I am trying to integrate the Spring Security SAML Extension with Spring Boot.
On that topic, I actually developed a complete sample application. Its source code is available on GitHub:
- spring-boot-saml-integration on GitHub
By running it as a Spring Boot application (against the Application Server built into the SDK), the WebApp works fine.
Unfortunately, the same AuthN flow does not work at all on Undertow/WildFly.
According to the logs, the IdP actually performs the AuthN process: the instructions of my custom UserDetails implementation are executed correctly. Despite the execution flow, Spring does not set and retain the authorities of the current user.
```java
import java.util.ArrayList;
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
import org.springframework.stereotype.Component;

// ExtUser and SSOUserAccountNotExistsException are the sample application's own classes;
// their imports depend on the project's package layout and are omitted here.

@Component
public class SAMLUserDetailsServiceImpl implements SAMLUserDetailsService {
    // Logger
    private static final Logger LOG = LoggerFactory.getLogger(SAMLUserDetailsServiceImpl.class);

    @Override
    public Object loadUserBySAML(SAMLCredential credential)
            throws UsernameNotFoundException, SSOUserAccountNotExistsException {
        // The NameID of the SAML assertion identifies the authenticated subject
        String userID = credential.getNameID().getValue();
        if (userID.compareTo("jdoe@samplemail.com") != 0) { // We're simulating the data access.
            LOG.warn("SSO User Account not found into the system");
            throw new SSOUserAccountNotExistsException("SSO User Account not found into the system", userID);
        }
        LOG.info(userID + " is logged in");
        // Every SSO user of this sample gets the same single role
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        GrantedAuthority authority = new SimpleGrantedAuthority("ROLE_USER");
        authorities.add(authority);
        ExtUser userDetails = new ExtUser(userID, "password", true, true, true,
                true, authorities, "John", "Doe");
        return userDetails;
    }
}
```
While debugging, I found that the problem depends on the FilterChainProxy class. At runtime, the ServletRequest attribute FILTER_APPLIED has a null value, so Spring clears the SecurityContextHolder.
```java
// Excerpt from Spring Security's FilterChainProxy
private final static String FILTER_APPLIED = FilterChainProxy.class.getName().concat(".APPLIED");

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
    if (clearContext) {
        try {
            request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
            doFilterInternal(request, response, chain);
        } finally {
            SecurityContextHolder.clearContext();
            request.removeAttribute(FILTER_APPLIED);
        }
    } else {
        doFilterInternal(request, response, chain);
    }
}
```
On VMware vFabric tc Server and Tomcat, everything works fine. Do you have any ideas on how to solve this problem?
1 Answer
Investigating the problem, I noticed some confused cookies and references in the auth request.
For now, WildFly authentication works if you change the web application context to the root context:
After restarting WildFly and clearing cookies, everything should work as expected.
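A diagnostic filter, added here as an example and not code from the question's repository or from Spring Security, that makes the cookie and session symptom described above visible in the logs: it runs before Spring Security's chain and records, per request, whether the container resumed the session the browser referenced and whether that session already holds a stored SecurityContext. The class name is hypothetical, and it assumes a javax.servlet (Servlet 3.x) Spring Boot application in which @Order on a Filter bean controls registration order.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.stereotype.Component;

/**
 * Example diagnostic filter (hypothetical name, not part of the sample repository).
 * Runs before FilterChainProxy and logs whether the container resumed an existing
 * session and whether that session already holds a SecurityContext, so a session
 * cookie scoped to the wrong context path shows up in the log instead of as a
 * silently empty SecurityContextHolder on the next request.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SessionContinuityLoggingFilter implements Filter {

    private static final Logger LOG = LoggerFactory.getLogger(SessionContinuityLoggingFilter.class);

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create a session just to inspect it
        String requestedId = request.getRequestedSessionId();
        // true only if the browser sent a cookie for a session this container still knows
        boolean resumed = requestedId != null && request.isRequestedSessionIdValid();
        // key under which HttpSessionSecurityContextRepository keeps the context between requests
        boolean hasStoredContext = session != null
                && session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY) != null;
        LOG.info("{} {} contextPath='{}' requestedSessionId={} resumed={} storedSecurityContext={}",
                request.getMethod(), request.getRequestURI(), request.getContextPath(),
                requestedId, resumed, hasStoredContext);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

After the IdP posts its response back to the SP, the first request that follows should log resumed=true and storedSecurityContext=true; resumed=false at that point means the session cookie did not come back for this context path, which is the symptom the answer works around by deploying at the root context.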