Question
I am trying to implement authentication and authorization in a Spring Boot (2.2.4) app using Spring Security (spring-security-starter).
Use case: Based on the username, I want to redirect the user to the specific authentication provider:
- If the username ends with 'mit.com', authenticate the user using the database (I am using Hibernate). For this, I can use Spring's UserDetailsService.
- If the username ends with 'einfochips.com', authenticate the user using the SAML 2.0 protocol, using an identity provider like Okta, SSOCircle, OneLogin, etc.
I am not able to work out how I can do it. I tried using a custom filter but couldn't do it.
I have gone through many articles but couldn't achieve this.
I wrote the code below for authentication using only SAML. It is working fine, taking the user to the Okta IdP for login.

    package com.example.demo;

    import static org.springframework.security.extensions.saml2.config.SAMLConfigurer.saml;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

    @EnableWebSecurity
    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Autowired
        SAMLUserDetailsService userDetailsService;

        @Value("${security.saml2.metadata-url}")
        String metadataUrl;

        @Value("${server.ssl.key-alias}")
        String keyAlias;

        @Value("${server.ssl.key-store-password}")
        String password;

        @Value("${server.port}")
        String port;

        @Value("${server.ssl.key-store}")
        String keyStoreFilePath;

        // Using SAML 2.0
        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests()
                    .antMatchers("/").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .apply(saml())
                    .serviceProvider()
                        .keyStore()
                            .storeFilePath(this.keyStoreFilePath)
                            .password(this.password)
                            .keyname(this.keyAlias)
                            .keyPassword(this.password)
                            .and()
                        .protocol("https")
                        .hostname(String.format("%s:%s", "localhost", this.port))
                        .basePath("/")
                        .and().userDetailsService(userDetailsService)
                    .identityProvider()
                        .metadataFilePath(this.metadataUrl);
        }
    }

Can anybody guide me so that I can configure it in such a way that I can use any IdP like Okta, SSOCircle, OneLogin, etc.?
Answer 1:
Utilize Spring Security's AuthenticationProvider to implement multiple custom authentication providers and register them in the appropriate order (they're evaluated in order).
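A custom database auth provider:

    public class MitComAuthProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication auth) {
            // if user matches 'mit.com', auth with database
            // look up and auth
            // else return null (to try next auth provider)
            return null; // placeholder until the steps above are implemented
        }

        @Override
        public boolean supports(Class<?> authentication) {
            // required by the interface; assumes a username/password login token
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }
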
A custom SAML authentication provider (provided with Spring Security & implements AuthenticationProvider):

    public class EInfoChipsAuthProvider extends SAMLAuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication auth) {
            // if user matches 'einfochips.com', auth with SAML
            //     return super.authenticate(auth);
            // else return null (to try next auth provider) or throw auth exception
            return null; // placeholder until the steps above are implemented
        }
    }

Then, register both authentication providers in your WebSecurityConfigurerAdapter:

    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Autowired
        private MitComAuthProvider mitComAuthProvider;

        @Autowired
        private EInfoChipsAuthProvider eInfoChipsAuthProvider;

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(mitComAuthProvider);
            auth.authenticationProvider(eInfoChipsAuthProvider);
        }
        ...
    }

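
An added example, not part of the original answer and not Spring Security's own code: one way to fill in the database provider sketched above, assuming Spring Security 5.2 as in the question. The class name `DomainGatedDaoAuthProvider` and the helper `inDomain` are hypothetical. It goes slightly beyond the answer by comparing the whole domain after the last '@' instead of a suffix, so a name such as `user@summit.com` is not treated as `mit.com`.

```java
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class (added example): database login restricted to one e-mail domain.
public class DomainGatedDaoAuthProvider extends DaoAuthenticationProvider {

    private final String domain; // e.g. "mit.com"

    public DomainGatedDaoAuthProvider(String domain, UserDetailsService users,
                                      PasswordEncoder encoder) {
        this.domain = domain;
        setUserDetailsService(users); // e.g. a Hibernate-backed UserDetailsService
        setPasswordEncoder(encoder);  // must match how the stored hashes were created
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        // Returning null tells ProviderManager to try the next registered provider,
        // so this provider never checks a local password for other domains.
        if (!inDomain(auth.getName(), domain)) {
            return null;
        }
        // Password comparison, account-status checks and user-not-found handling
        // are inherited from DaoAuthenticationProvider.
        return super.authenticate(auth);
    }

    // Compare the whole domain after the last '@', case-insensitively.
    // A plain endsWith("mit.com") would also accept "user@summit.com".
    static boolean inDomain(String username, String domain) {
        if (username == null) {
            return false;
        }
        int at = username.lastIndexOf('@');
        return at > 0 && username.substring(at + 1).equalsIgnoreCase(domain);
    }
}
```

It can be registered with `auth.authenticationProvider(...)` in the same position as `MitComAuthProvider` in the configuration above.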
Source: https://stackoverflow.com/questions/61182738/combine-database-and-saml-authentication-in-one-application-using-spring-securit