SAMLAuthenticationProvider

最新推荐文章于 2022-07-07 11:28:24 发布
最新推荐文章于 2022-07-07 11:28:24 发布
阅读量239 收藏
点赞数
分类专栏: 笔记
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/sunshinebo/article/details/116140261
版权 
/* Copyright 2009 Vladimir Schafer
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.saml;

import org.joda.time.DateTime;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLRuntimeException;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.log.SAMLLogger;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.security.saml.websso.WebSSOProfileConsumer;
import org.springframework.util.Assert;

import javax.servlet.ServletException;
import java.util.*;

/**
 * Authentication provider is capable of verifying validity of a SAMLAuthenticationToken and in case
 * the token is valid to create an authenticated UsernamePasswordAuthenticationToken.
 *
 * @author Vladimir Schafer
 */
public class SAMLAuthenticationProvider implements AuthenticationProvider, InitializingBean {

    private static final Logger log = LoggerFactory.getLogger(SAMLAuthenticationProvider.class);

    private boolean forcePrincipalAsString = true;
    private boolean excludeCredential = false;
    protected WebSSOProfileConsumer consumer;
    protected WebSSOProfileConsumer hokConsumer;
    protected SAMLLogger samlLogger;
    protected SAMLUserDetailsService userDetails;

    /**
     * Attempts to perform authentication of an Authentication object. The authentication must be of type
     * SAMLAuthenticationToken and must contain filled SAMLMessageContext. If the SAML inbound message
     * in the context is valid, UsernamePasswordAuthenticationToken with name given in the SAML message NameID
     * and assertion used to verify the user as credential (SAMLCredential object) is created and set as authenticated.
     *
     * @param authentication SAMLAuthenticationToken to verify
     * @return UsernamePasswordAuthenticationToken with name as NameID value and SAMLCredential as credential object
     * @throws AuthenticationException user can't be authenticated due to an error
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {

        if (!supports(authentication.getClass())) {
            throw new IllegalArgumentException("Only SAMLAuthenticationToken is supported, " + authentication.getClass() + " was attempted");
        }

        SAMLAuthenticationToken token = (SAMLAuthenticationToken) authentication;
        SAMLMessageContext context = token.getCredentials();

        if (context == null) {
            throw new AuthenticationServiceException("SAML message context is not available in the authentication token");
        }

        SAMLCredential credential;

        try {
            if (SAMLConstants.SAML2_WEBSSO_PROFILE_URI.equals(context.getCommunicationProfileId())) {
                credential = consumer.processAuthenticationResponse(context);
            } else if (SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI.equals(context.getCommunicationProfileId())) {
                credential = hokConsumer.processAuthenticationResponse(context);
            } else {
                throw new SAMLException("Unsupported profile encountered in the context " + context.getCommunicationProfileId());
            }
        } catch (SAMLRuntimeException e) {
            log.debug("Error validating SAML message", e);
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error validating SAML message", e);
        } catch (SAMLException e) {
            log.debug("Error validating SAML message", e);
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error validating SAML message", e);
        } catch (ValidationException e) {
            log.debug("Error validating signature", e);
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error validating SAML message signature", e);
        } catch (org.opensaml.xml.security.SecurityException e) {
            log.debug("Error validating signature", e);
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error validating SAML message signature", e);
        } catch (DecryptionException e) {
            log.debug("Error decrypting SAML message", e);
            samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.FAILURE, context, e);
            throw new AuthenticationServiceException("Error decrypting SAML message", e);
        }

        Object userDetails = getUserDetails(credential);
        Object principal = getPrincipal(credential, userDetails);
        Collection<? extends GrantedAuthority> entitlements = getEntitlements(credential, userDetails);

        Date expiration = getExpirationDate(credential);

        SAMLCredential authenticationCredential = excludeCredential ? null : credential;
        ExpiringUsernameAuthenticationToken result = new ExpiringUsernameAuthenticationToken(expiration, principal, authenticationCredential, entitlements);
        result.setDetails(userDetails);

        samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.SUCCESS, context, result, null);

        return result;

