I am trying to integrate SAML SSO for spring boot app, however, I want to configure the SAML response URL (consumer URL redirected by idp), to something other url, ex: /example/SAMLConsumer
Is is possible?
Yes, this is possible.
In the WebSSOProcessorFilter use the setFilterProcessUrl('desired_url')
make sure the filter added to the chain is mapped to same url pattern desired_url/**
re-generate Service Provider metadata (in case this is not automated generation).
Related
I can’t seem to figure out how to use two different IDPS and 2 different applications URLs. I had this working on weblogic but not with a spring boot application using the spring saml security.
One important part is that we have two different URLs.
Proxy URL for external users. They must use this URL as they are not in the network.
a. These users hit IDP-A
Internal URL for internal users.
b. These users hit IDP-B
The metadata we sent to the each of the IDPs use the same entity ID but different endpoint URLs.
One thing we did was turn on discovery and where able to hit each IDP but it always redirects us to the internal URL. I noticed that AssertionConsumerServiceUrl is always set to the internal URL, which explains why it is returned to is the same. In our weblogic implementation we do not send AssertionConsumerServiceUrl.
Can we exclude AssertionConsumerServiceUrl?
Do you know if the configuration I am attempting to do is even possible?
you can autowire the MetadataManager bean in your service and then call the addMetadataProvider to inititate a metadata.
You can get the entityId from the Metadata Obtained from IDP and can append to the url :
'http:///saml/login?idp=' by hitting this url it will redirect you to appropriate IDP login.
I have searched enough but I haven't got a clear answer and thus posting this question.
I have an existing application which uses spring security for authentication.
Current implementation uses a custom implementation of UsernamePasswordAuthenticationFilter for doing this.
Thus the flow is something like below(in very simple terms):
inputrequest>DelegatingFilterProxy>LoginUrlAuthenticationEntryPoint>CustomUsernamePasswordAuthenticationFilter>AuthenticationManager>CustomAuthenticationProvider
Now I have a requirement to implement SSO (since the user is already asusmed to be authenticated) in some scenarios.
The requirement states that if I have a specific request parameter present then I need to automatically authenticate the request without bothering about user/password.
So it is same set of resources and I do not have to authenticate user/password if the specific SSO related request parameter is present.
e.g
suppose a resource \test\bus is a secure resource.
if I come from normal way then we need to check if the user is authenticated or nor and force user to put valid user/password
if I come from SSO channel then I need to show the \test\bus resource as the user is already authenticated.
currently all the access restrictions are put through <http> element
e.g the snippet of security-config.xml is as follows:
Query: What options do I have in this case. I can think of below options:
Pre-authenticate the user before spring security framework kicks in. This will mean creating an authentication token and putting in spring context before spring security filter is called. This can be done through another filter which is called before spring security filter chain. I have tested it and it works.
Create another custom security filter which set-up the authentication token. I am not clear if this is correct approach as not sure when do we create multiple custom security filter
Create another custom authentication provider e.g SSOCustomAuthenticationProvider. This provider will be called in the existing current flow as we can have multiple authentication providers to a authentication manager. The only issue is that in order to achieve this I have to change the request url to authentication filter's target url so that spring security doesn't check for authentication.
to explain more,
let's say request uri is /test/bus, I will write a filter which will intercept the request and change it to /test/startlogin. This is currently my CustomUsernamePasswordAuthenticationFilter's target url i.e
<property name="filterProcessesUrl" value="/test/startlogin"/>
The flow will be
inputrequest>DelegatingFilterProxy>LoginUrlAuthenticationEntryPoint>CustomUsernamePasswordAuthenticationFilter>AuthenticationManager>SSOCustomAuthenticationProvider
I have tested this and this works. Is this a valid approach or a hack.
Is there any other viable option available with me.
Thanks for reading this.
I have built a simple Spring Boot application that acts as an OAuth 2.0 client using the #EnableOAuth2Client annotation. My application is creating an OAuth2RestTemplate and the OAuth dance succeeds nicely.
The problem is that when I access my application e.g. at http://localhost:8080/someRequest (where the method serving this resource uses the OAuth2RestTemplate#getObject method to retrieve some remote resources, I end up with sth. like http://localhost:8080/someRequest?code=ABC&state=DEF in my browser.
Is there a way to get rid of these parameters using some Spring configuration magic or do I have to do that myself? I saw that the sample Tonr application suffers from the same problem.
The issue is that you have to handle the callback url that u have registered with OAuth2 provider. when you transfer code and state parameter to the provider Server for access token and refresh token, the provider sends request back to ur callback URL with access token. In callback URL u now have to check if access token is available, you redirect to the original request(u need to save original request before OAuth2 dance).
I know this stuff theoretically, but didnot find Spring-Security-OAuth2 example for handling the callback URL.
I asked same question, but didnot get any answer.
OAuth2 Dance With Spring Security
However without using spring security, i found one link which shows handling callback url manually.It will help u in understanding the flow.
Google Handle callback URl
If u found any example of spring secrity handling callback url , Share with me.
I found this as an issue with spring security oAuth2. Check this JIRA Issue
I need to submit a simple and unique request to a web service hosted inside a regular web based Grails application which is secured with Spring Security plugin. My request should look like:
curl -F username=john password=mypass message="Hello World" http://localhost:8080/myapp/restapi/echo
No work flow, just an unique request and I'm done.
I have a simple secured controller to respond to this request as follows:
#Secured(["ROLE_REST_CLIENT"])
class RestapiController {
def echo() {
respond params.message
}
}
The issue here is that spring security default behavior is to redirect any new request to the login page. How can I change that, search the http params for the user name and password, register the user and go on TO the requested controller action, all in the same unique stateless request?
I had a look at Spring Security REST Plugin but it is aimed to provide a token-based work flow which isn't exactly what I need. (I would also appreciate some guidance to this work flow approach as an optional solution)
I'm looking for a way to secure a web service whereby the user id is to be got from the request headers.
The ssl handshake is taken care of so I'm not sure if I need to use a subclass of org.springframework.ws.soap.security.AbstractWsSecurityInterceptor
Once the user id is got from the request then I'd like to use the standard spring security to authenticate the user as I am already doing this for spring mvc projects.
Thanks
I have used XwsSecurityInterceptor (one of the implementations of AbstractWsSecurityInterceptor) succesfully for a few projects. I'm not sure if the way of passing the userId is already defined or that you can propose using xws-security instead.
If the way of passing the id is already defined, creating a new implementation of AbstractWsSecurityInterceptor shouldn't be too much trouble. Take a look at the handleRequest method where you can access the soap request and check for the header.
You can simply wire up the new security interceptor in the endpoint mapping to debug it.