Spring Security
如果 Spring Security 在類別路徑中,則預設情況下會保護網路應用程式的安全。Spring Boot 依賴 Spring Security 的內容協商策略來決定是否使用 httpBasic 或 formLogin。若要將方法層級安全性新增至網路應用程式,您也可以使用您想要的設定新增 @EnableGlobalMethodSecurity。其他資訊可以在 Spring Security 參考指南 中找到。
預設的 UserDetailsService 具有單一使用者。使用者名稱為 user,密碼是隨機的,並在應用程式啟動時以 WARN 層級印出,如下列範例所示
Using generated security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
This generated password is for development use only. Your security configuration must be updated before running your application in production.如果您微調您的日誌設定,請確保 org.springframework.boot.autoconfigure.security 類別設定為記錄 WARN 層級訊息。否則,預設密碼將不會印出。 |
您可以透過提供 spring.security.user.name 和 spring.security.user.password 來變更使用者名稱和密碼。
在網路應用程式中預設取得的基本功能如下:
-
具有記憶體內儲存和單一使用者(具有產生密碼)的
UserDetailsService(或 WebFlux 應用程式的情況下為ReactiveUserDetailsService)Bean(請參閱SecurityProperties.User以取得使用者屬性)。 -
基於表單的登入或 HTTP Basic 安全性(取決於請求中的
Accept標頭)適用於整個應用程式(如果actuator在類別路徑中,則包括 actuator 端點)。 -
用於發布驗證事件的
DefaultAuthenticationEventPublisher。
您可以透過為其新增 Bean 來提供不同的 AuthenticationEventPublisher。
MVC 安全性
預設安全性設定在 SecurityAutoConfiguration 和 UserDetailsServiceAutoConfiguration 中實作。SecurityAutoConfiguration 匯入 SpringBootWebSecurityConfiguration 以進行網路安全性,而 UserDetailsServiceAutoConfiguration 設定驗證,這在非網路應用程式中也相關。
若要完全關閉預設網路應用程式安全性設定,包括 Actuator 安全性,或合併多個 Spring Security 元件(例如 OAuth2 Client 和 Resource Server),請新增 SecurityFilterChain 類型的 Bean(這樣做不會停用 UserDetailsService 設定)。若也要關閉 UserDetailsService 設定,請新增 UserDetailsService、AuthenticationProvider 或 AuthenticationManager 類型的 Bean。
如果類別路徑中存在下列任何 Spring Security 模組,則 UserDetailsService 的自動組態也會退回
-
spring-security-oauth2-client -
spring-security-oauth2-resource-server -
spring-security-saml2-service-provider
若要除了這些依賴項中的一或多個之外還使用 UserDetailsService,請定義您自己的 InMemoryUserDetailsManager Bean。
可以透過新增自訂 SecurityFilterChain Bean 來覆寫存取規則。Spring Boot 提供便利方法,可用於覆寫 actuator 端點和靜態資源的存取規則。EndpointRequest 可用於建立基於 management.endpoints.web.base-path 屬性的 RequestMatcher。PathRequest 可用於為常用位置中的資源建立 RequestMatcher。
WebFlux 安全性
類似於 Spring MVC 應用程式,您可以透過新增 spring-boot-starter-security 依賴項來保護您的 WebFlux 應用程式安全。預設安全性設定在 ReactiveSecurityAutoConfiguration 和 UserDetailsServiceAutoConfiguration 中實作。ReactiveSecurityAutoConfiguration 匯入 WebFluxSecurityConfiguration 以進行網路安全性,而 UserDetailsServiceAutoConfiguration 設定驗證,這在非網路應用程式中也相關。
若要完全關閉預設網路應用程式安全性設定,包括 Actuator 安全性,請新增 WebFilterChainProxy 類型的 Bean(這樣做不會停用 UserDetailsService 設定)。若也要關閉 UserDetailsService 設定,請新增 ReactiveUserDetailsService 或 ReactiveAuthenticationManager 類型的 Bean。
當類別路徑中存在下列任何 Spring Security 模組時,自動組態也會退回
-
spring-security-oauth2-client -
spring-security-oauth2-resource-server
若要除了這些依賴項中的一或多個之外還使用 ReactiveUserDetailsService,請定義您自己的 MapReactiveUserDetailsService Bean。
可以透過新增自訂 SecurityWebFilterChain Bean 來設定存取規則以及多個 Spring Security 元件(例如 OAuth 2 Client 和 Resource Server)的使用。Spring Boot 提供便利方法,可用於覆寫 actuator 端點和靜態資源的存取規則。EndpointRequest 可用於建立基於 management.endpoints.web.base-path 屬性的 ServerWebExchangeMatcher。
PathRequest 可用於為常用位置中的資源建立 ServerWebExchangeMatcher。
例如,您可以透過新增類似下列的內容來自訂您的安全性設定:
-
Java
-
Kotlin
import org.springframework.boot.autoconfigure.security.reactive.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;
@Configuration(proxyBeanMethods = false)
public class MyWebFluxSecurityConfiguration {
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http.authorizeExchange((exchange) -> {
exchange.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
exchange.pathMatchers("/foo", "/bar").authenticated();
});
http.formLogin(withDefaults());
return http.build();
}
}import org.springframework.boot.autoconfigure.security.reactive.PathRequest
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.Customizer.withDefaults
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain
@Configuration(proxyBeanMethods = false)