    }

    /**
     * Populates user data from SAMLCredential into UserDetails object. By default supplied implementation of the
     * SAMLUserDetailsService is called and value of type UserDetails is returned. Users are encouraged to supply
     * implementation of this class and also include correct implementation of the getAuthorities method in it, which
     * is used to populate the entitlements inside the Authentication object.
     * <p>
     * If no SAMLUserDetailsService is specified null is returned.
     *
     * @param credential credential to load user from
     * @return user details object corresponding to the SAML credential or null if data can't be loaded
     */
    protected Object getUserDetails(SAMLCredential credential) {
        if (getUserDetails() != null) {
            return getUserDetails().loadUserBySAML(credential);
        } else {
            return null;
        }
    }

    /**
     * Method determines what will be stored as principal of the created Authentication object. By default
     * (when forcePrincipalAsString is true) string representation of the NameID returned from SAML message is used.
     * Otherwise userDetail object is used, when set, when not NameID object from the credential is returned.
     * Other implementations can be created by overriding the method.
     *
     * @param credential credential used to authenticate user
     * @param userDetail loaded user details, can be null
     * @return principal to store inside Authentication object
     */
    protected Object getPrincipal(SAMLCredential credential, Object userDetail) {
        if (isForcePrincipalAsString()) {
            return credential.getNameID().getValue();
        } else if (userDetail != null) {
            return userDetail;
        } else {
            return credential.getNameID();
        }
    }

    /**
     * Method is responsible for returning collection of users entitlements. Default implementation verifies
     * whether userDetail object is of UserDetails type and returns userDetail.getAuthorities().
     * <p>
     * In case object of other type is found empty list is returned. Users are supposed to override this
     * method to provide custom parsing is such case.
     *
     * @param credential credential used to authenticate user during SSO
     * @param userDetail user detail object returned from getUserDetails call
     * @return collection of users entitlements, mustn't be null
     */
    protected Collection<? extends GrantedAuthority> getEntitlements(SAMLCredential credential, Object userDetail) {
        if (userDetail instanceof UserDetails) {
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.addAll(((UserDetails) userDetail).getAuthorities());
            return authorities;
        } else {
            return Collections.emptyList();
        }
    }

    /**
     * Parses the SAMLCredential for expiration time. Locates all AuthnStatements present within the assertion
     * (only one in most cases) and computes the expiration based on sessionNotOnOrAfter field.
     *
     * @param credential credential to use for expiration parsing.
     * @return null if no expiration is present, expiration time onOrAfter which the token is not valid anymore
     */
    protected Date getExpirationDate(SAMLCredential credential) {
        List<AuthnStatement> statementList = credential.getAuthenticationAssertion().getAuthnStatements();
        DateTime expiration = null;
        for (AuthnStatement statement : statementList) {
            DateTime newExpiration = statement.getSessionNotOnOrAfter();
            if (newExpiration != null) {
                if (expiration == null || expiration.isAfter(newExpiration)) {
                    expiration = newExpiration;
                }
            }
        }
        return expiration != null ? expiration.toDate() : null;
    }

    /**
     * Returns saml user details service used to load information about logged user from SAML data.
     *
     * @return service or null if not set
     */
    public SAMLUserDetailsService getUserDetails() {
        return userDetails;
    }

    /**
     * SAMLAuthenticationToken is the only supported token.
     *
     * @param aClass class to check for support
     * @return true if class is of type SAMLAuthenticationToken
     */
    public boolean supports(Class aClass) {
        return SAMLAuthenticationToken.class.isAssignableFrom(aClass);
    }

    /**
     * The user details can be optionally set and is automatically called while user SAML assertion
     * is validated.
     *
     * @param userDetails user details
     */
    @Autowired(required = false)
    public void setUserDetails(SAMLUserDetailsService userDetails) {
        this.userDetails = userDetails;
    }

    /**
     * Logger for SAML events, cannot be null, must be set.
     *
     * @param samlLogger logger
     */
    @Autowired
    public void setSamlLogger(SAMLLogger samlLogger) {
        Assert.notNull(samlLogger, "SAMLLogger can't be null");
        this.samlLogger = samlLogger;
    }

    /**
     * Profile for consumption of processed messages, must be set.
     *
     * @param consumer consumer
     */
    @Autowired
    @Qualifier("webSSOprofileConsumer")
    public void setConsumer(WebSSOProfileConsumer consumer) {
        Assert.notNull(consumer, "WebSSO Profile Consumer can't be null");
        this.consumer = consumer;
    }

