自定义请求网址

再见

我正在配置一个saml应用程序,它将接收来自adfs的请求。我想使用自定义URL接收请求。这是我的配置:

<!-- Security filter chain for the whole application.
     Every URL (/**) requires a fully authenticated user; requests without one carry an anonymous
     token with ROLE_ANONYMOUS and are handed to authenticationEntryPoint (defined outside this excerpt).
     SAML response handling is delegated to the nested samlFilter chain at the PRE_AUTH_FILTER position.
     disable-url-rewriting="true" keeps the session id out of URLs (no jsessionid in links/logs). -->
<http servlet-api-provision="false"  entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true" >
    <!-- Member form login; memberAuthenticationFilter is defined outside this excerpt -->
    <custom-filter position="FORM_LOGIN_FILTER" ref="memberAuthenticationFilter" />
    <!-- Nested FilterChainProxy that routes /auth.htm and /saml/metadata/** to the SAML filters -->
    <custom-filter position="PRE_AUTH_FILTER" ref="samlFilter" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <anonymous granted-authority="ROLE_ANONYMOUS" username="ANONYMOUS" />
    <!-- Authenticated users lacking the required access are sent to the login page -->
    <access-denied-handler error-page="/login/index.htm"/>
</http>
<!-- Assertion consumer: processes SAML responses posted by the IdP.
     filterProcessesUrl is the URL this filter answers on. The same URL has to appear as the
     AssertionConsumerService Location in the SP metadata, otherwise SAMLUtil.getEndpoint cannot
     match the incoming request to an endpoint (the mismatch the question describes). -->
<beans:bean id="ssoAuthenticationFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
    <!-- authenticationManager is defined outside this excerpt; it must contain preAuthenticatedAuthenticationProvider -->
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <!-- A failed SAML authentication redirects to the externalized ssoNonMemberRedirectUrl -->
    <beans:property name="authenticationFailureHandler">
        <beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <beans:property name="defaultFailureUrl" value="${ssoNonMemberRedirectUrl}" />
        </beans:bean>
    </beans:property>
    <!-- Custom consumer URL instead of the library default /saml/SSO -->
    <beans:property name="filterProcessesUrl" value="/auth.htm"/>
</beans:bean>
<!-- Nested filter chain plugged into the main <http> chain at PRE_AUTH_FILTER.
     Only the two ant patterns below reach the SAML filters; every other URL passes straight through.
     NOTE(review): if the /auth.htm/alias/... form of the URL is used, this pattern needs to be
     "/auth.htm/**" (see the accepted answer below). -->
<beans:bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <filter-chain-map request-matcher="ant">
        <filter-chain pattern="/auth.htm" filters="ssoAuthenticationFilter"/>
        <!-- Serves the generated SP metadata; this is the URL the answer says to download from -->
        <filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
    </filter-chain-map>
</beans:bean>

<!-- Validates the decoded SAML assertion and resolves the application user through MemberDetailsService.
     NOTE(review): the id says "preAuthenticated" but the class is SAMLAuthenticationProvider; the
     authenticationManager used by ssoAuthenticationFilter (not visible here) presumably lists this bean,
     so verify that wiring. -->
<beans:bean id="preAuthenticatedAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider">
    <beans:property name="userDetails">
        <beans:bean class="com.wigitsrus.wigits.security.MemberDetailsService" />
    </beans:property>
</beans:bean>

<!-- Picks up the library's annotated components so the beans below can be autowired -->
<context:component-scan base-package="org.springframework.security.saml"/>
<!-- Logs SAML message exchanges; useful when diagnosing endpoint-matching failures like the one in the question -->
<beans:bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>

<!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there
     (wired into samlFilter under /saml/metadata/**) -->
<beans:bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<!-- Generates the SP metadata on the fly from the values below.
     NOTE(review): this bean is not referenced by the samlFilter chain-map above; confirm it is
     invoked elsewhere, otherwise the generated metadata may never be produced.
     The generated AssertionConsumerService Location is derived from entityBaseURL plus the library
     default path, which is why it does not match the custom /auth.htm URL. -->
<beans:bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.saml.metadata.MetadataGenerator">
        <!-- entityId is only an identifier (plain http scheme); the externally reachable base is entityBaseURL -->
        <beans:property name="entityId" value="http://wigitsrus.com"/>
        <!-- Published SP metadata is left unsigned -->
        <beans:property name="signMetadata" value="false"/>
        <beans:property name="entityBaseURL" value="https://wigitsrus.com/wigits"/>
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>