class MyWebFluxSecurityConfiguration {
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http.authorizeExchange { spec ->
spec.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
spec.pathMatchers("/foo", "/bar").authenticated()
}
http.formLogin(withDefaults())
return http.build()
}
}OAuth2
OAuth2 是一個廣泛使用的授權框架,Spring 支援此框架。
客户端
如果您的類別路徑中有 spring-security-oauth2-client,您可以利用一些自動組態來設定 OAuth2/Open ID Connect 客户端。此設定使用 OAuth2ClientProperties 下的屬性。相同的屬性適用於 servlet 和反應式應用程式。
您可以在 spring.security.oauth2.client 前綴下註冊多個 OAuth2 客户端和提供者,如下列範例所示
-
Properties
-
YAML
spring.security.oauth2.client.registration.my-login-client.client-id=abcd
spring.security.oauth2.client.registration.my-login-client.client-secret=password
spring.security.oauth2.client.registration.my-login-client.client-name=Client for OpenID Connect
spring.security.oauth2.client.registration.my-login-client.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-login-client.scope=openid,profile,email,phone,address
spring.security.oauth2.client.registration.my-login-client.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.my-login-client.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-login-client.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.my-client-1.client-id=abcd
spring.security.oauth2.client.registration.my-client-1.client-secret=password
spring.security.oauth2.client.registration.my-client-1.client-name=Client for user scope
spring.security.oauth2.client.registration.my-client-1.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-1.scope=user
spring.security.oauth2.client.registration.my-client-1.redirect-uri={baseUrl}/authorized/user
spring.security.oauth2.client.registration.my-client-1.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-client-1.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.my-client-2.client-secret=password
spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-2.scope=email
spring.security.oauth2.client.registration.my-client-2.redirect-uri={baseUrl}/authorized/email
spring.security.oauth2.client.registration.my-client-2.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=https://my-auth-server.com/oauth2/authorize
spring.security.oauth2.client.provider.my-oauth-provider.token-uri=https://my-auth-server.com/oauth2/token
spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=https://my-auth-server.com/userinfo
spring.security.oauth2.client.provider.my-oauth-provider.user-info-authentication-method=header
spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=https://my-auth-server.com/oauth2/jwks
spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=namespring:
security:
oauth2:
client:
registration:
my-login-client:
client-id: "abcd"
client-secret: "password"
client-name: "Client for OpenID Connect"
provider: "my-oauth-provider"
scope: "openid,profile,email,phone,address"
redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
client-authentication-method: "client_secret_basic"
authorization-grant-type: "authorization_code"
my-client-1:
client-id: "abcd"
client-secret: "password"
client-name: "Client for user scope"
provider: "my-oauth-provider"
scope: "user"
redirect-uri: "{baseUrl}/authorized/user"
client-authentication-method: "client_secret_basic"
authorization-grant-type: "authorization_code"
my-client-2:
client-id: "abcd"
client-secret: "password"
client-name: "Client for email scope"
provider: "my-oauth-provider"
scope: "email"
redirect-uri: "{baseUrl}/authorized/email"
client-authentication-method: "client_secret_basic"
authorization-grant-type: "authorization_code"
provider:
my-oauth-provider:
authorization-uri: "https://my-auth-server.com/oauth2/authorize"
token-uri: "https://my-auth-server.com/oauth2/token"
user-info-uri: "https://my-auth-server.com/userinfo"
user-info-authentication-method: "header"