    /**
     * Profile for consumption of processed messages using the Holder-of-Key profile, must be set.
     *
     * @param hokConsumer holder-of-key consumer
     */
    @Autowired
    @Qualifier("hokWebSSOprofileConsumer")
    public void setHokConsumer(WebSSOProfileConsumer hokConsumer) {
        this.hokConsumer = hokConsumer;
    }

    public boolean isForcePrincipalAsString() {
        return forcePrincipalAsString;
    }

    /**
     * By default principal in the returned Authentication object is the NameID included in the
     * authenticated Assertion. The NameID is not serializable.
     *
     * Setting this value to true will force the NameID value to be a String.
     *
     * @param forcePrincipalAsString true to force principal to be a String
     */
    public void setForcePrincipalAsString(boolean forcePrincipalAsString) {
        this.forcePrincipalAsString = forcePrincipalAsString;
    }

    public boolean isExcludeCredential() {
        return excludeCredential;
    }

    /**
     * When false (default) the resulting Authentication object will include instance of SAMLCredential
     * as a credential value. The credential includes information related to the authentication
     * process, received attributes and is required for Single Logout.
     *
     * In case your application doesn't require the credential, it is possible to exclude it from
     * the Authentication object by setting this flag to true.
     *
     * @param excludeCredential false to include credential in the Authentication object, true to exclude it
     */
    public void setExcludeCredential(boolean excludeCredential) {
        this.excludeCredential = excludeCredential;
    }

    /**
     * Verifies that required entities were autowired or set.
     */
    public void afterPropertiesSet() throws ServletException {
        Assert.notNull(consumer, "WebSSO Profile Consumer can't be null");
        Assert.notNull(hokConsumer, "WebSSO Profile HoK Consumer can't be null");
        Assert.notNull(samlLogger, "SAMLLogger can't be null");
    }

