更改 Spring Security SAML2 登录的 URL

我有一个具有多种身份验证类型的应用程序(即基本和特殊的预授权登录)。我正在尝试在我的安全配置中添加 SAML2 RelyingParty 注册,我正在尝试从以下位置更改默认路径:

/login/saml2/sso/{registrationId}/auth/saml2/{registrationId}

所以,我有以下设置:

    public RelyingPartyRegistration provder1RelyingPartyRegistration() {

        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation("classpath:provider1/metadata.xml")
                .registrationId("provider1")
                .assertionConsumerServiceLocation("{baseUrl}/auth/saml2/{registrationId}")
                .build();

        return registration;
    }

    // @Bean
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {

        Collection<RelyingPartyRegistration> registrations = Collections.unmodifiableList(Arrays.asList(provider1RelyingPartyRegistration()));

        InMemoryRelyingPartyRegistrationRepository repository = new InMemoryRelyingPartyRegistrationRepository(registrations);

        return repository;
    }

// fluff

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        final RequestMatcher filterRequestMatcher = new OrRequestMatcher(
                new AntPathRequestMatcher("/auth/basic"),
                new AntPathRequestMatcher("/auth/preauth")
        );

        ApplicationAuthenticationProcessingFilter filter = new ApplicationAuthenticationProcessingFilter(filterRequestMatcher, authenticationManagerBean());
        filter.setAuthenticationSuccessHandler(successHandler());
        filter.setAuthenticationFailureHandler(failureHandler());

        http
                .authorizeRequests()
                .antMatchers("/**").permitAll()
                .and()
                .addFilterAfter(filter, LogoutFilter.class)
                // fluff
                .and()
        .saml2Login()
            .relyingPartyRegistrationRepository(relyingPartyRegistrationRepository())
            .loginProcessingUrl("/auth/saml2/{registrationId}")
        ;
    }

不幸的是,我明白了:

14 Dec 10:55:34  WARN [https-openssl-nio-127.0.0.1-444-exec-2] (DispatcherServlet.java:1278) - No mapping for POST /svc/auth/saml2/provider1

谁能告诉我试图改变这条路我做错了什么?我的应用程序不使用 Spring Boot,所以我坚持手动配置。

编辑

一些调试导致这在 Saml2LoginConfigurer 中出现了这一行:

            Map<String, String> providerUrlMap = getIdentityProviderUrlMap(
                    this.authenticationRequestEndpoint.filterProcessingUrl, this.relyingPartyRegistrationRepository);

不知何故,有一个默认的 authenticationRequestEndpoint (因为我没有定义一个)将 filterProcessingUrl 设置为 /saml2/authenticate/{registrationId} 的值。那么,我该如何覆盖它呢?

stack overflow Altering URL for Spring Security SAML2 Login
原文答案

答案:

作者头像

loginProcessingUrl 由断言方在认证成功后调用,请求中包含 SAMLResponse 参数。

您要更改的是处理身份验证请求的 URL(创建 SAMLRequest 并发送给断言方),这是由 Saml2WebSsoAuthenticationRequestFilter 类完成的。要更改 redirectMatcher ,您必须提供 ObjectPostProcessor ,请参阅 this issue

ObjectPostProcessor<Saml2WebSsoAuthenticationRequestFilter> processor = new ObjectPostProcessor<>() {
        @Override
        public <O extends Saml2WebSsoAuthenticationRequestFilter> O postProcess(O filter) {
            filter.setRedirectMatcher(new AntPathRequestMatcher("/my/custom/url"));
            return filter;
        }
};
http.saml2Login().addObjectPostProcessor(processor);

查看 SAML 2.0 Login Overview 以了解有关流程的更多详细信息。