jwk-set-uri: "https://my-auth-server.com/oauth2/jwks"
user-name-attribute: "name"對於支援 OpenID Connect 探索 的 OpenID Connect 提供者,可以進一步簡化設定。提供者需要使用 issuer-uri 進行設定,issuer-uri 是其斷言為發行者識別碼的 URI。例如,如果提供的 issuer-uri 是 "https://example.com",則將對 "https://example.com/.well-known/openid-configuration" 發出「OpenID 提供者設定請求」。預期結果將是「OpenID 提供者設定回應」。下列範例顯示如何使用 issuer-uri 設定 OpenID Connect 提供者
-
Properties
-
YAML
spring.security.oauth2.client.provider.oidc-provider.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/spring:
security:
oauth2:
client:
provider:
oidc-provider:
issuer-uri: "https://dev-123456.oktapreview.com/oauth2/default/"預設情況下,Spring Security 的 OAuth2LoginAuthenticationFilter 僅處理符合 `/login/oauth2/code/*` 的 URL。如果您想要自訂 redirect-uri 以使用不同的模式,您需要提供設定來處理該自訂模式。例如,對於 servlet 應用程式,您可以新增類似下列內容的您自己的 SecurityFilterChain
-
Java
-
Kotlin
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
public class MyOAuthClientConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated()
)
.oauth2Login((login) -> login
.redirectionEndpoint((endpoint) -> endpoint
.baseUri("/login/oauth2/callback/*")
)
);
return http.build();
}
}import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain
@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
open class MyOAuthClientConfiguration {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login {
redirectionEndpoint {
baseUri = "/login/oauth2/callback/*"
}
}
}
return http.build()
}
}Spring Boot 自動組態 InMemoryOAuth2AuthorizedClientService,Spring Security 使用此服務來管理客户端註冊。InMemoryOAuth2AuthorizedClientService 的功能有限,我們建議僅在開發環境中使用它。對於生產環境,請考慮使用 JdbcOAuth2AuthorizedClientService 或建立您自己的 OAuth2AuthorizedClientService 實作。 |
常見提供者的 OAuth2 客户端註冊
對於常見的 OAuth2 和 OpenID 提供者,包括 Google、Github、Facebook 和 Okta,我們提供一組提供者預設值(分別為 google、github、facebook 和 okta)。
如果您不需要自訂這些提供者,您可以將 provider 屬性設定為您需要推斷預設值的提供者。此外,如果客户端註冊的金鑰與預設支援的提供者相符,Spring Boot 也會推斷該提供者。
換句話說,下列範例中的兩個設定都使用 Google 提供者
-
Properties
-
YAML
spring.security.oauth2.client.registration.my-client.client-id=abcd
spring.security.oauth2.client.registration.my-client.client-secret=password
spring.security.oauth2.client.registration.my-client.provider=google
spring.security.oauth2.client.registration.google.client-id=abcd
spring.security.oauth2.client.registration.google.client-secret=passwordspring:
security:
oauth2:
client:
registration:
my-client:
client-id: "abcd"
client-secret: "password"
provider: "google"
google:
client-id: "abcd"
client-secret: "password"資源伺服器
如果您的類別路徑中有 spring-security-oauth2-resource-server,Spring Boot 可以設定 OAuth2 資源伺服器。對於 JWT 設定,需要指定 JWK Set URI 或 OIDC 發行者 URI,如下列範例所示
-
Properties
-
YAML
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://example.com/oauth2/default/v1/keysspring:
security:
oauth2:
resourceserver:
jwt:
jwk-set-uri: "https://example.com/oauth2/default/v1/keys"-
Properties
-
YAML
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: "https://dev-123456.oktapreview.com/oauth2/default/"如果授權伺服器不支援 JWK Set URI,您可以使用用於驗證 JWT 簽名的公鑰來設定資源伺服器。這可以使用 spring.security.oauth2.resourceserver.jwt.public-key-location 屬性來完成,其中該值需要指向包含 PEM 編碼 x509 格式公鑰的檔案。 |
spring.security.oauth2.resourceserver.jwt.audiences 屬性可用於指定 JWT 中 aud 宣告的預期值。例如,若要要求 JWT 包含 aud 宣告,且值為 my-audience
-
Properties
-
YAML
spring.security.oauth2.resourceserver.jwt.audiences[0]=my-audiencespring:
security:
oauth2:
resourceserver:
jwt:
audiences:
- "my-audience"相同的屬性適用於 servlet 和反應式應用程式。或者,您可以為 servlet 應用程式定義您自己的 JwtDecoder Bean,或為反應式應用程式定義 ReactiveJwtDecoder。
在使用不透明權杖而非 JWT 的情況下,您可以設定下列屬性以透過內省來驗證權杖
-
Properties
-
YAML
spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://example.com/check-token
spring.security.oauth2.resourceserver.opaquetoken.client-id=my-client-id
spring.security.oauth2.resourceserver.opaquetoken.client-secret=my-client-secretspring:
security:
oauth2:
resourceserver:
opaquetoken:
