Spring安全SAML SSO重定向到控制器

Question

在IdP启动的设置中，使用代码片段重定向到控制器(/bootstrap/v1)：

public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
    SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    successRedirectHandler.setDefaultTargetUrl("/bootstrap/v1");
    return successRedirectHandler;
}

控制器代码片段：

public class BootstrapController extends ParentController {

    @RequestMapping(value = "/v1", method = RequestMethod.POST)
    public ResponseEntity<BootstrapResponseDto> bootstrap(@RequestBody BootstrapRequestDto bootstrapRequestDto, @RequestHeader(value = "MAC-ADDRESS", required = false) String macAddress) {

        myAppUserDetails userDetails = SecurityContextUtils.getUserDetails();

        BootstrapResponseDto bootstrapResponseDto = new BootstrapResponseDto();

        // some app specific logic goes here...

        return new ResponseEntity<>(bootstrapResponseDto, HttpStatus.OK);
    }
}

调试级别日志片段：

11-29-2018 13:33:53 e7a5edb2-4051-4132-bad0-856d58af1c7d ZDJhMWExYWUtZTAxNy00NDQwLWJmOTctNzcyNTJlOWUyNmQ2信息http-nio-8080-exec-6 Spring安全调试器：

收到的邮寄请求“/saml/SSO”：

org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper@28cc5b21

servletPath:/saml/SSO路径信息:空头:主机: localhost:8080用户代理: Mozilla/5.0 (Macintosh；Intel 10.13；rv:63.0) Gecko/20100101 Firefox/63.0接受: text/html，application/xhtml+xml，application/xml;q=0.9，/;q=0.8接受语言: en-US，en；接受编码: gzip，压缩内容类型: application/x-www-form-urlencoded内容-长度: 11320 dnt: 1连接:保持活动cookie: JSESSIONID=ZDJhMWExYWUtZTAxNy00NDQwLWJmOTctNzcyNTJlOWUyNmQ2升级-不安全-请求:1

安全过滤链：[ MetadataGeneratorFilter ]

WebAsyncManagerIntegrationFilter SecurityContextPersistenceFilter

CustomLogFilter HeaderWriterFilter LogoutFilter

UsernamePasswordAuthenticationFilter BasicAuthenticationFilter

FilterChainProxy RequestCacheAwareFilter

SecurityContextHolderAwareRequestFilter

AnonymousAuthenticationFilter SessionManagementFilter

ExceptionTranslationFilter FilterSecurityInterceptor ]

11-29-2018 13:33:53 e7a5edb2-4051-4132-bad0-856d58af1c7d http-nio-8080-exec-6 o.o.c.b.s.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:验证协议消息签名成功，消息类型：{urn:oasis:names:tc:SAML:2.0:protocol}Response 11-29-2018 13:33:53 e7a5edb2-4051-4132-bad0-856d58af1cZDJhMWExYWUtZTAxNy00NDQwLWJmOTctNzcyNTJlOWUyNmQ2信息http-nio-8080-exec-7 Spring安全调试器：

收到了GET‘/bootstrap/v1’的请求：

org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper@5f9e2aff

servletPath:/bootstrap/v1路径信息:空头:主机: localhost:8080用户-代理: Mozilla/5.0 (Macintosh；Intel 10.13；rv:63.0) Gecko/20100101火狐/63.0接受: text/html，application/xhtml+xml，application/xml;q=0.9，/;q=0.8接受-语言: en-US，en;q=0.5接受-编码: gzip，缩减dnt: 1连接:保持-连接:升级-不安全-请求:1

安全过滤链：[ MetadataGeneratorFilter ]

WebAsyncManagerIntegrationFilter SecurityContextPersistenceFilter

CustomLogFilter HeaderWriterFilter LogoutFilter

UsernamePasswordAuthenticationFilter BasicAuthenticationFilter

FilterChainProxy RequestCacheAwareFilter

SecurityContextHolderAwareRequestFilter

AnonymousAuthenticationFilter SessionManagementFilter

ExceptionTranslationFilter FilterSecurityInterceptor ]

11-29-2018 13:33:53 e7a5edb2-4051-4132-bad0-856d58af1c7d警告http-nio-8080-exec-7 o.s.w.s.PageNotFound:不支持请求方法'GET‘

ExpiringUsernameAuthenticationToken设置为返回：

org.springframework.security.providers.ExpiringUsernameAuthenticationToken@fee70636:主体:com.security.Authentication.@325fcf8b；凭据:受保护；身份验证:真；详细信息: null；授予权限: authority_1、authority_2、authority_3、authority_4

因此，我猜我的SAML验证和用户身份验证&授权是好的。

似乎我面临的问题是HTTP无法工作。

如何配置和提交HTTP？或者我应该重构我的控制器来处理行为(这可能破坏应用程序身份验证的一部分基于表单的登录)？

HTTP状态405 -方法不允许错误

Answer 1

我认为这个问题与SAML无关，而是一个通用的Spring安全问题。此外，您也没有指定身体BootstrapRequestDto来自何处。

您有一个SuccessHandler，它执行重定向：

successRedirectHandler.setDefaultTargetUrl("/bootstrap/v1"); --执行GET

并且您有一个控制器只接受POST。你还没说明那具身体是从哪里来的？

您将需要编写一个自定义成功处理程序，发出一个post(可能是javascript自动提交表单？)，或者只需更改您的控制器以也接受GET。

public class BootstrapController extends ParentController {

    @RequestMapping(value = "/v1", method = RequestMethod.GET)
    public ResponseEntity<BootstrapResponseDto> bootstrap() {

        myAppUserDetails userDetails = SecurityContextUtils.getUserDetails();
        BootstrapResponseDto bootstrapResponseDto = new bootstrapResponseDto();

        // some app specific logic goes here...
        return new ResponseEntity<>(bootstrapResponseDto, HttpStatus.OK);
    }

    @RequestMapping(value = "/v1", method = RequestMethod.POST)
    public ResponseEntity<BootstrapResponseDto> bootstrap(@RequestBody BootstrapRequestDto bootstrapRequestDto, @RequestHeader(value = "MAC-ADDRESS", required = false) String macAddress) {

        myAppUserDetails userDetails = SecurityContextUtils.getUserDetails();

        BootstrapResponseDto bootstrapResponseDto = new BootstrapResponseDto();

        // some app specific logic goes here...

        return new ResponseEntity<>(bootstrapResponseDto, HttpStatus.OK);
    }
}