Can I integrate Shibboleth SSO in my Java Webapp without using Apache and shibd?

Submitted by 陌路散爱 on 2019-12-21 17:41:40

Question


I'm working on a pure Java web application that uses an embedded Jetty and I want to integrate a Shibboleth login. To do this, I'm following switch.ch's guide for Shibboleth Service Provider Deployment, which states:

The Shibboleth Service Provider consists of a daemon shibd running on all major operating systems and a web server module mod_shib which is natively supported by:

  • Apache web servers (versions 1.3.x, 2.x)
  • IIS (versions 6, 7 and 8)

My question is, is there a way to integrate Shibboleth SSO in my Java web application without using an Apache web server or IIS running shibd? Maybe somebody has done this before and could provide example Servlets/Filters or the like?

I don't want a web server in front of the application just for Shibboleth, because it would complicate the installation. Currently, the installation is just two steps: extract the artefact and run the start script, and I would appreciate it if I could keep it like this.


Answer 1:


The Shibboleth Service Provider takes care of a lot of complex use cases like key rotation, metadata refreshing, and attribute re-mapping. If you have an incredibly simple use case, where you need to authenticate users from one Shibboleth Identity Provider that rarely changes, you can consider validating the SAML 2.0 assertion in your Java code directly.

If you use spring-security already, you should probably start by looking at the spring-security-saml project:

http://projects.spring.io/spring-security-saml/

Alternatively, you can start with a low-level library like OpenSAML (https://wiki.shibboleth.net/confluence/display/OpenSAML/Home) or you can start with a higher level library like the LastPass Java SAML SDK (https://github.com/lastpass/saml-sdk-java).
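
What "validating the SAML 2.0 assertion in your Java code directly" involves at minimum, as an added example that is not part of the answer above or of any library it names: JDK-only checks of the signature against a pinned IdP key, the validity window and the audience. The class, method and parameter names are hypothetical, and the IdP public key is assumed to have been taken from the IdP's metadata out of band.

```java
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.time.Instant;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Added example, not code from the answers; class and parameter names are hypothetical. */
public final class AssertionCheck {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Returns the NameID if the assertion verifies against the pinned IdP key, else throws. */
    public static String verify(byte[] xml, PublicKey idpKey, String spEntityId) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs (XXE)
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        // Exactly one Assertion anywhere in the document, so a moved or wrapped copy is rejected.
        NodeList all = doc.getElementsByTagNameNS(SAML, "Assertion");
        if (all.getLength() != 1) throw new SecurityException("expected exactly one Assertion");
        Element assertion = (Element) all.item(0);
        assertion.setIdAttribute("ID", true); // lets the signature reference "#<ID>" resolve
        Element sigEl = null; // the signature must be a direct child of that assertion
        for (Node n = assertion.getFirstChild(); n != null; n = n.getNextSibling())
            if (XMLSignature.XMLNS.equals(n.getNamespaceURI()) && "Signature".equals(n.getLocalName()))
                sigEl = (Element) n;
        if (sigEl == null) throw new SecurityException("assertion is not signed");
        DOMValidateContext ctx = new DOMValidateContext(idpKey, sigEl); // pinned key, KeyInfo not trusted
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + assertion.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI()))
            throw new SecurityException("signature does not cover this assertion");
        if (!sig.validate(ctx)) throw new SecurityException("signature invalid");
        // Missing or malformed timestamps make Instant.parse throw, which also rejects the assertion.
        Element cond = first(assertion, "Conditions");
        Instant now = Instant.now();
        if (now.isBefore(Instant.parse(cond.getAttribute("NotBefore")))
                || !now.isBefore(Instant.parse(cond.getAttribute("NotOnOrAfter"))))
            throw new SecurityException("outside validity window");
        if (!spEntityId.equals(first(cond, "Audience").getTextContent().trim()))
            throw new SecurityException("wrong audience");
        return first(assertion, "NameID").getTextContent().trim();
    }
    private static Element first(Element parent, String name) {
        Node n = parent.getElementsByTagNameNS(SAML, name).item(0);
        if (n == null) throw new SecurityException("missing " + name);
        return (Element) n;
    }
}
```

Recipient, InResponseTo and replay checks are not covered here, nor are the key rotation and metadata refreshing the answer mentions. Those are among the things the Shibboleth SP or a SAML library handles.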




Answer 2:


Putting the Shibboleth SP with a web server in front is the easiest way out. Additionally, you can add a servlet filter and check the headers; if you find all attributes released by the IdP, validate them against your identity store just for assertion.



Source: https://stackoverflow.com/questions/30887617/can-i-integrate-shibboleth-sso-in-my-java-webapp-without-using-apache-and-shibd