introspection-uri: "https://example.com/check-token"
client-id: "my-client-id"
client-secret: "my-client-secret"同樣地,相同的屬性適用於 servlet 和反應式應用程式。或者,您可以為 servlet 應用程式定義您自己的 OpaqueTokenIntrospector Bean,或為反應式應用程式定義 ReactiveOpaqueTokenIntrospector。
授權伺服器
如果您的類別路徑中有 spring-security-oauth2-authorization-server,您可以利用一些自動組態來設定基於 Servlet 的 OAuth2 授權伺服器。
您可以在 spring.security.oauth2.authorizationserver.client 前綴下註冊多個 OAuth2 客户端,如下列範例所示
-
Properties
-
YAML
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-id=abcd
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-secret={noop}secret1
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-authentication-methods[0]=client_secret_basic
spring.security.oauth2.authorizationserver.client.my-client-1.registration.authorization-grant-types[0]=authorization_code
spring.security.oauth2.authorizationserver.client.my-client-1.registration.authorization-grant-types[1]=refresh_token
spring.security.oauth2.authorizationserver.client.my-client-1.registration.redirect-uris[0]=https://my-client-1.com/login/oauth2/code/abcd
spring.security.oauth2.authorizationserver.client.my-client-1.registration.redirect-uris[1]=https://my-client-1.com/authorized
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[0]=openid
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[1]=profile
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[2]=email
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[3]=phone
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[4]=address
spring.security.oauth2.authorizationserver.client.my-client-1.require-authorization-consent=true
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-id=efgh
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-secret={noop}secret2
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-authentication-methods[0]=client_secret_jwt
spring.security.oauth2.authorizationserver.client.my-client-2.registration.authorization-grant-types[0]=client_credentials
spring.security.oauth2.authorizationserver.client.my-client-2.registration.scopes[0]=user.read
spring.security.oauth2.authorizationserver.client.my-client-2.registration.scopes[1]=user.write
spring.security.oauth2.authorizationserver.client.my-client-2.jwk-set-uri=https://my-client-2.com/jwks
spring.security.oauth2.authorizationserver.client.my-client-2.token-endpoint-authentication-signing-algorithm=RS256spring:
security:
oauth2:
authorizationserver:
client:
my-client-1:
registration:
client-id: "abcd"
client-secret: "{noop}secret1"
client-authentication-methods:
- "client_secret_basic"
authorization-grant-types:
- "authorization_code"
- "refresh_token"
redirect-uris:
- "https://my-client-1.com/login/oauth2/code/abcd"
- "https://my-client-1.com/authorized"
scopes:
- "openid"
- "profile"
- "email"
- "phone"
- "address"
require-authorization-consent: true
my-client-2:
registration:
client-id: "efgh"
client-secret: "{noop}secret2"
client-authentication-methods:
- "client_secret_jwt"
authorization-grant-types:
- "client_credentials"
scopes:
- "user.read"
- "user.write"
jwk-set-uri: "https://my-client-2.com/jwks"
token-endpoint-authentication-signing-algorithm: "RS256"client-secret 屬性必須採用可與已設定的 PasswordEncoder 相符的格式。PasswordEncoder 的預設實例是透過 PasswordEncoderFactories.createDelegatingPasswordEncoder() 建立的。 |
Spring Boot 為 Spring Authorization Server 提供的自動組態旨在讓您快速入門。大多數應用程式將需要自訂,並希望定義數個 Bean 來覆寫自動組態。
可以將下列元件定義為 Bean,以覆寫 Spring Authorization Server 特有的自動組態
-
RegisteredClientRepository -
AuthorizationServerSettings -
SecurityFilterChain -
com.nimbusds.jose.jwk.source.JWKSource<com.nimbusds.jose.proc.SecurityContext> -
JwtDecoder
Spring Boot 自動組態 InMemoryRegisteredClientRepository,Spring Authorization Server 使用此服務來管理已註冊的客户端。InMemoryRegisteredClientRepository 的功能有限,我們建議僅在開發環境中使用它。對於生產環境,請考慮使用 JdbcRegisteredClientRepository 或建立您自己的 RegisteredClientRepository 實作。 |