}
sunshinebo
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
深入浅出单点登录---3、基于SAML实现的统一认证
u014526891的博客
03-14 1万+
概述 SAML 2.0 用来在安全域中交换身份验证(Authentication)数据和 授权(Authorization)数据。SAML 2.0基于 XML协议,使用包含断言(Assertions)的安全令牌在SAML授权方(即身份提供者IdP)和SAML消费方(即服务 提供者SP)之间传递委托人(终端用户)的信息。 SAML 2.0 可以实现基于网络跨域的单点登录(SSO), 以便于减少向一个用户分发多个身份验证令牌的管理开销。 什么是断言 断言是一个包含了由SAML授权方提供的0到多个声明(state
Grails自定义AuthenticationProvider
03-29 181
为了加强我们新Grails应用程序中的安全性,我着手实现了Spring Security Plugin 。 使用标准的用户名/密码进行安装和运行很简单,因为所有这些都由插件自动连接。 这解决了我一半的问题,但是我们还需要支持SAML身份验证,并且没有明确的示例来说明如何实现。 如果有人有类似的要求,我想分享一下我的作品。 我将不专注于SAML细节,而是关注如何在grails中构建任何自定义...
基于SAML2.0的SAP云产品Identity Authentication过程介绍
SAP 资深技术专家 Jerry Wang 的技术分享
06-09 955
SAP官网的架构图 https://cloudplatform.sap.com/scenarios/usecases/authentication.html ![clipboard1](https://user-images.githubusercontent.com/5669954/58784482-23d3db00-8616-11e9-8905-5665ba2d8e0e.png) ...
SAML单点登录-spring-security-saml 整合使用
LuckyTHP
07-07 6514
springboot security saml2
SAML单点登录-spring-security-saml客户端SP
zhitianming的博客
02-08 5500
SAML单点登录-spring-security-saml客户端SP 使用spring-security-saml搭建SAML协议的客户端,该依赖是spring框架的官方库,配置方便、文档详细。提供了包括单点登录、单点登出、获取sq元数据文件等接口,无需自己实现,参考:spring-security-saml与应用程序的集成 SpringMVC接入 Maven添加spring-security-saml依赖 <dependency> <groupId>org.springframe
SAML简介:安全地共享数字身份信息
arrio的专栏
06-07 1075
简介   安全是所有Web项目在设计时都要考虑的一个重要因素。无论是选择最短口令,决定何时使用SSL加密HTTP会话,还是通过自动登录 cookie来识别用户,都经常要付出重大的设计努力,以保护用户的身份信息和他们可能存放于Web站点的其他资料。糟糕的安全性可能带来公关灾难。当最 终用户努力保持对其个人信息的控制时,他们要面临令人迷惑的隐私政策,需要牢记众多站点的不同口令,以及遭遇“钓鱼式攻击
解决Authentication is not valid 的问题
u013452335的博客
03-11 5065
访问这个 ls /EE Authentication is not valid : /EE 出现这个 getAcl /EE 'digest,'admin:uV4rCzrED808a5JzELP/ddddss : cdrw 应该执行下面的 addauth digest admin:admin 然后在 ls /EE 输出该节点下的节点
ASP.NET MVC使用AuthenticationAttribute验证登录
08-02 246
首先,添加一个类AuthenticationAttribute,该类继承AuthorizeAttribute,如下: using System.Web; using System.Web.Mvc; namespace Zhong.Web { public class AuthenticationAttribute : AuthorizeAttribute ...
Spring Security 实战干货:用户是如何进行登录认证的
码农小胖哥
07-21 1689
1. 前言我们上一篇介绍了UsernamePasswordAuthenticationFilter的工作流程,留下了一个小小的伏笔,作为一个Servlet Filter应该存在一个doF...
【saml 基于角色的联盟访问(我方idp实现)】对接阿里
qq2413273056的博客
04-18 1475
文档:https://help.aliyun.com/document_detail/109791.html?spm=a2c4g.11186623.6.580.55031c6fdzUdch 开源项目(基于sercurity 实现的sp+idp):https://github.com/OpenConext/Mujina 请先参考:【saml 基于用户的联盟访问(我方idp实现)】对接阿里 ...
基于SAML的ADFS认证集成方案
热门推荐
晨港飞燕的专栏
03-22 1万+
why ADFS 之所以和ADFS 'sayhello'是公司要求,实现内网项目在外网下的SSO登录访问 当第一次看到ADFS时,第一想到是公司内部哪个工程师搞得一个架构,取英文缩写ADFS,大概用于身份认证,提到到认证方式,想到目前市面主流的oauth2,Jwt,OpenID等,基于SAML2.0的ADFS服务器集成方案是啥,如果是内部框架也没有太详细的部署方案啊,去搜索saml概念,发...
【主流身份管理技术辨析】Authentication and Authorization: OpenID vs OAuth2 vs SAML
WWBOY249的专栏
07-25 1973
Authentication and Authorization: OpenID vs OAuth2 vs SAML My current project at AO has provided a lot of opportunity to learn about web security and what’s going on when you click that ubiqu
基于 Confluence 6 数据中心在你的 Atlassian 应用中配置 SAML 授权
HONEY MOOSE
04-24 715
希望在 Confluence 中配置SAML: Go to &gt; 基本配置(General Configuration)&gt; SAMl 授权(SAML Authentication)。选择 SAML 单点登录(SAML single sign-on)。 配置下面的设置: Single sign-on issuer这个值是是由你 IdP 提供的,作为设置 SAML 的一部分。有时候这个被称为...
联邦身份认证——SAML
王浩的技术博客
06-15 1万+
1、概述       目前越来越多的系统通过Web服务、门户和集成化应用程序彼此链接,为解决信息孤岛的问题单点登录的需求越来越紧迫。当前比较普遍的方式是采取集中式身份管理,这样做的好处是简化用户管理,把对访问控制的管理从本地的多个应用系统转移到管理中心,用户数据可以通过Web服务非常方便的访问。       这样做存在一个问题就是各系统失去了对用户数据的所有权,特别是在企业间应用的单点访问
SAML2.0与WS-Federation比较
王浩的技术博客
03-09 7003
在联合身份认证中有两大标准:OASIS组织的SAML和微软支持的WS-Federation。二者主要的区别在于SAML直接使用XML加密和XML签名,这意味着它可以和REST协同工作,而WS-Federation则需要SOAP。下面是对两种标准的比较,列出了它们之间的区别。 Below is a table where I compare both specs on various f
SAML2发送断言
