5

I have an application that uses Spring Security basic authentication, which validates user details against the database. There is a specific set of users who are validated against the SSO database. Using SAML, I was able to validate against the SSO database.

But the problem is how to integrate both basic authentication and SAML authentication in a single application and direct the user to a specific authentication. Another reason is that both use different authentication providers as well.

I have used spring-saml example to configure SAML.

Another problem is with the intercept-url patterns. In the configuration below, both the security configurations are not mapped with the PATTERN attribute, because of which there is an exception when the server is started, as there are two configurations which are mapped to /** (any request). How do I resolve this exception?

For example:

<security:http access-denied-page="/saml/web/metadata/login">
    <security:form-login login-processing-url="/saml/web/login" login-page="/saml/web/metadata/login" default-target-url="/saml/web/metadata"/>
    <security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/logout" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/home" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
</security:http>

<security:http pattern="/saml/mysignin" entry-point-ref="samlEntryPoint">
    <security:intercept-url pattern="/saml/mysignin" access="IS_AUTHENTICATED_FULLY"/>
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>

<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map request-matcher="ant">
        <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
        <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
        <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
        <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
        <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
        <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
        <security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
    </security:filter-chain-map>
</bean>
SM KUMAR
  • Have you been able to configure it? I've got the same problem and I haven't understood how to set http patterns – Chris Apr 30 '15 at 15:07

1 Answer

3

The sample application in Spring SAML 1.0.0 contains both basic authentication with username and password and SAML-based authentication. Use it as an example.

Vladimír Schäfer
  • Could you point out where in the sample application it does this? In the security context, it maps everything (/**) to the samlEntryPoint. I don't see an example where it does both. – mmaceachran Aug 24 '16 at 02:43
  • @Vladimir Schafer I also want to achieve this and am not able to find a solution for it. Can you share how to map different URLs for Spring Security basic authentication and SAML authentication? – Amit Sep 20 '17 at 07:15
  • https://github.com/spring-projects/spring-security-saml/blob/master/sample/src/main/webapp/WEB-INF/securityContext.xml#L22 - which uses form-login for subset of the application. You could also for example write your custom EntryPoint which sends user to the correct place for authentication, or put SAMLEntryPoint to e.g. pattern /samlLogin and redirect user there when you require SAML auth. There's many possibilities, you might want to read more about EntryPoints in Spring Security documentation. – Vladimír Schäfer Sep 20 '17 at 08:16
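
Spring Security allows only one `<security:http>` element without a `pattern` attribute (it matches `/**`), and it must be declared after every patterned one. The layout below is an added example, not code from the posts above or from the Spring SAML sample: it puts a SAML chain on a dedicated prefix first and a basic-authentication catch-all chain last, each with its own authentication manager. The `/saml/**` prefix and the bean names `samlAuthManager`, `dbAuthManager`, `dbUserDetailsService` and `samlAuthenticationProvider` are assumptions.

```xml
<!-- Added example. Bean ids marked "assumed" are not taken from the page. -->

<!-- Chain 1, declared FIRST: a patterned chain must precede the catch-all.
     It covers the whole /saml/** prefix so that the endpoints served by
     samlFilter (/saml/login, /saml/SSO, /saml/logout, ...) stay in this chain. -->
<security:http pattern="/saml/**"
               entry-point-ref="samlEntryPoint"
               authentication-manager-ref="samlAuthManager"
               use-expressions="false">
    <!-- Protected resource: an unauthenticated request here triggers samlEntryPoint -->
    <security:intercept-url pattern="/saml/mysignin" access="IS_AUTHENTICATED_FULLY"/>
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>

<!-- Chain 2, declared LAST: no pattern attribute, so it matches /**.
     Users in the application database authenticate here with HTTP Basic. -->
<security:http authentication-manager-ref="dbAuthManager"
               use-expressions="false">
    <security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/logout" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/home" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <!-- Deny by default: anything not listed above requires a login -->
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
</security:http>

<!-- One manager per mechanism, so SAML assertions are never checked by the
     database provider and passwords are never checked by the SAML provider. -->
<security:authentication-manager id="samlAuthManager">            <!-- assumed id -->
    <security:authentication-provider ref="samlAuthenticationProvider"/> <!-- assumed bean -->
</security:authentication-manager>

<security:authentication-manager id="dbAuthManager">              <!-- assumed id -->
    <security:authentication-provider user-service-ref="dbUserDetailsService"/> <!-- assumed bean -->
</security:authentication-manager>

<!-- authentication-manager-ref only wires the filters the namespace creates.
     Processing filters defined as plain beans (samlWebSSOProcessingFilter,
     samlWebSSOHoKProcessingFilter) take their manager from their own
     "authenticationManager" property, which should reference samlAuthManager. -->
```

With the default session-based security context, a user who signs in through the SAML chain is also treated as authenticated by the catch-all chain, so the `intercept-url` rules in chain 2 have to be written with both user populations in mind.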