<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<!-- Do not forget to call initialize method on providers -->
<!-- IdP metadata is read from the classpath file FederationMetadata.xml (presumably the ADFS federation
     metadata export mentioned in the question).
     NOTE(review): metadataTrustCheck="false" skips signature/trust verification of that metadata, and the
     require*Signed flags are all false. That is tolerable for a file bundled on the classpath, but
     re-evaluate before pointing this provider at a remote metadata URL. -->
<beans:bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <beans:constructor-arg>
                    <beans:bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <beans:constructor-arg>
                            <beans:value type="java.io.File">classpath:com/wigitsrus/wigits/security/saml/FederationMetadata.xml</beans:value>
                        </beans:constructor-arg>
                        <beans:property name="parserPool" ref="parserPool"/>
                    </beans:bean>
                </beans:constructor-arg>
                <beans:constructor-arg>
                    <beans:bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <!-- alias is used in /alias/... URL segments; a URL-shaped alias is unusual but legal -->
                        <beans:property name="alias" value="http://theidp.com"/>
                        <!-- Unsigned artifact-resolve, logout requests and logout responses are accepted from this IdP -->
                        <beans:property name="requireArtifactResolveSigned" value="false"/>
                        <beans:property name="requireLogoutRequestSigned" value="false"/>
                        <beans:property name="requireLogoutResponseSigned" value="false"/>
                        <beans:property name="idpDiscoveryEnabled" value="false"/>
                    </beans:bean>
                </beans:constructor-arg>
                <!-- No signature check on the loaded IdP metadata (see note above) -->
                <beans:property name="metadataTrustCheck" value="false"/>
            </beans:bean>
        </beans:list>
    </beans:constructor-arg>
    <!-- NOTE(review): defaultIDP should equal the entityID declared inside FederationMetadata.xml; confirm -->
    <beans:property name="defaultIDP" value="http://theidp.com"/>
    <!-- NOTE(review): 0 presumably disables periodic re-reading of the metadata file; confirm against the library docs -->
    <beans:property name="refreshCheckInterval" value="0"/>
</beans:bean>

<!-- Provider of default SAML Context -->
<!-- Load-balancer aware variant: the request URL used for endpoint matching is rebuilt from the
     values below (https://wigitsrus.com/wigits/...) instead of the servlet container's own view.
     NOTE(review): the question reports the matched endpoint location as
     https://www.wigitsrus.com/wigit/saml/SSO/alias/defaultAlias, whose host (www.) and context path
     (/wigit) differ from what is configured here; confirm which one is the real external URL, since
     these values must agree with the metadata handed to the IdP. -->
<beans:bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <beans:property name="scheme" value="https"/>
    <beans:property name="serverName" value="wigitsrus.com"/>
    <beans:property name="serverPort" value="443"/>
    <!-- Port is omitted from the reconstructed URL (443 is the https default anyway) -->
    <beans:property name="includeServerPortInRequestURL" value="false"/>
    <beans:property name="contextPath" value="/wigits"/>
</beans:bean>

<!-- Logout handler terminating local session -->
<!-- NOTE(review): with invalidateHttpSession="false" the HTTP session itself survives logout and only the
     security context is cleared; confirm that is intended, since leftover session state and session
     fixation are the usual reasons to invalidate on logout. -->
<beans:bean id="logoutHandler"
      class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    <beans:property name="invalidateHttpSession" value="false"/>
</beans:bean>

<!-- Override default logout processing filter with the one processing SAML messages -->
<!-- Initiates SP-side (global) logout. MemberLogoutSuccessHandler is the application's success handler;
     the local logoutHandler is passed twice, for the local and the global logout handler slots.
     NOTE(review): neither this bean nor samlLogoutProcessingFilter appears in the samlFilter chain-map
     above, so the SAML logout URLs may not be served; confirm they are wired in elsewhere. -->
<beans:bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
    <beans:constructor-arg index="0">
        <beans:bean class="com.wigitsrus.wigits.security.MemberLogoutSuccessHandler"/>
    </beans:constructor-arg>
    <beans:constructor-arg index="1" ref="logoutHandler"/>
    <beans:constructor-arg index="2" ref="logoutHandler"/>
</beans:bean>

