spring - Spring Security SAML SSO redirect to a controller
Problem description
In an IdP-initiated setup, the following snippet is used to redirect to a controller (/bootstrap/v1):
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler = new SavedRequestAwareAuthenticationSuccessHandler();
successRedirectHandler.setDefaultTargetUrl("/bootstrap/v1");
return successRedirectHandler;
}
Controller snippet:
public class BootstrapController extends ParentController {
@RequestMapping(value = "/v1", method = RequestMethod.POST)
public ResponseEntity<BootstrapResponseDto> bootstrap(@RequestBody BootstrapRequestDto bootstrapRequestDto, @RequestHeader(value = "MAC-ADDRESS", required = false) String macAddress) {
myAppUserDetails userDetails = SecurityContextUtils.getUserDetails();
BootstrapResponseDto bootstrapResponseDto = new BootstrapResponseDto();
// some app specific logic goes here...
return new ResponseEntity<>(bootstrapResponseDto, HttpStatus.OK);
}
}
Debug-level log snippet:
11-29-2018 13:33:53 e7a5edb2-4051-4132-bad0-856d58af1c7d ZDJhMWExYWUtZTAxNy00NDQwLWJmOTctNzcyNTJlOWUyNmQ2 INFO http-nio-8080-exec-6 Spring Security Debugger:
Request received for POST '/saml/SSO':
org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper@28cc5b21
servletPath:/saml/SSO pathInfo:null headers: host: localhost:8080 user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-language: en-US,en;q=0.5 accept-encoding: gzip, deflate content-type: application/x-www-form-urlencoded content-length: 11320 dnt: 1 connection: keep-alive cookie: JSESSIONID=ZDJhMWExYWUtZTAxNy00NDQwLWJmOTctNzcyNTJlOWUyNmQ2 upgrade-insecure-requests: 1
Security filter chain: [ MetadataGeneratorFilter
WebAsyncManagerIntegrationFilter SecurityContextPersistenceFilter
CustomLogFilter HeaderWriterFilter LogoutFilter
UsernamePasswordAuthenticationFilter BasicAuthenticationFilter
FilterChainProxy RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter SessionManagementFilter
ExceptionTranslationFilter FilterSecurityInterceptor ]
11-29-2018 13:33:53 e7a5edb2-4051-4132-bad0-856d58af1c7d INFO http-nio-8080-exec-6 oocbsSAMLProtocolMessageXMLSignatureSecurityPolicyRule: Protocol message signature successfully verified, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response
11-29-2018 13:33:53 e7a5edb2-4051-4132-bad0-856d58af1c7d ZDJhMWExYWUtZTAxNy00NDQwLWJmOTctNzcyNTJlOWUyNmQ2 INFO http-nio-8080-exec-7 Spring Security Debugger:
Request received for GET '/bootstrap/v1':
org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper@5f9e2aff
servletPath:/bootstrap/v1 pathInfo:null headers: host: localhost:8080 user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-language: en-US,en;q=0.5 accept-encoding: gzip, deflate dnt: 1 connection: keep-alive cookie: JSESSIONID=ZDJhMWExYWUtZTAxNy00NDQwLWJmOTctNzcyNTJlOWUyNmQ2 upgrade-insecure-requests: 1
Security filter chain: [ MetadataGeneratorFilter
WebAsyncManagerIntegrationFilter SecurityContextPersistenceFilter
CustomLogFilter HeaderWriterFilter LogoutFilter
UsernamePasswordAuthenticationFilter BasicAuthenticationFilter
FilterChainProxy RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter SessionManagementFilter
ExceptionTranslationFilter FilterSecurityInterceptor ]
11-29-2018 13:33:53 e7a5edb2-4051-4132-bad0-856d58af1c7d WARN http-nio-8080-exec-7 oswsPageNotFound: Request method 'GET' not supported
ExpiringUsernameAuthenticationToken set to return:
org.springframework.security.providers.ExpiringUsernameAuthenticationToken@fee70636: Principal: com.<my-company>.security.authentication.@325fcf8b; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authority_1, authority_2, authority_3, authority_4
So I guess my SAML validation and the user's authentication and authorization are fine.
It seems the problem I'm facing is that the HTTP GET does not work.
How can I configure and submit an HTTP POST? Or should I refactor my controller to handle this behaviour (which might break the form-based login, which is also part of the application's authentication)?
Solution
I believe this problem has nothing to do with SAML at all; it is a generic Spring Security question. Also, you haven't specified where the body BootstrapRequestDto comes from.
You have a SuccessHandler that performs a redirect:
successRedirectHandler.setDefaultTargetUrl("/bootstrap/v1");
This performs a GET,
and you have a controller that only accepts POST.
You haven't specified where that body is coming from?
You will need to write a custom success handler that performs a POST (maybe a JavaScript auto-submit form?), or simply change your controller to also accept GET.
public class BootstrapController extends ParentController {
@RequestMapping(value = "/v1", method = RequestMethod.GET)
public ResponseEntity<BootstrapResponseDto> bootstrap() {
myAppUserDetails userDetails = SecurityContextUtils.getUserDetails();
BootstrapResponseDto bootstrapResponseDto = new BootstrapResponseDto();
// some app specific logic goes here...
return new ResponseEntity<>(bootstrapResponseDto, HttpStatus.OK);
}
@RequestMapping(value = "/v1", method = RequestMethod.POST)
public ResponseEntity<BootstrapResponseDto> bootstrap(@RequestBody BootstrapRequestDto bootstrapRequestDto, @RequestHeader(value = "MAC-ADDRESS", required = false) String macAddress) {
myAppUserDetails userDetails = SecurityContextUtils.getUserDetails();
BootstrapResponseDto bootstrapResponseDto = new BootstrapResponseDto();
// some app specific logic goes here...
return new ResponseEntity<>(bootstrapResponseDto, HttpStatus.OK);
}
}
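The other option the answer mentions, a success handler that POSTs instead of redirecting, as an added example that is not part of the question or the answer. It is a hypothetical handler for Spring Security SAML (registered via SAMLProcessingFilter.setAuthenticationSuccessHandler in place of the SavedRequestAwareAuthenticationSuccessHandler above); the target path /bootstrap/v1 is taken from the question, and the form carries the CSRF token when CsrfFilter is in the chain.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.util.HtmlUtils;

/**
 * Hypothetical success handler (added example). A 302 redirect is always
 * followed by the browser with a GET, which is what produced the
 * "Request method 'GET' not supported" warning in the log. This handler
 * instead answers the SAML response with a small page whose form
 * auto-submits a POST to the target.
 */
public class PostFormAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    // Assumed target; matches the path used in the question.
    private static final String TARGET = "/bootstrap/v1";

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        // CsrfFilter stores the token under this request attribute; without it
        // the auto-submitted POST would be rejected with 403 when CSRF is enabled.
        CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        StringBuilder html = new StringBuilder()
            .append("<!DOCTYPE html><html><body onload=\"document.forms[0].submit()\">")
            .append("<form method=\"post\" action=\"")
            .append(HtmlUtils.htmlEscape(request.getContextPath() + TARGET)).append("\">");
        if (csrf != null) {
            // Escape every value written into the page, even server-generated ones.
            html.append("<input type=\"hidden\" name=\"")
                .append(HtmlUtils.htmlEscape(csrf.getParameterName()))
                .append("\" value=\"")
                .append(HtmlUtils.htmlEscape(csrf.getToken())).append("\"/>");
        }
        html.append("<noscript><button type=\"submit\">Continue</button></noscript>")
            .append("</form></body></html>");
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store"); // page embeds a CSRF token
        response.getWriter().write(html.toString());
    }
}
```

A form submit sends application/x-www-form-urlencoded, which the question's @RequestBody BootstrapRequestDto mapping will not bind; the controller would still need a form-bound POST variant or a script that posts JSON, which is the unanswered "where does the body come from" point in the answer.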