chun521的专栏
10-24 2199
  已经认证的用户,直接向应用发送断言   package com.xxx;   import java.io.*;import java.util.*; import javax.servlet.*;import javax.servlet.http.*; import org.joda.time.DateTime;import org.opensaml.Configurati...
OpenSAML 使用引导 III: Service Provider 的实现之Artifact与断言
weixin_34414650的博客
09-10 840
前文OpenSAML 使用引导 II : Service Provider 的实现之AuthnRequest介绍从Service Provider(SP)角度出发,讲解如何使用OpenSAML如申请身份鉴别请求,并从IDP出得到断言的引用标识——SAML Artifact,本文将继续讨论Artifact的具...
springboot 整合saml 代码
最新发布
05-25
以下是 Spring Boot 整合 SAML 的基本代码示例: 1. 添加依赖 在 pom.xml 文件中添加以下依赖: ```xml <dependency> <groupId>org.springframework.security.extensions</groupId> <artifactId>spring-security-saml2-core</artifactId> <version>1.0.10.RELEASE</version> </dependency> ``` 2. 配置 SAML 在 application.properties 文件中添加以下配置: ```properties # SAML 配置 security.saml2.metadata-url=http://idp.example.com/metadata security.saml2.entity-id=http://sp.example.com/metadata security.saml2.key-store=file:/path/to/keystore.jks security.saml2.key-store-password=keystore_password security.saml2.key-password=key_password security.saml2.default-success-url=/success security.saml2.login-processing-url=/saml/login security.saml2.logout-url=/saml/logout ``` 其中,metadata-url 是 Identity Provider 的元数据 URL,entity-id 是 Service Provider 的实体 ID,key-store 是密钥库文件路径,key-store-password 是密钥库密码,key-password 是密钥密码。 3. 配置 Spring Security 创建一个继承 WebSecurityConfigurerAdapter 的类,并在其中配置 Spring Security: ```java @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private SAMLUserDetailsService samlUserDetailsService; @Autowired private SAMLAuthenticationProvider samlAuthenticationProvider; @Autowired private SAMLConfigurer samlConfigurer; @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/saml/**").permitAll() .anyRequest().authenticated() .and() .apply(samlConfigurer); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(samlAuthenticationProvider); } @Bean public SAMLConfigurer samlConfigurer() { return new SAMLConfigurer(); } @Bean public SAMLAuthenticationProvider samlAuthenticationProvider() { SAMLAuthenticationProvider provider = new SAMLAuthenticationProvider(); provider.setUserDetails(samlUserDetailsService); provider.setForcePrincipalAsString(false); return provider; } @Bean public SAMLUserDetailsService samlUserDetailsService() { return new SAMLUserDetailsServiceImpl(); } } ``` 其中,samlUserDetailsService 是一个实现 SAMLUserDetailsService 接口的类,用于加载用户信息。 4. 创建 SAML Controller 创建一个 SAML Controller,用于处理 SAML 相关请求: ```java @Controller @RequestMapping("/saml") public class SamlController { @GetMapping("/login") public void login(HttpServletRequest request, HttpServletResponse response) throws Exception { AuthenticationManager authenticationManager = getAuthenticationManager(); SAMLAuthenticationToken token = new SAMLAuthenticationToken(null, null); Authentication authentication = authenticationManager.authenticate(token); SecurityContextHolder.getContext().setAuthentication(authentication); response.sendRedirect("/"); } @GetMapping("/logout") public void logout(HttpServletRequest request, HttpServletResponse response) throws Exception { request.getSession().invalidate(); response.sendRedirect("/"); } private AuthenticationManager getAuthenticationManager() { AuthenticationManager authenticationManager = new ProviderManager(List.of(samlAuthenticationProvider())); return authenticationManager; } @Autowired private SAMLAuthenticationProvider samlAuthenticationProvider; } ``` 其中,login 方法用于处理 SAML 登录请求,logout 方法用于处理 SAML 登出请求。 5. 启动应用程序 启动应用程序,并访问 http://localhost:8080/saml/login 进行 SAML 登录。登录成功后,将重定向到 http://localhost:8080/success 页面。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值