我正在尝试使用angular2作为前端和spring boot作为REST后端来开发一个web应用程序。
我需要处理3种类型的身份验证: - 基本的登录/密码匹配数据库 - ldap身份验证 - sso身份验证
当用户通过身份验证,后端会生成一个JWT并发送给前端。所有请求都必须在标头中包含jwt才能与REST通信。
目前我的websecurity配置如下:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableTransactionManagement
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
private static final String LDAP_AUTHENTIFICATION = "ldap";
private static final String SSO_AUTHENTIFICATION = "sso";
@Autowired
private DataBaseAuthentificationProvider authProvider;
@Value("${ldap.provider.url}")
private String ldapProviderUrl;
@Value("${ldap.user.dn.patterns}")
private String userDnPatterns;
@Value("${authentification.type}")
private String authentificationType;
public WebSecurityConfiguration() {
/*
* Ignores the default configuration, useless in our case (session
* management, etc..)
*/
super(true);
}
/**
* Configure AuthenticationManagerBuilder to use the specified
* DetailsService.
*
* @param auth
* the {@link AuthenticationManagerBuilder} to use
* @throws Exception
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
if (StringUtils.equals(authentificationType, LDAP_AUTHENTIFICATION)) { // LDAP
auth.ldapAuthentication().userDnPatterns(userDnPatterns).contextSource().url(ldapProviderUrl);
} else if (StringUtils.equals(authentificationType, SSO_AUTHENTIFICATION)) { // SSO
} else { // Database
auth.authenticationProvider(authProvider);
}
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
/*
* Overloaded to expose Authenticationmanager's bean created by
* configure(AuthenticationManagerBuilder). This bean is used by the
* AuthenticationController.
*/
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
/*
* the secret key used to signe the JWT token is known exclusively by
* the server. With Nimbus JOSE implementation, it must be at least 256
* characters longs.
*/
String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
Charset.defaultCharset());
httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
.addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
/*
* Exception management is handled by the
* authenticationEntryPoint (for exceptions related to
* authentications) and by the AccessDeniedHandler (for
* exceptions related to access rights)
*/
.exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
.accessDeniedHandler(new RestAccessDeniedHandler()).and()
/*
* anonymous() consider no authentication as being anonymous
* instead of null in the security context.
*/
.anonymous().and()
/* No Http session is used to get the security context */
.sessionManagement().sessionCreationPolicy(STATELESS).and().authorizeRequests()
/*
* All access to the authentication service are permitted
* without authentication (actually as anonymous)
*/
.antMatchers("/auth/**").permitAll()
/*
* All the other requests need an authentication. Role access is
* done on Methods using annotations like @PreAuthorize
*/
.anyRequest().authenticated().and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
.csrfTokenRepository(csrfTokenRepository()).disable();
}
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN"); // this is the name angular
// uses by default.
return repository;
}
private JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter(String path, String secret) {
return new JwtTokenAuthenticationFilter(path, secret);
}
关键点是SSO:
我想要的行为如下:
客户端请求受保护的REST资源:
- 如果用户已经通过OpenAM登录=>返回请求的资源
- 如果用户尚未登录=>用户将被重定向到OpenAM并提供其凭据 =>用户可以访问资源
首先,我在虚拟机上安装了OpenAM,创建了SAMLv2提供程序并获取了我的idp.xml。
我尝试使用https://github.com/vdenotaris/spring-boot-security-saml-sample添加SSO身份验证,但失败了。
是否有人能够给我提供步骤,以便将其集成到我的websecurity配置中?
谢谢!