<!-- Filter processing incoming logout messages -->
<!-- First argument determines URL user will be redirected to after successful global logout -->
<!-- Handles LogoutRequest/LogoutResponse messages sent by the IdP. Note that with
     requireLogoutRequestSigned="false" in the IdP ExtendedMetadata above, unsigned requests are accepted. -->
<beans:bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
    <beans:constructor-arg index="0">
        <beans:bean class="com.wigitsrus.wigits.security.MemberLogoutSuccessHandler"/>
    </beans:constructor-arg>
    <beans:constructor-arg index="1" ref="logoutHandler"/>
</beans:bean>

<!-- Class loading incoming SAML messages from httpRequest stream -->
<!-- Decodes inbound messages; any of the listed bindings may be used by the sender.
     Each binding bean is defined further down in this file. -->
<beans:bean id="samlProcessor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
    <beans:constructor-arg>
        <beans:list>
            <beans:ref bean="redirectBinding"/>
            <beans:ref bean="postBinding"/>
            <beans:ref bean="artifactBinding"/>
            <beans:ref bean="soapBinding"/>
            <beans:ref bean="paosBinding"/>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<!-- SAML 2.0 WebSSO Assertion Consumer -->
<beans:bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>

<!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer -->
<beans:bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

<!-- SAML 2.0 Web SSO profile -->
<beans:bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>

<!-- SAML 2.0 Holder-of-Key Web SSO profile -->
<!-- NOTE(review): this uses the same consumer class as hokWebSSOprofileConsumer above even though the id
     names the profile; verify this is the intended class (it mirrors the library's sample config). -->
<beans:bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>

<!-- SAML 2.0 ECP profile -->
<beans:bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/>

<!-- SAML 2.0 Logout Profile -->
<beans:bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>

<!-- Bindings, encoders and decoders used for creating and parsing messages -->
<!-- HTTP-POST: the binding named in the question's endpoint error; renders the auto-submit form with Velocity -->
<beans:bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
    <beans:constructor-arg ref="parserPool"/>
    <beans:constructor-arg ref="velocityEngine"/>
</beans:bean>

<!-- HTTP-Redirect with DEFLATE encoding; only needs the parser pool -->
<beans:bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
    <beans:constructor-arg ref="parserPool"/>
</beans:bean>

<!-- HTTP-Artifact: the SP resolves the artifact by calling the IdP back over SOAP.
     The outbound call goes through the commons-httpclient instance below; the nested SAMLProcessorImpl
     only knows the SOAP binding because that is the only binding artifact resolution uses.
     NOTE(review): TLS trust for this outbound call comes from the ExtendedMetadata sslSecurityProfile
     settings, not from anything configured here. -->
<beans:bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding">
    <beans:constructor-arg ref="parserPool"/>
    <beans:constructor-arg ref="velocityEngine"/>
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl">
            <beans:constructor-arg>
                <beans:bean class="org.apache.commons.httpclient.HttpClient">
                    <beans:constructor-arg>
                        <beans:bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/>
                    </beans:constructor-arg>
                </beans:bean>
            </beans:constructor-arg>
            <beans:property name="processor">
                <beans:bean class="org.springframework.security.saml.processor.SAMLProcessorImpl">
                    <beans:constructor-arg ref="soapBinding"/>
                </beans:bean>
            </beans:property>
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>

<!-- SOAP 1.1 binding, used for artifact resolution and back-channel logout -->
<beans:bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding">
    <beans:constructor-arg ref="parserPool"/>
</beans:bean>

<!-- PAOS (reverse SOAP) binding for the ECP profile -->
<beans:bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding">
    <beans:constructor-arg ref="parserPool"/>
</beans:bean>

<!-- Initialization of OpenSAML library-->
<beans:bean class="org.springframework.security.saml.SAMLBootstrap"/>

<!-- Initialization of the velocity engine -->
<beans:bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>

