Spring Security integrate with SSO(Siteminder)

最新推荐文章于 2022-01-15 22:25:00 发布
最新推荐文章于 2022-01-15 22:25:00 发布
阅读量249 收藏 1
点赞数
文章标签: spring security SSO Siteminder
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/dfaldflafladl/article/details/84810937
版权 
This is the sample to integrate SSO to Java web app with spring security, typical authentication process:


[b]In this case, Web app sever is not proxyed, and recieve request directly, so the user's request arrive to Web app server firstly[/b]
[img]http://dl2.iteye.com/upload/attachment/0118/8617/b986decd-5d80-3e48-bc95-2a924ab06067.jpg[/img]

Core Spring security config: 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
                        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                        http://www.springframework.org/schema/security 
                        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <sec:http pattern="/assets/**" security="none" />
    <sec:http pattern="/views/logout**" security="none" />

    <bean id="userDetailsService" class="com.wilson.security.CustomUserDetailsService" />

    <sec:http entry-point-ref="loginHandler" use-expressions="true" auto-config="false"
        request-matcher="regex">
        <sec:intercept-url pattern="/**" access="isAuthenticated()" />
        <sec:logout logout-url="/logout" invalidate-session="true" success-handler-ref="logoutHandler" />
        <sec:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
    </sec:http>

    <bean id="loginHandler" class="com.wilson.security.SSOLoginHandler">
        <property name="loginFormUrl" value="${sso.proxy}" />
        <property name="authProcessingURL" value="http://${fqdn}:${port}${context}/authenticate" />
    </bean>

    <bean id="logoutHandler" class="com.wilson.security.SSOLogoutHandler">
        <property name="defaultTargetUrl" value="/views/logout.jsp" />
        <property name="alwaysUseDefaultTargetUrl" value="true" />
    </bean>

    <bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <constructor-arg value="/views/logout-failure.jsp"></constructor-arg>
    </bean>

    <bean id="authenticationFilter" class="com.wilson.security.SSOAuthenticationFilter">
        <property name="filterProcessesUrl" value="/authenticate" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="AuthenticationFailureHandler" ref="authenticationFailureHandler" />
        <property name="publicKey" value="${sso.publickey}" />
    </bean>

    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider user-service-ref="userDetailsService" />
    </sec:authentication-manager>

</beans>



So, first, we need to add a custom LoginUrlAuthenticationEntryPoint to redirect request to SSO when user open home page without login 
public class SSOLoginHandler extends LoginUrlAuthenticationEntryPoint
{

    private final Logger logger = LoggerFactory.getLogger(SSOLoginHandler.class);
    private String authProcessingURL;

    @Override
    public void commence(final HttpServletRequest request, final HttpServletResponse response,
        final AuthenticationException authenticationException) throws IOException, ServletException
    {
        logger.debug("Preparing redirectiion to SSO PROXY...");
//        new DefaultRedirectStrategy().sendRedirect(request, response, this.getLoginFormUrl() + "?ref="
//            + authProcessingURL);
        String SSO_LOGIN_URL= "https://ssoserver.com/sso.jsp";
        new DefaultRedirectStrategy().sendRedirect(request, response,  SSO_LOGIN_URL + "?ref="
            + authProcessingURL);
    }

    public String getAuthProcessingURL()
    {
        return authProcessingURL;
    }

    public void setAuthProcessingURL(final String authProcessingURL)
    {
        this.authProcessingURL = authProcessingURL;
    }



Simplete logout which do some logging items.. 
public class SSOLogoutHandler extends SimpleUrlLogoutSuccessHandler
{

    private final Logger logger = LoggerFactory.getLogger(SSOLogoutHandler.class);

    @Override
    public void onLogoutSuccess(final HttpServletRequest request, final HttpServletResponse response,
        final Authentication authentication) throws IOException, ServletException
    {

        super.onLogoutSuccess(request, response, authentication);
        logger.debug("Performing an SSO logout at: {}", this.getDefaultTargetUrl());
    }
}



