0

我在我spring-security-saml2-service-provider的一个 Spring Boot 应用程序中使用身份验证,并且在另一个 Spring Boot 应用程序中使用自定义JwtAuthorizationFilter(通过 http Authentication 标头)。

他们俩都可以自己完美地工作。

现在我需要编写一个同时使用它们的 Spring Boot 应用程序。如果 JWT 令牌可用(身份验证标头),则使用JwtAuthorizationFilter,否则使用saml2Login.

SAML2配置如下所示:(没有过滤器,只有saml2Login

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
            .antMatcher("/**").authorizeRequests()
            .antMatchers("/saml2/service-provider-metadata/**").permitAll()
            .antMatchers("/**").authenticated().and()

            // use SAML2
            .saml2Login()
            .addObjectPostProcessor(new ObjectPostProcessor<OpenSamlAuthenticationProvider>() {
                public <O extends OpenSamlAuthenticationProvider> O postProcess(O samlAuthProvider) {
                    samlAuthProvider.setAuthoritiesExtractor(authoritiesExtractor());
                    samlAuthProvider.setAuthoritiesMapper(authoritiesMapper());
                    return samlAuthProvider;
                }
            })
        ;
    }

JWT配置如下所示:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
            .antMatcher("/**").authorizeRequests()
            .antMatchers("/**").authenticated().and()

            // use JWT
            .addFilter(new JwtAuthorizationFilter(authenticationManager(), jwtUtil))
        ;
    }

我想我需要类似的东西,JwtOrSaml2AuthenticationFilter但不知道该怎么做。

4

1 回答 1

0

解决方案是

  1. 使用@Order 复制配置并

  2. 在 addFilter 之前设置一个基于 header 的 requestMatcher

    @EnableWebSecurity
public class SecurityConfiguration {
    @Order(100) // lower number = higher priority
    @Configuration
    @RequiredArgsConstructor
    public static class AppSecurityJWT extends WebSecurityConfigurerAdapter {
        final JWTUtil jwtUtil;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                .antMatcher("/**").authorizeRequests()
                .antMatchers("/saml2/service-provider-metadata/**", "/idm-app/**").permitAll()
                .antMatchers("/**").authenticated().and()

                // This configuration will only be active if the Authorization header is present in the request
                .requestMatcher(new RequestHeaderRequestMatcher("Authorization")).addFilter(new JwtAuthorizationFilter(authenticationManager(), jwtUtil))
            ;
        }
    }

    @Order(101)
    @Configuration
    @RequiredArgsConstructor
    public static class AppSecuritySAML2 extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
                .antMatcher("/**").authorizeRequests()
                .antMatchers("/saml2/service-provider-metadata/**", "/idm-app/**").permitAll()
                .antMatchers("/**").authenticated().and()

                // This whole configuration will only be active, if the previous (100) didn't match
                .saml2Login()
                //...
        ;
    }
}
于 2020-04-25T09:32:54.057 回答