如果是这样,正确的方法是什么?