Spring Security SAML OpenAM

I am trying to develop a web application with an Angular 2 front end and a Spring Boot REST backend.

I need to manage three types of authentication:

  • basic login / password against the database
  • LDAP authentication
  • SSO authentication

When the user is authenticated, the backend generates a JWT and sends it to the front end. All requests must carry the JWT in a header to communicate with the REST backend.

Currently my web security configuration is:

```java
import static org.springframework.security.config.http.SessionCreationPolicy.STATELESS;

import java.nio.charset.Charset;

import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.transaction.annotation.EnableTransactionManagement;
import org.springframework.web.filter.CorsFilter;

// Project-specific classes used below (DataBaseAuthentificationProvider,
// JwtTokenAuthenticationFilter, SimpleCORSFilter, SecurityAuthenticationEntryPoint,
// RestAccessDeniedHandler, CsrfHeaderFilter) are not shown in the question.

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableTransactionManagement
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String LDAP_AUTHENTIFICATION = "ldap";
    private static final String SSO_AUTHENTIFICATION = "sso";

    @Autowired
    private DataBaseAuthentificationProvider authProvider;

    @Value("${ldap.provider.url}")
    private String ldapProviderUrl;

    @Value("${ldap.user.dn.patterns}")
    private String userDnPatterns;

    @Value("${authentification.type}")
    private String authentificationType;

    public WebSecurityConfiguration() {
        /*
         * Ignores the default configuration, useless in our case (session
         * management, etc.)
         */
        super(true);
    }

    /**
     * Configure AuthenticationManagerBuilder to use the specified
     * DetailsService.
     *
     * @param auth the {@link AuthenticationManagerBuilder} to use
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        if (StringUtils.equals(authentificationType, LDAP_AUTHENTIFICATION)) {
            // LDAP
            auth.ldapAuthentication().userDnPatterns(userDnPatterns).contextSource().url(ldapProviderUrl);
        } else if (StringUtils.equals(authentificationType, SSO_AUTHENTIFICATION)) {
            // SSO
        } else {
            // Database
            auth.authenticationProvider(authProvider);
        }
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        /*
         * Overridden to expose the AuthenticationManager bean created by
         * configure(AuthenticationManagerBuilder). This bean is used by the
         * AuthenticationController.
         */
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        /*
         * The secret key used to sign the JWT is known exclusively by the
         * server. With the Nimbus JOSE implementation an HMAC key must be at
         * least 256 bits (32 bytes) long.
         */
        String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
                Charset.defaultCharset());

        httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
                .addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
                /*
                 * Exception management is handled by the
                 * authenticationEntryPoint (for exceptions related to
                 * authentication) and by the AccessDeniedHandler (for
                 * exceptions related to access rights)
                 */
                .exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
                .accessDeniedHandler(new RestAccessDeniedHandler()).and()
                /*
                 * anonymous() considers no authentication as being anonymous
                 * instead of null in the security context.
                 */
                .anonymous().and()
                /* No HTTP session is used to get the security context */
                .sessionManagement().sessionCreationPolicy(STATELESS).and()
                .authorizeRequests()
                /*
                 * All access to the authentication service is permitted
                 * without authentication (actually as anonymous)
                 */
                .antMatchers("/auth/**").permitAll()
                /*
                 * All the other requests need an authentication. Role access is
                 * done on methods using annotations like @PreAuthorize
                 */
                .anyRequest().authenticated().and()
                .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
                .csrf().csrfTokenRepository(csrfTokenRepository()).disable();
    }

    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        // X-XSRF-TOKEN is the header name Angular uses by default.
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

    private JwtTokenAuthenticationFilter jwtTokenAuthenticationFilter(String path, String secret) {
        return new JwtTokenAuthenticationFilter(path, secret);
    }
}
```

Critical Point - SSO:

The behavior I would like is the following:

The client requests a secure REST resource:

  • if the user is already logged in to OpenAM => the resource is returned
  • if the user is not logged in yet => the user is redirected to OpenAM and provides their credentials => the user can access the resource

First, I enabled OpenAM on the virtual machine, created SAMLv2 providers, and got my idp.xml.

I am trying to use https://github.com/vdenotaris/spring-boot-security-saml-sample to add SSO authentication, but it does not work.

Can anyone give me the steps to integrate this into my web security configuration?

Thanks!

+7
java spring-security single-sign-on openam
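The following is an added example, not code from the question or from the linked sample project, showing one way to fill the empty SSO branch of the configuration above with the spring-security-saml extension. It assumes that a `SAMLAuthenticationProvider`, a `SAMLEntryPoint` and a `MetadataGeneratorFilter` are already declared as beans (for instance as in the vdenotaris sample, which also builds the `MetadataManager` from `idp.xml`), and the class name is made up for the example:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.SAMLProcessingFilter;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// Example class (assumed name), wiring SAML web SSO into a WebSecurityConfigurerAdapter.
@Configuration
@EnableWebSecurity
public class SamlSsoSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumed beans from the spring-security-saml extension: the provider that
    // validates the signed assertion, the entry point that redirects browsers to
    // the IdP (OpenAM), and the filter that publishes this SP's metadata so that
    // OpenAM can import it.
    @Autowired private SAMLAuthenticationProvider samlAuthenticationProvider;
    @Autowired private SAMLEntryPoint samlEntryPoint;
    @Autowired private MetadataGeneratorFilter metadataGeneratorFilter;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // This is the "SSO" branch of the question's configure(): assertions are
        // checked by the SAML provider instead of LDAP or the database.
        auth.authenticationProvider(samlAuthenticationProvider);
    }

    // Consumes the SAML response OpenAM POSTs to /saml/SSO (the filter's default
    // processing URL) and turns it into an Authentication via the provider above.
    @Bean
    public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
        SAMLProcessingFilter filter = new SAMLProcessingFilter();
        filter.setAuthenticationManager(authenticationManager());
        // Sends the browser back to the protected resource it originally asked
        // for; issuing the application's JWT would go in a custom success handler.
        filter.setAuthenticationSuccessHandler(new SavedRequestAwareAuthenticationSuccessHandler());
        SimpleUrlAuthenticationFailureHandler failure = new SimpleUrlAuthenticationFailureHandler();
        failure.setDefaultFailureUrl("/error");
        filter.setAuthenticationFailureHandler(failure);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The SAML redirect dance stores state in the HTTP session, so a
            // fully STATELESS policy cannot be used for the SSO flow.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).and()
            // Unauthenticated browsers are redirected to OpenAM rather than
            // answered with a 401 (the "not logged in yet" case of the question).
            .exceptionHandling().authenticationEntryPoint(samlEntryPoint).and()
            // Serves SP metadata at /saml/metadata before any security decision.
            .addFilterBefore(metadataGeneratorFilter, ChannelProcessingFilter.class)
            .addFilterAfter(samlWebSSOProcessingFilter(), BasicAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/saml/**", "/auth/**").permitAll()
                .anyRequest().authenticated()
            .and()
            // The IdP's POST to /saml/SSO carries no CSRF token; the SAML
            // response itself is signed, so only that path is exempted.
            .csrf().ignoringAntMatchers("/saml/**");
    }
}
```

Two points matter when merging this with the question's configuration: the JWT filter can stay in front of the chain so API calls that already carry a token never reach the SAML entry point, and the success handler is the natural place to mint that JWT once the assertion has been accepted, so that the front end can switch from the browser session to header-based calls.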

No one has answered this question yet.