其他資訊可以在 Spring Authorization Server 參考指南的「開始使用」章節中找到。
SAML 2.0
依賴方
如果您的類別路徑中有 spring-security-saml2-service-provider,您可以利用一些自動組態來設定 SAML 2.0 依賴方。此設定使用 Saml2RelyingPartyProperties 下的屬性。
依賴方註冊代表身分提供者 (IDP) 和服務提供者 (SP) 之間的配對設定。您可以在 spring.security.saml2.relyingparty 前綴下註冊多個依賴方,如下列範例所示
-
Properties
-
YAML
spring.security.saml2.relyingparty.registration.my-relying-party1.signing.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party1.signing.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party1.decryption.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party1.decryption.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.url=https://myapp/logout/saml2/slo
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.response-url=https://remoteidp2.slo.url
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.binding=POST
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.verification.credentials[0].certificate-location=path-to-verification-cert
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.entity-id=remote-idp-entity-id1
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.sso-url=https://remoteidp1.sso.url
spring.security.saml2.relyingparty.registration.my-relying-party2.signing.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party2.signing.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party2.decryption.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party2.decryption.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.verification.credentials[0].certificate-location=path-to-other-verification-cert
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.entity-id=remote-idp-entity-id2
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.sso-url=https://remoteidp2.sso.url
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.url=https://remoteidp2.slo.url
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.response-url=https://myapp/logout/saml2/slo
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.binding=POSTspring:
security:
saml2:
relyingparty:
registration:
my-relying-party1:
signing:
credentials:
- private-key-location: "path-to-private-key"
certificate-location: "path-to-certificate"
decryption:
credentials:
- private-key-location: "path-to-private-key"
certificate-location: "path-to-certificate"
singlelogout:
url: "https://myapp/logout/saml2/slo"
response-url: "https://remoteidp2.slo.url"
binding: "POST"
assertingparty:
verification:
credentials:
- certificate-location: "path-to-verification-cert"
entity-id: "remote-idp-entity-id1"
sso-url: "https://remoteidp1.sso.url"
my-relying-party2:
signing:
credentials:
- private-key-location: "path-to-private-key"
certificate-location: "path-to-certificate"
decryption:
credentials:
- private-key-location: "path-to-private-key"
certificate-location: "path-to-certificate"
assertingparty:
verification:
credentials:
- certificate-location: "path-to-other-verification-cert"
entity-id: "remote-idp-entity-id2"
sso-url: "https://remoteidp2.sso.url"
singlelogout:
url: "https://remoteidp2.slo.url"
response-url: "https://myapp/logout/saml2/slo"
binding: "POST"對於 SAML2 登出,預設情況下,Spring Security 的 Saml2LogoutRequestFilter 和 Saml2LogoutResponseFilter 僅處理符合 `/logout/saml2/slo` 的 URL。如果您想要自訂 AP 起始的登出請求傳送到的 url 或 AP 將登出回應傳送到的 response-url,以使用不同的模式,您需要提供設定來處理該自訂模式。例如,對於 servlet 應用程式,您可以新增類似下列內容的您自己的 SecurityFilterChain
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;
@Configuration(proxyBeanMethods = false)
public class MySamlRelyingPartyConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
http.saml2Login(withDefaults());
http.saml2Logout((saml2) -> saml2.logoutRequest((request) -> request.logoutUrl("/SLOService.saml2"))
.logoutResponse((response) -> response.logoutUrl("/SLOService.saml2")));
return http.build();
}
}