Custom UserDeatailsService to load role and Grant Authority to user 
public class CustomUserDetailsService implements UserDetailsService
{
    public static final String DEFAULT_AUTH_PASSWORD = "password";



    @Override
    public UserDetails loadUserByUsername(String soeid) throws UsernameNotFoundException
    {
        List<GrantedAuthority> grantedAuths = new ArrayList<GrantedAuthority>();
        grantedAuths.add(new SimpleGrantedAuthority(***Service.queryUserRoleFromDatabase(soeid).toString()));

        UserDetails user = new User(soeid, DEFAULT_AUTH_PASSWORD, true, true, true, true, grantedAuths);      

        return user;
    }

}


Custom authetication filter to processe the response form SSO server after logicn 
public class SSOAuthenticationFilter extends UsernamePasswordAuthenticationFilter
{

    public static final String DEFAULT_AUTH_PASSWORD = "password";
    private final Logger logger = LoggerFactory.getLogger(SSOAuthenticationFilter.class);
    private Cipher cipher;

    public SSOAuthenticationFilter()
    {
        super.setPostOnly(false); // allow a GET request from SSO PROXY
    }

    @Override
    public Authentication attemptAuthentication(final HttpServletRequest request, final HttpServletResponse response) throws AuthenticationException
    {

        String[] sid = decodeSID(request);
        String soeid = sid[0];

        // token is expired if currentTimeMillis is greater then TIMESTAMP
        if (System.currentTimeMillis() > Long.parseLong(sid[1]))
        {
            logger.error("Authentication rejected for: {}", soeid);
            throw new NonceExpiredException("Authentication token is expired");
        }
        // saving decoded SOEID in a REQUEST to reuse it by obtainUsername()
        request.setAttribute("SSO_USER_SOEID", soeid);

        return super.attemptAuthentication(request, response);
    }

    @Override
    protected String obtainPassword(final HttpServletRequest request)
    {
        return DEFAULT_AUTH_PASSWORD;
    }

    @Override
    protected String obtainUsername(final HttpServletRequest request)
    {
        //SM_USER is coming from SSO after login 
        return (String) request.getAttribute("SM_USER");
    }

    private String[] decodeSID(final HttpServletRequest request)
    {
       .............add SSO server decode strtegy
    }

}


[b]
You may say above sample was not my case, what happens we have SSO setup in the proxy server as below?[/b]
[img]http://dl2.iteye.com/upload/attachment/0118/8615/2525dae2-ee24-3ee0-98fe-e58799aa33b7.jpg[/img]

only difference is in the login entry filter, we redirect to the web app authentication filter("/authenticate") as it's pre-logged in 
public class SSOLoginHandler extends LoginUrlAuthenticationEntryPoint
{

    private final Logger logger = LoggerFactory.getLogger(SSOLoginHandler.class);
    private String authProcessingURL;

    @Override
    public void commence(final HttpServletRequest request, final HttpServletResponse response,
        final AuthenticationException authenticationException) throws IOException, ServletException
    {
        logger.debug("Preparing redirectiion to SSO PROXY...");
        new DefaultRedirectStrategy().sendRedirect(request, response, "/authenticate");
    }

