I have a Spring Boot - Theme Leaf - Shiro Application
I Have seen examples for following
Spring boot - spring-security - pac4j-saml sso https://github.com/pac4j/spring-security-pac4j-boot-demo
Shiro web application - buji-pac4j https://github.com/pac4j/buji-pac4j-demo
What i want to do is to have best of the both worlds. I want to use Shiro for RBAC, and use buji-pac4j for authentication, to authenticate via SAML SSO.
I dont find any documentation to achieve the same. Following is what i have done, please guide in my setting this up properly.
//in WebConfig .java i have following
public class WebConfig extends WebMvcConfigurerAdapter {
@Bean("samlConfig")
public Config config() {
final SAML2Configuration cfg = new SAML2Configuration ("resource:samlKeystore.jks",
"pac4j-demo-passwd",
"pac4j-demo-passwd",
"resource:metadata-okta.xml");
cfg.setMaximumAuthenticationLifetime(3600);
cfg.setServiceProviderEntityId("https://localhost/callback?client_name=SAML2Client");
cfg.setServiceProviderMetadataPath("sp-metadata.xml");
cfg.setAuthnRequestBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
final SAML2Client saml2Client = new SAML2Client(cfg);
final Clients clients = new Clients("https://localhost/callback", saml2Client);
final Config config = new Config(clients);
config.addAuthorizer("custom", new CustomAuthorizer()); // this same as in example buji-pac4j-demo
return config;
}
}
//In WebSecurityConfig.java i have following
public class WebSecurityConfig {
@Autowired
private Config samlConfig;
@Bean(name = "shiroFilter")
public AbstractShiroFilter shiroFilter() throws Exception {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
HashMap<String, String> filterChainDefinitionMapping = new HashMap<String,String>();
filterChainDefinitionMapping.put("/*", "anon");
filterChainDefinitionMapping.put("/login", "anon");
filterChainDefinitionMapping.put("/forgotPwd", "anon");
filterChainDefinitionMapping.put("/resetPwd", "anon");
filterChainDefinitionMapping.put("/logout", "logout");
filterChainDefinitionMapping.put("/**", "authc,ssl");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMapping);
shiroFilterFactoryBean.setSecurityManager(securityManager());
final SecurityFilter bujiFilter = new SecurityFilter();
bujiFilter.setConfig(samlConfig);
bujiFilter.setClients("Saml2Client");
HashMap<String, Filter> filters = new HashMap<>();
filters.put("anon", new AnonymousFilter());
filters.put("authc", bujiFilter);
LogoutFilter logoutFilter = new LogoutFilter();
logoutFilter.setRedirectUrl("/logout");
filters.put("logout", logoutFilter);
filters.put("roles", new RolesAuthorizationFilter());
filters.put("user", new UserFilter());
shiroFilterFactoryBean.setFilters(filters);
return (AbstractShiroFilter) shiroFilterFactoryBean.getObject();
}
/* i was previously using Shiro Authentication, hence the below code is there , now i want to do SAML SSO*/
@Bean(name = "customRealm")
@DependsOn("lifecycleBeanPostProcessor")
public CustomRealm customRealm() {
CustomRealm realm = new CustomRealm();
HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
credentialsMatcher.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
credentialsMatcher.setStoredCredentialsHexEncoded(false);
credentialsMatcher.setHashSalted(true);
realm.setCredentialsMatcher(credentialsMatcher);
realm.init();
return realm;
}
@Bean(name = "securityManager")
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(customRealm());
return securityManager;
}
}
Now when i access any protected resource for e.g https://localhost/protected/home instead of taking me to the IDP login (okta), like in the example of https://github.com/pac4j/buji-pac4j-demo ; the app redirects to default Shiro Auth url https://localhost/login.jsp
What am i missing here,is my config in the shiroFilter wrong? if so what is the correct way ?
