For the latest stable version, please use Spring Security 6.3.1!
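Parsing <saml2:IDPSSODescriptor> Metadata
You can parse an asserting party's metadata using RelyingPartyRegistrations.
When using the OpenSAML vendor support, the resulting AssertingPartyDetails is of type OpenSamlAssertingPartyDetails.
This means you can get the underlying OpenSAML XMLObject by doing the following: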
Java
OpenSamlAssertingPartyDetails details = (OpenSamlAssertingPartyDetails)
        registration.getAssertingPartyDetails();
EntityDescriptor openSamlEntityDescriptor = details.getEntityDescriptor();

Kotlin
val details: OpenSamlAssertingPartyDetails =
        registration.getAssertingPartyDetails() as OpenSamlAssertingPartyDetails
val openSamlEntityDescriptor: EntityDescriptor = details.getEntityDescriptor()
Producing <saml2:SPSSODescriptor> Metadata
You can publish a metadata endpoint by adding the Saml2MetadataFilter to the filter chain, as follows:
Java
DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        new OpenSamlMetadataResolver());
http
    // ...
    .saml2Login(withDefaults())
    .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);

Kotlin
val relyingPartyRegistrationResolver: Converter<HttpServletRequest, RelyingPartyRegistration> =
        DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository)
val filter = Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        OpenSamlMetadataResolver()
)
http {
    // ...
    saml2Login { }
    addFilterBefore<Saml2WebSsoAuthenticationFilter>(filter)
}
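You can use this metadata endpoint to register your relying party with your asserting party. This is often as simple as finding the correct form field to supply the metadata endpoint.
By default, the metadata endpoint is /saml2/service-provider-metadata/{registrationId}.
You can change this by calling the setRequestMatcher method on the filter: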
Java
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"));

Kotlin
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata/{registrationId}", "GET"))
Or, if you have registered a custom relying party registration resolver in the constructor, you can specify a path without a registrationId hint, as follows:
Java
filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));

Kotlin
filter.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))
Changing the Way a RelyingPartyRegistration Is Looked Up
To apply a custom RelyingPartyRegistrationResolver to the metadata endpoint, you can provide it directly in the filter constructor, as follows:
Java
RelyingPartyRegistrationResolver myRegistrationResolver = ...;
Saml2MetadataFilter metadata = new Saml2MetadataFilter(myRegistrationResolver, new OpenSamlMetadataResolver());
// ...
http.addFilterBefore(metadata, BasicAuthenticationFilter.class);

Kotlin
val myRegistrationResolver: RelyingPartyRegistrationResolver = ...
val metadata = Saml2MetadataFilter(myRegistrationResolver, OpenSamlMetadataResolver())
// ...
http.addFilterBefore(metadata, BasicAuthenticationFilter::class.java)
If you apply a RelyingPartyRegistrationResolver in order to remove the registrationId from the URI, you must also change the URI in the filter, as follows:
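Java
// setRequestMatcher takes a RequestMatcher, not a String path
metadata.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));

Kotlin
// setRequestMatcher takes a RequestMatcher, not a String path
metadata.setRequestMatcher(AntPathRequestMatcher("/saml2/metadata", "GET"))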
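
One way to write the custom resolver that the snippets above leave as `...`, shown as an added example that is not taken from the Spring Security reference: it pins the metadata endpoint to a single registration, so the path needs no registrationId. The class `SingleRegistrationMetadata` and its `metadataFilter` method are hypothetical names, and the registration id is whatever the application configures.

```java
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical helper class for illustration; not part of Spring Security.
public final class SingleRegistrationMetadata {

    private SingleRegistrationMetadata() {
    }

    /**
     * Builds a metadata filter that serves one fixed registration at /saml2/metadata.
     *
     * @param repository     the application's registration repository
     * @param registrationId the id of the registration to publish (application-chosen)
     */
    public static Saml2MetadataFilter metadataFilter(
            RelyingPartyRegistrationRepository repository, String registrationId) {
        // Fail at startup, not at request time, if the id is misconfigured.
        if (repository.findByRegistrationId(registrationId) == null) {
            throw new IllegalArgumentException(
                    "No RelyingPartyRegistration with id " + registrationId);
        }

        // Delegate to the default resolver so template values in the registration
        // (for example {baseUrl}) are still resolved against the current request.
        DefaultRelyingPartyRegistrationResolver delegate =
                new DefaultRelyingPartyRegistrationResolver(repository);

        // The path has no {registrationId} variable, so the id the filter passes in
        // is ignored and the pinned id is used for every request.
        RelyingPartyRegistrationResolver pinned =
                (request, ignoredId) -> delegate.resolve(request, registrationId);

        Saml2MetadataFilter filter =
                new Saml2MetadataFilter(pinned, new OpenSamlMetadataResolver());
        // Without this, the filter keeps matching the default path that expects an id.
        filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
        return filter;
    }
}
```

Register the returned filter with `addFilterBefore`, as in the snippets above.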