}
dfaldflafladl
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
passport-integrate-security:处理身份验证和授权集成在一个地方
06-07
整合护照安全 此模块可让您在一处处理身份验证和授权。 允许使用通行证策略在整个应用程序或特定路由器中启用身份验证,还允许具有特定角色和/或方法的安全路径。 警告 仍在开发中。 安装 $ npm install passport-integrate-security
integrate-security-examples:连接到我们的安全服务器的示例代码
06-01
集成安全示例 此存储库包含大量注释的示例代码,用于通过 Integrate Security 服务器连接到 Integrate API 的客户端。 此代码旨在与 API 文档一起使用。 和相关的安全文档(此处均未提供)。 使用 Spring OAuth 和 Apache HttpComponents 提供了示例。 所有样本都在一台机器上构建(并测试),其中: 客户端 = 此存储库中提供的代码。 授权。 server = http://localhost:8080/openid-connect - 集成安全的本地实现。 请注意,此服务器不使用 HTTPS - 在生产中,与此服务器的所有通信都必须受 HTTPS 保护。 资源服务器 = http://localhost:8080/aimple-web-app - 暴露 API 存根的本地测试服务器。 如上所述,这不使用 HTTPS -
Integrated Security
zhvsby的专栏
10-15 3433
<br />如下一段app.config文件<br />//该文件用来设置连接数据库字符串<configuration><br /><connectionStrings> <br /> <add name="Pubs" connectionString="Server=localhost;User ID=dot-well;Password=dot-well.com;IntegrateSecurity=True;Database=pubs;"   providerName="System.Data.Sql
SiteMinder - Single sign on (SSO)
个人学习记录所用
11-27 3621
  SSO是在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统。它包括可以将这次主要的登录映射到其他应用中用于同一个用户的登录的机制。它是目前比较流行的企业业务整合的解决方案之一。 SSO技术实现机制   当用户第一次访问应用系统1的时候,因为还没有登录,会被引导到认证系统中进行登录;根据用户提供的登录信息,认证系统进行身份效验,如果通过效验,应该返回给用户一个认证的凭据--ticket;用户再访问别的应用的时候就会将这个ticket带上,作为自己认证的凭据,应用系统接
Tomcat Siteminder SSO Agent
iteye_6223的博客
03-22 295
不知道有没有童鞋像我那样需要Tomcat的siteminder sso agent,有的话这篇文章应该能给大家一点启示。 CA官方是没有Tomcat的sso agent的,替代办法是使用apache拦在tomcat前面,然后用apache专用的agent达到使用sso的目的。但如果之前一直使用tomcat JAAS控制权限的用户就会很不爽,验证方面需要改很多地方,apache方案基本没用。创维T...
Spring Security Third Edition.pdf英文版
12-23
Architect solutions that leverage the full power of Spring Security while remaining loosely coupled. Implement various ... You are not expected to have any previous experience with Spring Security.
Packt.Hands-On.Spring.Security.5.for.Reactive.Applications
09-27
Hands-On Spring Security 5 for Reactive Applications starts with the essential concepts of reactive programming, Spring Framework, and Spring Security. You will then learn about a variety of ...
How to integrate BIEE with Oracle SSO Portal.doc
11-30
- BIEE 10.1.3.2 版本,已安装Advanced Security选项,它包含Web Bridge servlet、JMX BeanServer和Oracle BI Publisher组件,这些组件在Oracle Application Server 10.1.3上运行,而不是默认的OC4J。 - Oracle ...
Building Applications with Spring 5 and Kotlin
12-29
Kotlin is being used ... You’ll also learn to use Spring Security to beef up security of your application before testing it with the JUnit framework and then deploying it on a cloud platform like AWS.
spring-boot-integrate
04-18
3. **安全控制**:Spring SecuritySpring Boot默认的安全解决方案,提供了认证、授权、CSRF保护等功能。 4. **邮件服务**:通过JavaMailSender接口,Spring Boot可以方便地发送电子邮件。 5. **缓存管理**:...
spring-security-multi-auth:Spring Boot应用程序示例,演示用于多种身份验证的Spring Security Java配置(Siteminder SSO +表单登录)
05-09
Spring Security多身份验证展示柜 基于Spring Boot的示例应用程序,展示了用于多个身份验证流程的案例Java配置-Siteminder SSO和基于表单的登录。 入门/运行应用程序 克隆存储库,使用maven将其打包为jar,然后从目标文件夹运行jar git clone https://github.com/aashaysaralkar/spring-security-multi-auth.git cd spring-security-multi-auth mvnw package -DskipTests cd target java -jar multiAuthSecurityApp-0.0.1-SNAPSHOT.jar 测试表格登录 运行该应用程序后,导航至 应用程序使用用户名'user'和密码'password'识别一个用户。 登录后,将显示仪表板
SiteMinder SSO在weblogic10的变化
