我有一个 Spring Boot - Theme Leaf - Shiro 应用程序
我已经看过以下示例
春季启动 - spring-security - pac4j-saml sso https://github.com/pac4j/spring-security-pac4j-boot-demo
Shiro Web 应用程序 - buji-pac4j https://github.com/pac4j/buji-pac4j-demo
我想做的是两全其美。我想将 Shiro 用于 RBAC,并使用 buji-pac4j 进行身份验证,通过 SAML SSO 进行身份验证。
我没有找到任何文档来实现相同的目标。以下是我所做的,请指导我正确设置。
//in WebConfig .java i have following
public class WebConfig extends WebMvcConfigurerAdapter {
@Bean("samlConfig")
public Config config() {
final SAML2Configuration cfg = new SAML2Configuration ("resource:samlKeystore.jks",
"pac4j-demo-passwd",
"pac4j-demo-passwd",
"resource:metadata-okta.xml");
cfg.setMaximumAuthenticationLifetime(3600);
cfg.setServiceProviderEntityId("https://localhost/callback?client_name=SAML2Client");
cfg.setServiceProviderMetadataPath("sp-metadata.xml");
cfg.setAuthnRequestBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
final SAML2Client saml2Client = new SAML2Client(cfg);
final Clients clients = new Clients("https://localhost/callback", saml2Client);
final Config config = new Config(clients);
config.addAuthorizer("custom", new CustomAuthorizer()); // this same as in example buji-pac4j-demo
return config;
}
}
//In WebSecurityConfig.java i have following
public class WebSecurityConfig {
@Autowired
private Config samlConfig;
@Bean(name = "shiroFilter")
public AbstractShiroFilter shiroFilter() throws Exception {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
HashMap<String, String> filterChainDefinitionMapping = new HashMap<String,String>();
filterChainDefinitionMapping.put("/*", "anon");
filterChainDefinitionMapping.put("/login", "anon");
filterChainDefinitionMapping.put("/forgotPwd", "anon");
filterChainDefinitionMapping.put("/resetPwd", "anon");
filterChainDefinitionMapping.put("/logout", "logout");
filterChainDefinitionMapping.put("/**", "authc,ssl");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMapping);
shiroFilterFactoryBean.setSecurityManager(securityManager());
final SecurityFilter bujiFilter = new SecurityFilter();
bujiFilter.setConfig(samlConfig);
bujiFilter.setClients("Saml2Client");
HashMap<String, Filter> filters = new HashMap<>();
filters.put("anon", new AnonymousFilter());
filters.put("authc", bujiFilter);
LogoutFilter logoutFilter = new LogoutFilter();
logoutFilter.setRedirectUrl("/logout");
filters.put("logout", logoutFilter);
filters.put("roles", new RolesAuthorizationFilter());
filters.put("user", new UserFilter());
shiroFilterFactoryBean.setFilters(filters);
return (AbstractShiroFilter) shiroFilterFactoryBean.getObject();
}
/* i was previously using Shiro Authentication, hence the below code is there , now i want to do SAML SSO*/
@Bean(name = "customRealm")
@DependsOn("lifecycleBeanPostProcessor")
public CustomRealm customRealm() {
CustomRealm realm = new CustomRealm();
HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
credentialsMatcher.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
credentialsMatcher.setStoredCredentialsHexEncoded(false);
credentialsMatcher.setHashSalted(true);
realm.setCredentialsMatcher(credentialsMatcher);
realm.init();
return realm;
}
@Bean(name = "securityManager")
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(customRealm());
return securityManager;
}
}
现在,当我访问任何受保护的资源时,例如https://localhost/protected/home 而不是将我带到 IDP 登录 (okta),例如https://github.com/pac4j/buji-pac4j-demo ; 应用程序重定向到默认 Shiro Auth url https://localhost/login.jsp
我在这里缺少什么,我在 shiroFilter 中的配置是否错误?如果是这样,正确的方法是什么?