4

I am using Spring Security in one of my projects and now want to introduce Spring SAML. I have used Spring's XML configuration so far. Can I integrate SAML using Java-based configuration?

I am new to SAML integration.

halfer
Amit

2 Answers

3

Yes, you can configure Spring SAML using Java just like you can with the rest of Spring Security.

You need a WebSecurityConfig class with a configure class like this:

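    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.web.access.channel.ChannelProcessingFilter;
    import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

    // Inside WebSecurityConfig, which extends WebSecurityConfigurerAdapter
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Unauthenticated requests are handed to the SAML entry point
        http
            .httpBasic()
                .authenticationEntryPoint(samlEntryPoint());
        // CSRF protection is turned off for the whole application
        http
            .csrf()
                .disable();
        // Metadata generation runs first; the SAML filter chain runs after basic auth
        http
            .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
            .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
        // The SAML endpoints must be reachable before the user is authenticated
        http
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/error").permitAll()
            .antMatchers("/saml/**").permitAll()
            .anyRequest().authenticated();
        http
            .logout()
                .logoutSuccessUrl("/");
    }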

You just need to write all the different beans together using Java, e.g. set up the SecurityFilterChain like this

    import java.util.ArrayList;
    import java.util.List;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.web.DefaultSecurityFilterChain;
    import org.springframework.security.web.FilterChainProxy;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

    // Maps each SAML endpoint path to the filter that handles it
    @Bean
    public FilterChainProxy samlFilter() throws Exception {
        List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
                samlEntryPoint()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"),
                samlLogoutFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/metadata/**"),
                metadataDisplayFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
                samlWebSSOProcessingFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSOHoK/**"),
                samlWebSSOHoKProcessingFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
                samlLogoutProcessingFilter()));
        chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
                samlIDPDiscovery()));
        return new FilterChainProxy(chains);
    }

Look at this project https://github.com/vdenotaris/spring-boot-security-saml-sample as an example for how it is done. The com.vdenotaris.spring.boot.security.saml.web.config.WebSecurityConfig.java shows the ingredients of the secret sauce.

MarcFasel
  • Thanks for your answer, just one more question: if I have both Spring Security (in XML configuration) and Spring SAML (in Java configuration), what will take precedence? Any idea? – Amit Aug 27 '15 at 06:15
  • Don't know, but you should be able to see it when the application is starting up. Spring will tell you which beans are being configured. Better is to control the order of initialisation yourself. Here is the relevant documentation on how to combine XML and JavaConfig, with an explanation of how to bootstrap JavaConfig from XML and vice versa: http://docs.spring.io/spring-javaconfig/docs/1.0.0.M4/reference/html/ch06.html – MarcFasel Aug 27 '15 at 22:57
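
The `configure` method in the answer above turns CSRF protection off for the whole application. A variant that keeps it on and exempts only the SAML endpoints, which receive cross-site POSTs from the identity provider, is shown here as an added example (not code from the answer or the sample project). It assumes Spring Security 4.x or 5.x, where `ignoringAntMatchers` is available, and that the `samlEntryPoint`, `metadataGeneratorFilter` and `samlFilter` beans are defined elsewhere as in the answer; the class name `SamlWebSecurityConfig` is hypothetical.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// Hypothetical class name. The three injected beans are assumed to be defined
// elsewhere (in Java or XML) under the names used in the answer.
@Configuration
@EnableWebSecurity
public class SamlWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired private SAMLEntryPoint samlEntryPoint;
    @Autowired private MetadataGeneratorFilter metadataGeneratorFilter;
    @Autowired @Qualifier("samlFilter") private FilterChainProxy samlFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().authenticationEntryPoint(samlEntryPoint);
        // CSRF stays enabled for the application's own forms. Only the SAML
        // endpoints are exempt, because the identity provider posts SAML
        // messages to them and those requests carry no CSRF token.
        http.csrf().ignoringAntMatchers("/saml/**");
        http.addFilterBefore(metadataGeneratorFilter, ChannelProcessingFilter.class)
            .addFilterAfter(samlFilter, BasicAuthenticationFilter.class);
        http.authorizeRequests()
            .antMatchers("/", "/error", "/saml/**").permitAll()
            .anyRequest().authenticated();
        http.logout().logoutSuccessUrl("/");
    }
}
```

With CSRF protection enabled, Spring Security's default logout URL accepts only POST requests that carry the CSRF token.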
1

You can use XML configuration for SAML integration. It is hard to create it from scratch as a starter, so I suggest you download the Spring SAML sample application and create your configuration based on it. Integration into your existing application is just a Spring Security integration.

ibrahimbayer
  • Actually I want SAML configuration to be Java based because that way I will be able to enable/disable it based on some database value. – Amit Aug 25 '15 at 11:01
  • If you are new to SAML, I suggest you base it on the existing sample, create your configuration, store it, and then change the configuration to a Java definition. The fact is that the existing official sample is based on XML config. Since the config is based on Spring Security, and Spring Security has Java config, I think you can manage it. – ibrahimbayer Aug 25 '15 at 17:22