杨军的博客
09-11 2310
1.问题描述:       在weblogic8下,siteminder sso agent(Servlet) 如果用户没用权限会跳转到wls_http_bridge_not_authorized.jsp页面,而在weblogic10下却直接跳转到403页面?   2.问题定位:       首先说明一下Assert Provider的作用:       .认证cookie的
Integrated security=true和=false,有何区别
热门推荐
hhw199112的博客
05-08 2万+
string constr = "Data source=(local);initial catalog=data;integrated security=true";以上是一个连接字符串,如果integrated security=true表示可以在不知道数据库用户名和密码的情况下时,依然可以连接数据库,如果integrated security=false,或者不写,表示一定要输入正确的数据库...
SpringSecurity的基础操作,登录认证,授权认证等
xiaotanke
01-15 1627
文章目录SpringSecurity1、SpringSecurity简介2、第一个SpringSecurity程序3、UserDetailsService接口4、 PasswordEncoder接口5、自定义登录逻辑6、自定义登录页面7、自定义登录成功和失败处理器8、授权配置9、角色认证10、记住我11、SpringSecurity整合thymeleaf11.1、获取登录信息11.2、权限判断11.3、注销配置12、csrf SpringSecurity 1、SpringSecurity简介 ​ Sprin
Integrated Security=SSPI
08-20 2671
Integrated Security 身份验证方式当为false时,将在连接中指定用户ID和密码。当为true时,将使用当前的Windows帐户凭据进行身份验证。可识别的值为true、false、yes、no以及与true等效的sspi。 指使用windows自带的安全验证机制,这时不用加uid和password也可以打开数据库如果没有那一句的话,就必须在联接字符串里写...
连接字符串中的integrated security=true的意思是什么
weixin_33841503的博客
05-12 571
每次在讲到这个地方的时候,我都会提问。也经常有朋友回答不上来。 integrated security=true 的意思是集成验证,也就是说使用Windows验证的方式去连接到数据库服务器。这样方式的好处是不需要在连接字符串中编写用户名和密码,从一定程度上说提高了安全性。 那么到底是用哪一个Windows身份呢?很多朋友说,使用当前用户的身份吧?这个回答不能算错,至少在Windows应用程序中是这...
siteminder sso agent 初探
tianshibaijia
12-03 370
siteminder sso agent 初探公司一直用weblogic开发,CA有现成的sso agent for weblogic,只需要简单封装即可,主要是通过filter+serevlet来实现的。 后来又有了sso agent from jboss,自己也设想一下tomcat/jetty 替换weblogic 来作为web server,所以考虑custom sso agent for...
统一认证管理系统(单点登录系统)sso 浅谈
zxln007的博客
04-30 1万+
        我所在的公司比较大,内部的各种管理系统和业务系统比较多,然而所有的系统都可以用公司的OA的员工工号和密码直接进行登录 (当然登录界面都是一个就是内部OA门户)。从进入公司以来我就一直有个问题,这是怎么做到的?毕竟假如每个系统一套数据库,那么所有的系统都得同步OA系统的员工账户表,这是比较繁琐的工程,也容易出错,比如人员的入职离职等等。后来请教了一下某个老员工,才知道单点登录这样的好...
thymeleaf-extras-springsecurity5
最新发布
04-04
Thymeleaf-extras-springsecurity5 is a Thymeleaf dialect that provides integration with Spring Security 5, which is a powerful and highly customizable security framework for Java applications. This dialect allows developers to easily add security-related features to their Thymeleaf templates, such as displaying content based on the user's authentication status or role, generating CSRF tokens, and more. Some of the features provided by thymeleaf-extras-springsecurity5 include: 1. Security-specific tags: This dialect provides several new tags that can be used to check the user's authentication status, retrieve information about the currently authenticated user, and more. 2. CSRF protection: The dialect provides a new tag that generates a CSRF token, which can be used to protect against Cross-Site Request Forgery (CSRF) attacks. 3. Role-based access control: The dialect allows developers to easily restrict access to certain parts of their application based on the user's role. 4. Internationalization support: The dialect provides support for internationalization, allowing developers to easily display security-related messages in different languages. Overall, thymeleaf-extras-springsecurity5 is a useful tool for developers who want to integrate Thymeleaf with Spring Security 5 and add security-related features to their web applications.

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值