下面是我的安全配置。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/**")
.authorizeRequests()
.antMatchers("/**").authenticated()
.and()
.csrf().disable()
.formLogin().disable()
.requestCache().requestCache(new NullRequestCache());
}
我也有这样的saml安全配置。
@Override
protected SamlServerConfiguration getDefaultHostSamlServerConfiguration() {
SamlServerConfiguration samlServerConfiguration = new SamlServerConfiguration();
LocalServiceProviderConfiguration serviceProvider = getLocalServiceProviderConfiguration();
samlServerConfiguration.setServiceProvider(serviceProvider);
return samlServerConfiguration;
}
@Override
public Filter spAuthenticationResponseFilter() {
SamlAuthenticationResponseFilter filter = (SamlAuthenticationResponseFilter)
super.spAuthenticationResponseFilter();
filter.setAuthenticationSuccessHandler(samlSuccessHandler);
filter.setAuthenticationFailureHandler(samlFailureHandler);
filter.setAuthenticationManager(new SamlAuthenticationManager());
return filter;
}
private LocalServiceProviderConfiguration getLocalServiceProviderConfiguration() {
LocalServiceProviderConfiguration serviceProvider = new LocalServiceProviderConfiguration();
serviceProvider.setSignRequests(true);
serviceProvider.setSignMetadata(true);
serviceProvider.setSingleLogoutEnabled(true);
serviceProvider.setWantAssertionsSigned(true);
serviceProvider.setSignMetadata(true);
serviceProvider.setEntityId(entityId);
serviceProvider.setKeys(rotatingKeys());
serviceProvider.setBasePath(basePath);
serviceProvider.setAlias(alias);
serviceProvider.setNameIds(getBaseNameIds());
serviceProvider.setProviders(Collections.singletonList(externalProvider(idpMetadata, idpAlias)));
return serviceProvider;
}
下面是saml故障处理程序(这是行不通的)。请注意,我也尝试了SimpleUrlAuthenticationFailureHandler
,就像我在下面尝试AuthenticationFailureHandler
一样。但是它们都不按以下说明工作。
@Component
public class SamlFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
response.sendRedirect("some failure redirect url");
}
}
下面是saml成功处理程序(不必担心,因为它正在工作)。只是粘贴以供参考。
@Component
@Slf4j
public class SamlSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication)
throws ServletException, IOException {
getRedirectStrategy().sendRedirect(request, response, "some redirect url");
}
}
为简便起见, 已删除额外的代码(例如实例字段等)。我也有一个实现AuthenticationManager
的类,但是只有在成功的情况下才需要这样做,所以我不在这里添加。
现在,我尝试直接点击网址,而不是来自身份提供商。但是,它没有到达我的SamlFailureHandler
(我上面粘贴了)。它达到称为Http403ForbiddenEntryPoint
的类。根据{{3}}为此Http403ForbiddenEntryPoint
如果用户被AbstractPreAuthenticatedProcessingFilter拒绝,则会调用此方法,从而导致身份验证为空。
但是AbstractPreAuthenticatedProcessingFilter
中的调试点也不会被触发。 spring docs是否正确或未更新?无论如何,我无法使失败处理程序正常工作,因为这个神秘的Http403ForbiddenEntryPoint
做到了这一点(从其来源):
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException arg2) throws IOException, ServletException {
if (logger.isDebugEnabled()) {
logger.debug("Pre-authenticated entry point called. Rejecting access");
}
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
}
TLDR; ;当我直接访问该URL时,它不会进入我的故障处理程序,而是会到达Http403ForbiddenEntryPoint
,这将抛出白标签页面。如何配置它,以便可以添加自定义故障处理程序逻辑。