I am developing an authentication module that so far only supports OAuth2. Now, because several clients require it, SAML2 authentication must also be supported.
To accommodate the change, I have a BasicConfig class that extends WebSecurityConfigurerAdapter and receives the initial login request. Based on the user's domain sent in that request, it determines whether the authentication is for SAML2 or via OAuth2 and forwards the client on to perform the appropriate authentication.
To manage authentication via SAML2 or OAuth2, I have Saml2Config, which extends WebSecurityConfigurerAdapter, and OAuth2Config, which also extends WebSecurityConfigurerAdapter.
The problem is that the requests these two classes must handle are not being filtered properly, and the module does not work correctly.
The requests each element must manage are as follows:
BasicConfig: /auth/**
Saml2Config: /saml2/**
OAuth2Config: /oauth2/**
The truth is that I am a bit lost when it comes to adjusting these redirects, and I would appreciate it if someone could suggest how to adjust it so that it works properly.
import org.opensaml.saml.saml2.core.Assertion;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

public class SecurityConfig {

    // Chain 1: receives the initial login request. No request matcher is set on
    // this HttpSecurity, so the chain is registered for all requests.
    @Configuration
    @Order(1)
    public class BasicConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.cors()
                .and()
                .authorizeRequests()
                .antMatchers("/auth/**").permitAll();
        }
    }

    // Chain 2: OAuth2 login plus the token-based API authentication filter.
    @Configuration
    @Order(2)
    public class OAuth2Config extends WebSecurityConfigurerAdapter {

        // Collaborators referenced below; they come from elsewhere in the
        // configuration and are not shown in the question (types assumed here).
        private static final String OAUTH2_AUTHORIZE_BASE_URI = "/oauth2/authorize"; // value assumed
        @Autowired private OAuth2AuthorizationRequestResolver oauth2AuthorizationRequestResolver;
        @Autowired private AuthorizationRequestRepository<OAuth2AuthorizationRequest> httpCookieOAuth2AuthorizationRequestRepository;
        @Autowired private OAuth2UserService<OAuth2UserRequest, OAuth2User> customOAuth2UserService;
        @Autowired private AuthenticationSuccessHandler oAuth2AuthenticationSuccessHandler;
        @Autowired private AuthenticationFailureHandler oAuth2AuthenticationFailureHandler;
        @Autowired private OncePerRequestFilter tokenAuthenticationFilter;

        // Custom client for the token endpoint; defined elsewhere (not shown).
        private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> getAccessTokenResponseClient() {
            throw new UnsupportedOperationException("defined in the asker's code base, not shown");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .cors()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf()
                .disable()
                .formLogin()
                .disable()
                .httpBasic()
                .disable()
                .exceptionHandling()
                // RestAuthenticationEntryPoint is the asker's own class (not shown)
                .authenticationEntryPoint(new RestAuthenticationEntryPoint())
                .and()
                // only allow access to specified URIs
                .authorizeRequests()
                .antMatchers("/auth/**", "/oauth2/**", "/public/**")
                .permitAll()
                // only allow access with fully authenticated requests
                .anyRequest()
                .fullyAuthenticated()
                .and()
                // configure OAuth2 login
                .oauth2Login()
                // configure token endpoint for hack
                .tokenEndpoint()
                .accessTokenResponseClient(getAccessTokenResponseClient())
                .and()
                // endpoint for authorization (the endpoint we expose and knows the third party to go to)
                .authorizationEndpoint()
                .baseUri(OAUTH2_AUTHORIZE_BASE_URI)
                .authorizationRequestResolver(oauth2AuthorizationRequestResolver)
                .authorizationRequestRepository(httpCookieOAuth2AuthorizationRequestRepository)
                .and()
                // endpoint for callback (where the third party service calls back after authenticating a user)
                .redirectionEndpoint()
                .baseUri("/oauth2/callback/*")
                .and()
                // the service to use
                .userInfoEndpoint()
                .userService(customOAuth2UserService)
                .and()
                .successHandler(oAuth2AuthenticationSuccessHandler)
                .failureHandler(oAuth2AuthenticationFailureHandler);
            // Add our custom Token based authentication filter
            http.addFilterBefore(tokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }

    // Chain 3: SAML2 login.
    @Configuration
    @Order(3)
    public class Saml2Config extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            OpenSamlAuthenticationProvider authenticationProvider = new OpenSamlAuthenticationProvider();
            // Wrap the default converter so the local UserDetails ride along as details
            authenticationProvider.setResponseAuthenticationConverter(responseToken -> {
                Saml2Authentication authentication = OpenSamlAuthenticationProvider
                    .createDefaultResponseAuthenticationConverter()
                    .convert(responseToken);
                Assertion assertion = responseToken.getResponse().getAssertions().get(0);
                String username = assertion.getSubject().getNameID().getValue();
                // inMemoryUserDetailsManager() is a bean method elsewhere in this configuration (not shown)
                UserDetails userDetails = inMemoryUserDetailsManager().loadUserByUsername(username);
                authentication.setDetails(userDetails);
                return authentication;
            });
            http
                .authorizeRequests()
                .antMatchers("/auth/**", "/oauth2/**", "/public/**")
                .permitAll()
                // only allow access with fully authenticated requests
                .anyRequest()
                .fullyAuthenticated()
                .and()
                .saml2Login(saml2 -> saml2
                    .authenticationManager(new ProviderManager(authenticationProvider))
                );
        }
    }
}
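The request-scoping the question is about, as an added example (this is not the asker's code and not Spring Security's own documentation sample). With several WebSecurityConfigurerAdapters, each one produces its own SecurityFilterChain, and the chain is registered for every request unless `antMatcher()` or `requestMatchers()` narrows it; the first chain in `@Order` that matches wins, so an unscoped `@Order(1)` adapter shadows all the others. The example scopes the three adapters to the prefixes listed in the question and goes one step further by adding a fourth, lowest-priority catch-all chain, because a request that matches no chain is passed through with no security filters at all. It assumes Spring Security 5.4+ (WebSecurityConfigurerAdapter was removed in 6.0); the package name, the `/oauth2/authorize` base URI, the `/public/**` path and the `TokenAuthenticationFilter` type are assumptions standing in for the asker's own values.

```java
// Added example, not the asker's code: one WebSecurityConfigurerAdapter per URL
// prefix, each scoped with antMatcher(), plus a lowest-priority catch-all chain.
// Assumes Spring Security 5.4+. Package, base URI, /public/** and the
// TokenAuthenticationFilter type are assumptions.
package com.example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class ScopedSecurityConfig {

    // Order 1: consulted first, but antMatcher() limits it to /auth/**, so
    // /oauth2/** and /saml2/** fall through to the later adapters. Without the
    // matcher this chain would claim every request and the others would never run.
    @Configuration
    @Order(1)
    public static class BasicConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/auth/**")
                .cors().and()
                .authorizeRequests().anyRequest().permitAll();
        }
    }

    // Order 2: the authorization and callback endpoints are both under /oauth2/**,
    // so everything the OAuth2 login needs is inside this chain's scope.
    @Configuration
    @Order(2)
    public static class OAuth2Config extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/oauth2/**")
                .csrf().disable()
                .authorizeRequests().anyRequest().permitAll()
                .and()
                .oauth2Login(oauth2 -> oauth2
                    .authorizationEndpoint(a -> a.baseUri("/oauth2/authorize"))   // assumed value
                    .redirectionEndpoint(r -> r.baseUri("/oauth2/callback/*")));
        }
    }

    // Order 3: the SAML2 chain. Caveat: the default assertion consumer URL is
    // /login/saml2/sso/{registrationId}, which is OUTSIDE /saml2/**. Either widen
    // the matcher or, as here, move the ACS under /saml2/** and point the
    // RelyingPartyRegistration's assertionConsumerServiceLocation (and the IdP
    // metadata) at the new location, otherwise the SAML response never reaches this chain.
    @Configuration
    @Order(3)
    public static class Saml2Config extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/saml2/**")
                .authorizeRequests().anyRequest().permitAll()
                .and()
                .saml2Login(saml2 -> saml2
                    .loginProcessingUrl("/saml2/sso/{registrationId}"));
        }
    }

    // Order 4: catch-all for everything else. A request that matches no chain is
    // passed through with NO security filters, so the protected API needs its
    // own chain; the stateless token filter from the question belongs here.
    @Configuration
    @Order(4)
    public static class ApiConfig extends WebSecurityConfigurerAdapter {
        private final TokenAuthenticationFilter tokenAuthenticationFilter; // assumed bean type

        public ApiConfig(TokenAuthenticationFilter tokenAuthenticationFilter) {
            this.tokenAuthenticationFilter = tokenAuthenticationFilter;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/public/**").permitAll()
                    .anyRequest().fullyAuthenticated();
            http.addFilterBefore(tokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }
}
```

A quick way to confirm the scoping is to start the application with `logging.level.org.springframework.security=DEBUG` and look for the FilterChainProxy log lines: each request should be reported as matching exactly the chain whose prefix it carries, and an unauthenticated request to an API path should be rejected by the catch-all chain rather than passed through.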