我刚刚在Spring Web应用程序中添加了SAML作为身份验证的替代方法。当存在新的SAML Web安全适配器时,尝试到达/ j_spring_security_check时我收到404。一旦我注释掉此适配器,它就可以正常运行。我想念什么?
这是我用于SAML身份验证的新WebSecurityConfigurerAdapter。
@Configuration
@Order(1)
public class SamlAuthAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(samlAuthenticationProvider());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(samlEntryPoint());
http
.csrf()
.disable();
http
.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
.addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
http.authorizeRequests()
.antMatchers("/saml**", "/saml/**")
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/sml**", "/sml/**")
.fullyAuthenticated();
}
}
这是我的API安全适配器。在添加SAML之前就已经存在并且可以正常工作。
@Configuration
@Order(2)
public static class ApiLoginWebSecurityConfigurationAdapter extends
WebSecurityConfigurerAdapter {
@Autowired
private Http403ForbiddenEntryPoint forbiddenEntryPoint;
@Bean
public Http403ForbiddenEntryPoint forbiddenEntryPoint() {
return new Http403ForbiddenEntryPoint();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.antMatcher("/api/**")
.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and()
.httpBasic()
.authenticationEntryPoint(forbiddenEntryPoint)
.and()
.csrf().disable()
.headers()
.cacheControl()
.httpStrictTransportSecurity()
.contentTypeOptions()
.xssProtection()
.addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy","default-src 'self'"))
.addHeaderWriter(new StaticHeadersWriter("X-WebKit-CSP","default-src 'self'"))
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN));
// @formatter:on
}
}
最后这是我的主要Web安全适配器,当不存在SAML安全适配器时,它可以完美工作。
@Configuration
@Order(3)
public static class FormLoginWebSecurityConfigurationAdapter extends
WebSecurityConfigurerAdapter {
@Autowired
AuthFailureHandler authFailureHandler;
@Autowired
AuthSuccessHandler authSuccessHandler;
@Autowired
private LoginUrlAuthenticationEntryPoint loginEntryPoint;
@Autowired
ConstituoLogoutHandler logoutHandler;
@Bean
public LoginUrlAuthenticationEntryPoint loginEntryPoint() {
return new LoginUrlAuthenticationEntryPoint("/login");
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/css/**", "/manifest/**", "/images/**", "/js/**", "/webjars/**",
"/login/**", "/session/**", "/public/**", "/register/**", "/unsubscribe/**", "/help/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/j_spring_security_check")
.usernameParameter("username")
.passwordParameter("password")
.failureHandler(authFailureHandler)
.successHandler(authSuccessHandler)
.permitAll()
.and()
.logout()
.logoutUrl("/j_spring_security_logout")
.addLogoutHandler(logoutHandler)
.logoutSuccessUrl("/login")
.invalidateHttpSession(true)
// .deleteCookies(cookieNamesToClear)
.and()
.httpBasic().authenticationEntryPoint(loginEntryPoint)
.and()
.csrf().disable()
.headers()
.cacheControl()
.httpStrictTransportSecurity()
.contentTypeOptions()
.xssProtection()
.addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy","default-src 'self'"))
.addHeaderWriter(new StaticHeadersWriter("X-WebKit-CSP","default-src 'self'"))
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN));
// @formatter:on
}
}