<!-- XML parser pool needed for OpenSAML parsing -->
<!-- NOTE(review): this pool parses every inbound SAML message (untrusted input) and the metadata files.
     No parser features are set explicitly here; confirm the pool's DTD / external-entity handling is
     disabled in the deployed OpenSAML version rather than relying on defaults. -->
<beans:bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
<beans:bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>


<!-- Central storage of cryptographic keys -->
<!-- JKS keystore holding the SP's private key. The store password, key password and key alias all come
     from property placeholders, which keeps the secrets out of this file.
     NOTE(review): the file name sso-test.jks suggests a test keystore; make sure production deployments
     use a separate key pair, and that ${private.key.alias} names an entry that really exists in the store. -->
<beans:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <beans:constructor-arg value="classpath:/com/wigitsrus/wigits/security/saml/sso-test.jks"/>
    <beans:constructor-arg value="${keystore.password}"/>
    <!-- Map of key alias to key password; here the key password equals the store password -->
    <beans:constructor-arg>
        <beans:map>
            <beans:entry key="${private.key.alias}" value="${keystore.password}" />
        </beans:map>
    </beans:constructor-arg>
    <!-- Default key used for signing -->
    <beans:constructor-arg value="${private.key.alias}"/>
</beans:bean>

我遇到的问题是:无法匹配具有消息绑定 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 和过滤 URL /auth.htm 的端点。

当我逐步调试 SAMLUtil.getEndpoint 中的代码时,看起来本应匹配的端点正在使用以下 location:https://www.wigitsrus.com/wigit/saml/SSO/alias/defaultAlias

如何设置 HTTP-POST 端点所使用的 location 属性,使其与 requestURL 匹配?

弗拉基米尔·谢弗

您应该做的是:

  • 从 https://wigitsrus.com/wigits/saml/metadata 下载当前生成的元数据,并将其存储在(例如)classpath:com/wigitsrus/wigits/security/saml/sp.xml

  • 手动修改该文件,将 AssertionConsumerService 元素的 Location 属性替换为 https://wigitsrus.com/wigits/auth.htm

  • 将该元数据添加到 CachingMetadataManager 的列表中,例如:

    <!-- Local SP metadata loaded from the hand-edited sp.xml (local="true" marks it as this SP's own
         metadata rather than an IdP's). The AssertionConsumerService Location inside sp.xml must be the
         custom https://wigitsrus.com/wigits/auth.htm URL for the /auth.htm filter to match. -->
    <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <constructor-arg>
            <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                <constructor-arg>
                    <value type="java.io.File">classpath:com/wigitsrus/wigits/security/saml/sp.xml</value>
                </constructor-arg>
                <property name="parserPool" ref="parserPool"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                <property name="local" value="true"/>
                <!-- Matches the /alias/defaultAlias segment seen in the question's endpoint URL -->
                <property name="alias" value="defaultAlias"/>
                <!-- NOTE(review): standard sample values; "pkix" validates the IdP's TLS certificate chain for
                     outbound calls (artifact resolution), "default" keeps hostname verification on. Confirm
                     these match the deployment's trust configuration. -->
                <property name="securityProfile" value="metaiop"/>
                <property name="sslSecurityProfile" value="pkix"/>
                <property name="sslHostnameVerification" value="default"/>
                <!-- Published SP metadata stays unsigned -->
                <property name="signMetadata" value="false"/>
                <!-- Unlike the IdP entry in the question, unsigned artifact-resolve and logout requests are rejected here -->
                <property name="requireArtifactResolveSigned" value="true"/>
                <property name="requireLogoutRequestSigned" value="true"/>
            </bean>
        </constructor-arg>
    </bean>
    
  • 确保将新的SP元数据上传到IDP

系统现在将不再使用 MetadataGenerator,并且应该期望 SAML 响应到达 https://wigitsrus.com/wigits/auth.htm 端点。

如果您愿意使用URL https://wigitsrus.com/wigits/auth.htm/alias/defaultAlias,那么您所需要做的就是:

  • 将 https://wigitsrus.com/wigits/saml/metadata 处的元数据上传到 IDP,其中的 AssertionConsumerService 应该已经包含正确的 URL

  • 将 filterChain 的 pattern 改为 "/auth.htm/**"
