We're currently attempting to add SAML integration to our project and one of the requirements is that an administrator can use the system to add authentication to a part of the website.
For instance, if the app was hosted at "foo.com" then they would be able to specify that all pages that start with "foo.com/secret" should be authenticated using SAML.
I know how this can be done statically on system startup but I'm struggling to find any information on how to alter the Spring Security settings at runtime.
I'm currently trying to test this out on the example SAML project which can be found here: https://github.com/vdenotaris/spring-boot-security-saml-sample
The configure method of the WebSecurityConfig class looks like the following:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic()
            .authenticationEntryPoint(samlEntryPoint());
    http
        .csrf()
            .disable();
    http
        .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
        .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
    http
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/error").permitAll()
        .antMatchers("/saml/**").permitAll()
        .anyRequest().authenticated();
    http
        .logout()
            .logoutSuccessUrl("/");
}
```
I want to be able to add an additional antMatcher for a new URL that is authenticated. I've been able to change the http object at runtime but this has no effect on the security.
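
One way to make the protected paths changeable at runtime, as an added example that is not part of the original post or the sample project: `HttpSecurity` is a builder that is consumed once at startup, so the rule registered there has to be a `RequestMatcher` that consults mutable state on every request. The class name `ProtectedPrefixMatcher`, its methods, and the wiring shown in the trailing comment are hypothetical; it assumes the `javax.servlet` API and a default of "open unless an administrator protects the prefix".

```java
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example (hypothetical class, not from the sample project).
// Matches requests under any prefix an administrator registered at runtime.
public class ProtectedPrefixMatcher implements RequestMatcher {

    // Read on every request, written rarely: copy-on-write keeps reads lock-free.
    private final Set<String> prefixes = new CopyOnWriteArraySet<>();

    public void protect(String prefix) {
        prefixes.add(normalize(prefix));
    }

    public void unprotect(String prefix) {
        prefixes.remove(normalize(prefix));
    }

    @Override
    public boolean matches(HttpServletRequest request) {
        // Use the container-decoded path, not the raw request URI.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        for (String p : prefixes) {
            // "/secret" covers "/secret" and "/secret/x" but not "/secretary".
            if (path.equals(p) || path.startsWith(p + "/")) {
                return true;
            }
        }
        return false;
    }

    // Store prefixes with a leading slash and no trailing slash.
    private static String normalize(String prefix) {
        String p = prefix.trim();
        if (!p.startsWith("/")) p = "/" + p;
        while (p.endsWith("/")) p = p.substring(0, p.length() - 1);
        return p;
    }
}
// Assumed wiring in WebSecurityConfig, with the matcher exposed as a @Bean:
//   http.authorizeRequests()
//       .antMatchers("/saml/**").permitAll()
//       .requestMatchers(protectedPrefixes()).authenticated()
//       .anyRequest().permitAll();
```

The set lives in memory only, so registered prefixes need to be persisted and reloaded at startup, and whatever endpoint calls `protect` or `unprotect` needs its own authorization check.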