Spring Security
If Spring Security is on the classpath, then web applications are secured by default.
This includes securing Spring Boot's /error endpoint.
Spring Boot relies on Spring Security's content-negotiation strategy to determine whether to use httpBasic or formLogin.
To add method-level security to a web application, you can also add @EnableMethodSecurity with your desired settings.
Additional information can be found in the Spring Security Reference Guide.
The default UserDetailsService has a single user.
The user name is user, and the password is random and is printed at WARN level when the application starts, as shown in the following example:
Using generated security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
This generated password is for development use only. Your security configuration must be updated before running your application in production.
If you fine-tune your logging configuration, ensure that the org.springframework.boot.security.autoconfigure category is set to log WARN-level messages.
Otherwise, the default password is not printed.
You can change the username and password by providing spring.security.user.name and spring.security.user.password.
The basic features you get by default in a web application are:
- A UserDetailsService (or ReactiveUserDetailsService for a WebFlux application) bean with an in-memory store and a single user with a generated password (see SecurityProperties.User for the properties of the user).
- Form-based login or HTTP Basic security (depending on the Accept header in the request) for the entire application (including actuator endpoints if Actuator is on the classpath).
- A DefaultAuthenticationEventPublisher for publishing authentication events.
You can provide a different AuthenticationEventPublisher by adding a bean for it.
MVC Security
The default security configuration is implemented in SecurityAutoConfiguration and UserDetailsServiceAutoConfiguration. SecurityAutoConfiguration imports SpringBootWebSecurityConfiguration for web security and UserDetailsServiceAutoConfiguration for authentication.
To completely switch off the default web application security configuration, including Actuator security, or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, add a bean of type SecurityFilterChain (doing so does not disable the UserDetailsService configuration).
To also switch off the UserDetailsService configuration, add a bean of type UserDetailsService, AuthenticationProvider, or AuthenticationManager.
The auto-configured UserDetailsService also backs off when any of the following Spring Security modules is on the classpath:
- spring-security-oauth2-client
- spring-security-oauth2-resource-server
- spring-security-saml2-service-provider
To use a UserDetailsService in addition to one or more of these dependencies, define your own InMemoryUserDetailsManager bean.
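As an added example (not code from the Spring Boot reference page), the following servlet configuration defines both bean types described above, so the auto-configured filter chain and the generated-password user are both replaced. The user name ops, the role OPS, the property app.ops.password, and the /actuator path (the default management.endpoints.web.base-path) are illustrative assumptions.

```java
// Added example, not part of the Spring Boot documentation.
// Assumptions: an "ops" user whose password comes from the app.ops.password
// property, and actuator endpoints under the default /actuator base path.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
public class MyMvcSecurityConfiguration {

    // A SecurityFilterChain bean switches off SpringBootWebSecurityConfiguration,
    // so every access rule, including the ones Boot applied to actuator
    // endpoints, is now defined here.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) {
        http.authorizeHttpRequests((requests) -> requests
                .requestMatchers("/actuator/health").permitAll()   // liveness probes
                .requestMatchers("/actuator/**").hasRole("OPS")    // everything else needs OPS
                .anyRequest().authenticated());
        http.httpBasic(Customizer.withDefaults());
        http.formLogin(Customizer.withDefaults());
        return http.build();
    }

    // Delegating encoder: stored values carry an algorithm id prefix such as
    // "{bcrypt}", so the hash can be upgraded later without re-registering users.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // A UserDetailsService bean switches off UserDetailsServiceAutoConfiguration
    // and with it the "user" account with the generated password.
    @Bean
    InMemoryUserDetailsManager userDetailsService(PasswordEncoder encoder,
            @Value("${app.ops.password}") String opsPassword) {
        UserDetails ops = User.withUsername("ops")
                .password(encoder.encode(opsPassword)) // hash, never store clear text
                .roles("OPS")
                .build();
        return new InMemoryUserDetailsManager(ops);
    }

}
```

With a SecurityFilterChain bean present, the rules Boot would otherwise apply to actuator endpoints no longer exist; anything not matched falls through to anyRequest().authenticated(). The encode() call matters: the password is compared through the PasswordEncoder bean, so storing the raw value (or a {noop}-prefixed one) would defeat the point of configuring an encoder.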
WebFlux Security
Similar to Spring MVC applications, you can secure your WebFlux applications by adding the spring-boot-starter-security dependency.
The default security configuration is implemented in ReactiveWebSecurityAutoConfiguration and ReactiveUserDetailsServiceAutoConfiguration. ReactiveWebSecurityAutoConfiguration imports WebFluxSecurityConfiguration for web security and ReactiveUserDetailsServiceAutoConfiguration for authentication.
In addition to reactive web applications, the latter is also auto-configured when RSocket is in use.
To completely switch off the default web application security configuration, including Actuator security, add a bean of type WebFilterChainProxy (doing so does not disable the ReactiveUserDetailsService configuration).
To also switch off the ReactiveUserDetailsService configuration, add a bean of type ReactiveUserDetailsService or ReactiveAuthenticationManager.
The auto-configuration also backs off when any of the following Spring Security modules is on the classpath:
- spring-security-oauth2-client
- spring-security-oauth2-resource-server
To use a ReactiveUserDetailsService in addition to one or more of these dependencies, define your own MapReactiveUserDetailsService bean.
Access rules and the use of multiple Spring Security components such as OAuth 2 Client and Resource Server can be configured by adding a custom SecurityWebFilterChain bean.
Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources. EndpointRequest can be used to create a ServerWebExchangeMatcher that is based on the management.endpoints.web.base-path property.
PathRequest can be used to create a ServerWebExchangeMatcher for resources in commonly used locations.
For example, you can customize your security configuration by adding something like:
Java:
import org.springframework.boot.security.autoconfigure.web.reactive.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration(proxyBeanMethods = false)
public class MyWebFluxSecurityConfiguration {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange((exchange) -> {
            exchange.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
            exchange.pathMatchers("/foo", "/bar").authenticated();
        });
        http.formLogin(withDefaults());
        return http.build();
    }

}

Kotlin:
import org.springframework.boot.security.autoconfigure.web.reactive.PathRequest
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.Customizer.withDefaults
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain

@Configuration(proxyBeanMethods = false)
class MyWebFluxSecurityConfiguration {

    @Bean
    fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http.authorizeExchange { spec ->
            spec.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
            spec.pathMatchers("/foo", "/bar").authenticated()
        }
        http.formLogin(withDefaults())
        return http.build()
    }

}
OAuth2
OAuth2 is a widely used authorization framework that is supported by Spring.
Client
If you have spring-security-oauth2-client on your classpath, you can take advantage of some auto-configuration to set up OAuth2/OpenID Connect clients.
This configuration makes use of the properties under OAuth2ClientProperties.
The same properties are applicable to both servlet and reactive applications.
You can register multiple OAuth2 clients and providers under the spring.security.oauth2.client prefix, as shown in the following example:
Properties:
spring.security.oauth2.client.registration.my-login-client.client-id=abcd
spring.security.oauth2.client.registration.my-login-client.client-secret=password
spring.security.oauth2.client.registration.my-login-client.client-name=Client for OpenID Connect
spring.security.oauth2.client.registration.my-login-client.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-login-client.scope=openid,profile,email,phone,address
spring.security.oauth2.client.registration.my-login-client.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.my-login-client.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-login-client.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.my-client-1.client-id=abcd
spring.security.oauth2.client.registration.my-client-1.client-secret=password
spring.security.oauth2.client.registration.my-client-1.client-name=Client for user scope
spring.security.oauth2.client.registration.my-client-1.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-1.scope=user
spring.security.oauth2.client.registration.my-client-1.redirect-uri={baseUrl}/authorized/user
spring.security.oauth2.client.registration.my-client-1.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-client-1.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.my-client-2.client-secret=password
spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-2.scope=email
spring.security.oauth2.client.registration.my-client-2.redirect-uri={baseUrl}/authorized/email
spring.security.oauth2.client.registration.my-client-2.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=https://my-auth-server.com/oauth2/authorize
spring.security.oauth2.client.provider.my-oauth-provider.token-uri=https://my-auth-server.com/oauth2/token
spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=https://my-auth-server.com/userinfo
spring.security.oauth2.client.provider.my-oauth-provider.user-info-authentication-method=header
spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=https://my-auth-server.com/oauth2/jwks
spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=name

YAML:
spring:
  security:
    oauth2:
      client:
        registration:
          my-login-client:
            client-id: "abcd"
            client-secret: "password"
            client-name: "Client for OpenID Connect"
            provider: "my-oauth-provider"
            scope: "openid,profile,email,phone,address"
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            client-authentication-method: "client_secret_basic"
            authorization-grant-type: "authorization_code"
          my-client-1:
            client-id: "abcd"
            client-secret: "password"
            client-name: "Client for user scope"
            provider: "my-oauth-provider"
            scope: "user"
            redirect-uri: "{baseUrl}/authorized/user"
            client-authentication-method: "client_secret_basic"
            authorization-grant-type: "authorization_code"
          my-client-2:
            client-id: "abcd"
            client-secret: "password"
            client-name: "Client for email scope"
            provider: "my-oauth-provider"
            scope: "email"
            redirect-uri: "{baseUrl}/authorized/email"
            client-authentication-method: "client_secret_basic"
            authorization-grant-type: "authorization_code"
        provider:
          my-oauth-provider:
            authorization-uri: "https://my-auth-server.com/oauth2/authorize"
            token-uri: "https://my-auth-server.com/oauth2/token"
            user-info-uri: "https://my-auth-server.com/userinfo"
            user-info-authentication-method: "header"
            jwk-set-uri: "https://my-auth-server.com/oauth2/jwks"
            user-name-attribute: "name"
For OpenID Connect providers that support OpenID Connect discovery, the configuration can be simplified further.
The provider needs to be configured with an issuer-uri, which is the URI that it asserts as its Issuer Identifier.
For example, if the issuer-uri provided is "https://example.com", then an "OpenID Provider Configuration Request" is made to "https://example.com/.well-known/openid-configuration".
The result is expected to be an "OpenID Provider Configuration Response".
The following example shows how an OpenID Connect provider can be configured with the issuer-uri:
Properties:
spring.security.oauth2.client.provider.oidc-provider.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/

YAML:
spring:
  security:
    oauth2:
      client:
        provider:
          oidc-provider:
            issuer-uri: "https://dev-123456.oktapreview.com/oauth2/default/"
By default, Spring Security's OAuth2LoginAuthenticationFilter only processes URLs matching /login/oauth2/code/*.
If you want to customize the redirect-uri to use a different pattern, you need to provide configuration to process that custom pattern.
For example, for servlet applications, you can add your own SecurityFilterChain that resembles the following:
Java:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
public class MyOAuthClientConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) {
        http
            .authorizeHttpRequests((requests) -> requests
                .anyRequest().authenticated()
            )
            .oauth2Login((login) -> login
                .redirectionEndpoint((endpoint) -> endpoint
                    .baseUri("/login/oauth2/callback/*")
                )
            );
        return http.build();
    }

}

Kotlin:
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
open class MyOAuthClientConfiguration {

    @Bean
    open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            authorizeHttpRequests {
                authorize(anyRequest, authenticated)
            }
            oauth2Login {
                redirectionEndpoint {
                    baseUri = "/login/oauth2/callback/*"
                }
            }
        }
        return http.build()
    }

}
Spring Boot auto-configures an InMemoryOAuth2AuthorizedClientService, which Spring Security uses to manage authorized clients.
The InMemoryOAuth2AuthorizedClientService has limited capabilities, and we recommend using it only for development environments.
For production environments, consider using a JdbcOAuth2AuthorizedClientService or creating your own implementation of OAuth2AuthorizedClientService.
OAuth2 Client Registration for Common Providers
For common OAuth2 and OpenID providers, including Google, GitHub, Facebook, and Okta, we provide a set of provider defaults (google, github, facebook, and okta, respectively).
If you do not need to customize these providers, you can set the provider attribute to the one for which you need to infer defaults.
Also, if the key for the client registration matches a default supported provider, Spring Boot infers that as well.
In other words, the two configurations in the following example use the Google provider:
Properties:
spring.security.oauth2.client.registration.my-client.client-id=abcd
spring.security.oauth2.client.registration.my-client.client-secret=password
spring.security.oauth2.client.registration.my-client.provider=google
spring.security.oauth2.client.registration.google.client-id=abcd
spring.security.oauth2.client.registration.google.client-secret=password

YAML:
spring:
  security:
    oauth2:
      client:
        registration:
          my-client:
            client-id: "abcd"
            client-secret: "password"
            provider: "google"
          google:
            client-id: "abcd"
            client-secret: "password"
Resource Server
If you have spring-security-oauth2-resource-server on your classpath, Spring Boot can set up an OAuth2 Resource Server.
For JWT configuration, a JWK Set URI or an OIDC Issuer URI needs to be specified, as shown in the following examples:
Properties:
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://example.com/oauth2/default/v1/keys

YAML:
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: "https://example.com/oauth2/default/v1/keys"

Properties:
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/

YAML:
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: "https://dev-123456.oktapreview.com/oauth2/default/"
If the authorization server does not support a JWK Set URI, you can configure the resource server with the public key used for verifying the signature of the JWT.
This can be done using the spring.security.oauth2.resourceserver.jwt.public-key-location property, where the value needs to point to a file containing the public key in PEM-encoded X.509 format.
The spring.security.oauth2.resourceserver.jwt.audiences property can be used to specify the expected values of the aud claim in JWTs.
For example, to require JWTs to contain an aud claim with the value my-audience:
Properties:
spring.security.oauth2.resourceserver.jwt.audiences[0]=my-audience

YAML:
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          audiences:
            - "my-audience"
The same properties are applicable to both servlet and reactive applications.
Alternatively, you can define your own JwtDecoder bean for servlet applications or a ReactiveJwtDecoder bean for reactive applications.
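As an added example (not code from the page), the JwtDecoder bean below reproduces in code what the issuer-uri and audiences properties configure, so the individual validation steps are visible. The issuer and audience values are taken from the property examples above; the class name and the choice to treat a missing aud claim as a failure are assumptions.

```java
// Added example, not part of the Spring Boot documentation.
// Assumptions: the issuer and audience values below are the ones from the
// property examples; a token without an aud claim is rejected.
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration(proxyBeanMethods = false)
public class MyResourceServerConfiguration {

    private static final String ISSUER = "https://dev-123456.oktapreview.com/oauth2/default/";
    private static final String AUDIENCE = "my-audience";

    @Bean
    JwtDecoder jwtDecoder() {
        // Discovery: reads the provider configuration from the issuer's well-known
        // location and uses the advertised jwks_uri to resolve signing keys.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();

        // Default validators (exp and nbf with clock skew) plus "iss must equal ISSUER".
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);

        // Audience check, the code equivalent of the audiences property. A token
        // minted for a different API is rejected even though its signature is valid.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, (aud) -> aud != null && aud.contains(AUDIENCE));

        // All validators must pass; the first failure is reported.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, audience));
        return decoder;
    }

}
```

Defining this bean makes Boot's resource-server auto-configuration back off, so the spring.security.oauth2.resourceserver.jwt.* properties no longer take effect and every check you want has to be wired here. Signature verification on its own is not enough: without the issuer and audience validators, any correctly signed token from the same key set, including one issued for another API, would be accepted.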
In cases where opaque tokens are used instead of JWTs, you can configure the following properties to validate tokens through introspection:
Properties:
spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://example.com/check-token
spring.security.oauth2.resourceserver.opaquetoken.client-id=my-client-id
spring.security.oauth2.resourceserver.opaquetoken.client-secret=my-client-secret

YAML:
spring:
  security:
    oauth2:
      resourceserver:
        opaquetoken:
          introspection-uri: "https://example.com/check-token"
          client-id: "my-client-id"
          client-secret: "my-client-secret"
Again, the same properties are applicable to both servlet and reactive applications.
Alternatively, you can define your own OpaqueTokenIntrospector bean for servlet applications or a ReactiveOpaqueTokenIntrospector bean for reactive applications.
Authorization Server
If you have spring-security-oauth2-authorization-server on your classpath, you can take advantage of some auto-configuration to set up a servlet-based OAuth2 Authorization Server.
You can register multiple OAuth2 clients under the spring.security.oauth2.authorizationserver.client prefix, as shown in the following example:
Properties:
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-id=abcd
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-secret={noop}secret1
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-authentication-methods[0]=client_secret_basic
spring.security.oauth2.authorizationserver.client.my-client-1.registration.authorization-grant-types[0]=authorization_code
spring.security.oauth2.authorizationserver.client.my-client-1.registration.authorization-grant-types[1]=refresh_token
spring.security.oauth2.authorizationserver.client.my-client-1.registration.redirect-uris[0]=https://my-client-1.com/login/oauth2/code/abcd
spring.security.oauth2.authorizationserver.client.my-client-1.registration.redirect-uris[1]=https://my-client-1.com/authorized
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[0]=openid
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[1]=profile
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[2]=email
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[3]=phone
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[4]=address
spring.security.oauth2.authorizationserver.client.my-client-1.require-authorization-consent=true
spring.security.oauth2.authorizationserver.client.my-client-1.token.authorization-code-time-to-live=5m
spring.security.oauth2.authorizationserver.client.my-client-1.token.access-token-time-to-live=10m
spring.security.oauth2.authorizationserver.client.my-client-1.token.access-token-format=reference
spring.security.oauth2.authorizationserver.client.my-client-1.token.reuse-refresh-tokens=false
spring.security.oauth2.authorizationserver.client.my-client-1.token.refresh-token-time-to-live=30m
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-id=efgh
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-secret={noop}secret2
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-authentication-methods[0]=client_secret_jwt
spring.security.oauth2.authorizationserver.client.my-client-2.registration.authorization-grant-types[0]=client_credentials
spring.security.oauth2.authorizationserver.client.my-client-2.registration.scopes[0]=user.read
spring.security.oauth2.authorizationserver.client.my-client-2.registration.scopes[1]=user.write
spring.security.oauth2.authorizationserver.client.my-client-2.jwk-set-uri=https://my-client-2.com/jwks
spring.security.oauth2.authorizationserver.client.my-client-2.token-endpoint-authentication-signing-algorithm=RS256

YAML:
spring:
  security:
    oauth2:
      authorizationserver:
        client:
          my-client-1:
            registration:
              client-id: "abcd"
              client-secret: "{noop}secret1"
              client-authentication-methods:
                - "client_secret_basic"
              authorization-grant-types:
                - "authorization_code"
                - "refresh_token"
              redirect-uris:
                - "https://my-client-1.com/login/oauth2/code/abcd"
                - "https://my-client-1.com/authorized"
              scopes:
                - "openid"
                - "profile"
                - "email"
                - "phone"
                - "address"
            require-authorization-consent: true
            token:
              authorization-code-time-to-live: 5m
              access-token-time-to-live: 10m
              access-token-format: "reference"
              reuse-refresh-tokens: false
              refresh-token-time-to-live: 30m
          my-client-2:
            registration:
              client-id: "efgh"
              client-secret: "{noop}secret2"
              client-authentication-methods:
                - "client_secret_jwt"
              authorization-grant-types:
                - "client_credentials"
              scopes:
                - "user.read"
                - "user.write"
            jwk-set-uri: "https://my-client-2.com/jwks"
            token-endpoint-authentication-signing-algorithm: "RS256"
The client-secret property must be in a format that can be matched by the configured PasswordEncoder.
The default PasswordEncoder instance is created via PasswordEncoderFactories.createDelegatingPasswordEncoder().
The auto-configuration Spring Boot provides for Spring Authorization Server is designed for getting started quickly. Most applications will require customization and will want to define several beans to override the auto-configuration.
The following components can be defined as beans to override the auto-configuration specific to Spring Authorization Server:
Spring Boot auto-configures an InMemoryRegisteredClientRepository, which Spring Authorization Server uses to manage registered clients.
The InMemoryRegisteredClientRepository has limited capabilities, and we recommend using it only for development environments.
For production environments, consider using a JdbcRegisteredClientRepository or creating your own implementation of RegisteredClientRepository.
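As an added example (not code from the page) covering both notes above, the configuration below replaces the InMemoryRegisteredClientRepository with a JdbcRegisteredClientRepository and stores the client secret hashed through the delegating PasswordEncoder instead of in the {noop} form. The client values mirror my-client-1 from the property example; the JdbcOperations bean, a database table created from Spring Authorization Server's oauth2-registered-client-schema.sql, and the app.my-client-1.secret property are assumptions.

```java
// Added example, not part of the Spring Boot documentation.
// Assumptions: a JdbcOperations bean backed by a DataSource whose schema was
// created from Spring Authorization Server's oauth2-registered-client-schema.sql,
// and the raw client secret supplied via the app.my-client-1.secret property.
import java.time.Duration;
import java.util.UUID;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

@Configuration(proxyBeanMethods = false)
public class MyAuthorizationServerConfiguration {

    @Bean
    PasswordEncoder passwordEncoder() {
        // Same factory the auto-configuration uses; encodes to "{bcrypt}..." by default
        // and still matches legacy "{noop}" values during a migration.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // A RegisteredClientRepository bean replaces the in-memory one from the auto-configuration.
    @Bean
    RegisteredClientRepository registeredClientRepository(JdbcOperations jdbc, PasswordEncoder encoder,
            @Value("${app.my-client-1.secret}") String rawSecret) {
        JdbcRegisteredClientRepository repository = new JdbcRegisteredClientRepository(jdbc);
        if (repository.findByClientId("abcd") == null) {      // seed once, keep on restart
            repository.save(myClient1(encoder, rawSecret));
        }
        return repository;
    }

    static RegisteredClient myClient1(PasswordEncoder encoder, String rawSecret) {
        return RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("abcd")
                // Hashed before it is persisted: the "{noop}secret1" form above keeps the
                // secret in clear text and is only acceptable for local development.
                .clientSecret(encoder.encode(rawSecret))
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                // Exact-match redirect URIs; no wildcards, so a code cannot be sent elsewhere.
                .redirectUri("https://my-client-1.com/login/oauth2/code/abcd")
                .redirectUri("https://my-client-1.com/authorized")
                .scope(OidcScopes.OPENID)
                .scope(OidcScopes.PROFILE)
                .scope(OidcScopes.EMAIL)
                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                .tokenSettings(TokenSettings.builder()
                        .authorizationCodeTimeToLive(Duration.ofMinutes(5))
                        .accessTokenTimeToLive(Duration.ofMinutes(10))
                        .accessTokenFormat(OAuth2TokenFormat.REFERENCE) // opaque, introspected
                        .reuseRefreshTokens(false)                      // rotate on every refresh
                        .refreshTokenTimeToLive(Duration.ofMinutes(30))
                        .build())
                .build();
    }

}
```

The encoded secret is what ends up in the oauth2_registered_client table, so a dump of that table no longer yields usable client credentials. Keeping the raw secret out of source and configuration files (here it is injected from a property, which in turn should come from a secret store) is the other half of that.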
Additional information can be found in the Getting Started chapter of the Spring Security Reference Documentation.
SAML 2.0
Relying Party
If you have spring-security-saml2-service-provider on your classpath, you can take advantage of some auto-configuration to set up a SAML 2.0 Relying Party.
This configuration makes use of the properties under Saml2RelyingPartyProperties.
A relying party registration represents a paired configuration between an Identity Provider (IDP) and a Service Provider (SP).
You can register multiple relying parties under the spring.security.saml2.relyingparty prefix, as shown in the following example:
Properties:
spring.security.saml2.relyingparty.registration.my-relying-party1.signing.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party1.signing.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party1.decryption.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party1.decryption.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.url=https://myapp/logout/saml2/slo
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.response-url=https://remoteidp2.slo.url
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.binding=POST
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.verification.credentials[0].certificate-location=path-to-verification-cert
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.entity-id=remote-idp-entity-id1
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.sso-url=https://remoteidp1.sso.url
spring.security.saml2.relyingparty.registration.my-relying-party2.signing.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party2.signing.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party2.decryption.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party2.decryption.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.verification.credentials[0].certificate-location=path-to-other-verification-cert
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.entity-id=remote-idp-entity-id2
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.sso-url=https://remoteidp2.sso.url
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.url=https://remoteidp2.slo.url
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.response-url=https://myapp/logout/saml2/slo
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.binding=POST

YAML:
spring:
  security:
    saml2:
      relyingparty:
        registration:
          my-relying-party1:
            signing:
              credentials:
                - private-key-location: "path-to-private-key"
                  certificate-location: "path-to-certificate"
            decryption:
              credentials:
                - private-key-location: "path-to-private-key"
                  certificate-location: "path-to-certificate"
            singlelogout:
              url: "https://myapp/logout/saml2/slo"
              response-url: "https://remoteidp2.slo.url"
              binding: "POST"
            assertingparty:
              verification:
                credentials:
                  - certificate-location: "path-to-verification-cert"
              entity-id: "remote-idp-entity-id1"
              sso-url: "https://remoteidp1.sso.url"
          my-relying-party2:
            signing:
              credentials:
                - private-key-location: "path-to-private-key"
                  certificate-location: "path-to-certificate"
            decryption:
              credentials:
                - private-key-location: "path-to-private-key"
                  certificate-location: "path-to-certificate"
            assertingparty:
              verification:
                credentials:
                  - certificate-location: "path-to-other-verification-cert"
              entity-id: "remote-idp-entity-id2"
              sso-url: "https://remoteidp2.sso.url"
              singlelogout:
                url: "https://remoteidp2.slo.url"
                response-url: "https://myapp/logout/saml2/slo"
                binding: "POST"
For SAML2 logout, by default, Spring Security's Saml2LogoutRequestFilter and Saml2LogoutResponseFilter only process URLs matching /logout/saml2/slo.
If you want to customize the url to which AP-initiated logout requests are sent, or the response-url to which an AP sends logout responses, so that a different pattern is used, you need to provide configuration to process that custom pattern.
For example, for servlet applications, you can add your own SecurityFilterChain that resembles the following:
Java:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration(proxyBeanMethods = false)
public class MySamlRelyingPartyConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) {
        http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
        http.saml2Login(withDefaults());
        http.saml2Logout((saml2) -> saml2
            .logoutRequest((request) -> request.logoutUrl("/SLOService.saml2"))
            .logoutResponse((response) -> response.logoutUrl("/SLOService.saml2")));
        return http.build();
    }

}