Spring Security
如果类路径中包含Spring Security,则Web应用程序默认情况下是安全的。Spring Boot依靠Spring Security的内容协商策略来确定是使用httpBasic还是formLogin。要向Web应用程序添加方法级安全性,您还可以添加@EnableGlobalMethodSecurity以及所需的设置。更多信息可以在Spring Security参考指南中找到。
默认的UserDetailsService只有一个用户。用户名为user,密码是随机生成的,并在应用程序启动时以WARN级别打印,如下例所示
Using generated security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
This generated password is for development use only. Your security configuration must be updated before running your application in production.如果您微调日志配置,请确保将org.springframework.boot.autoconfigure.security类别设置为记录WARN级别消息。否则,默认密码不会被打印。 |
您可以通过提供spring.security.user.name和spring.security.user.password来更改用户名和密码。
在Web应用程序中默认获得的基本功能包括:
-
一个带有内存存储和单个用户的
UserDetailsService(或WebFlux应用程序中的ReactiveUserDetailsService),并带有生成的密码(有关用户的属性,请参阅SecurityProperties.User)。 -
基于表单的登录或HTTP基本安全性(取决于请求中的
Accept标头)适用于整个应用程序(如果类路径中存在Actuator,则包括Actuator端点)。 -
一个用于发布身份验证事件的
DefaultAuthenticationEventPublisher。
您可以通过添加一个bean来提供不同的AuthenticationEventPublisher。
MVC 安全性
默认安全配置在SecurityAutoConfiguration和UserDetailsServiceAutoConfiguration中实现。SecurityAutoConfiguration为Web安全导入SpringBootWebSecurityConfiguration,而UserDetailsServiceAutoConfiguration配置身份验证,这在非Web应用程序中也很重要。
要完全关闭默认的Web应用程序安全配置(包括Actuator安全性),或组合多个Spring Security组件(如OAuth2客户端和资源服务器),请添加类型为SecurityFilterChain的bean(这样做不会禁用UserDetailsService配置)。要同时关闭UserDetailsService配置,请添加类型为UserDetailsService、AuthenticationProvider或AuthenticationManager的bean。
如果classpath中存在以下任何Spring Security模块,则UserDetailsService的自动配置将被禁用
-
spring-security-oauth2-client -
spring-security-oauth2-resource-server -
spring-security-saml2-service-provider
要在同时依赖一个或多个这些依赖项的情况下使用UserDetailsService,请定义您自己的InMemoryUserDetailsManager bean。
可以通过添加自定义的SecurityFilterChain bean来覆盖访问规则。Spring Boot提供了方便的方法,可用于覆盖执行器端点和静态资源的访问规则。EndpointRequest可用于创建一个基于management.endpoints.web.base-path属性的RequestMatcher。PathRequest可用于为常用位置中的资源创建RequestMatcher。
WebFlux 安全
与Spring MVC应用程序类似,您可以通过添加spring-boot-starter-security依赖项来保护您的WebFlux应用程序。默认安全配置在ReactiveSecurityAutoConfiguration和UserDetailsServiceAutoConfiguration中实现。ReactiveSecurityAutoConfiguration为Web安全导入WebFluxSecurityConfiguration,而UserDetailsServiceAutoConfiguration配置身份验证,这在非Web应用程序中也适用。
要完全关闭默认的Web应用程序安全配置(包括Actuator安全),请添加类型为WebFilterChainProxy的bean(这样做不会禁用UserDetailsService配置)。要同时关闭UserDetailsService配置,请添加类型为ReactiveUserDetailsService或ReactiveAuthenticationManager的bean。
当classpath中存在以下任何Spring Security模块时,自动配置也将被禁用
-
spring-security-oauth2-client -
spring-security-oauth2-resource-server
要在同时依赖一个或多个这些依赖项的情况下使用ReactiveUserDetailsService,请定义您自己的MapReactiveUserDetailsService bean。
可以通过添加自定义的SecurityWebFilterChain bean来配置访问规则以及OAuth 2客户端和资源服务器等多个Spring Security组件的使用。Spring Boot提供了方便的方法,可用于覆盖执行器端点和静态资源的访问规则。EndpointRequest可用于创建一个基于management.endpoints.web.base-path属性的ServerWebExchangeMatcher。
PathRequest可用于为常用位置中的资源创建ServerWebExchangeMatcher。
例如,您可以通过添加如下内容来自定义安全配置
-
Java
-
Kotlin
import org.springframework.boot.autoconfigure.security.reactive.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;
@Configuration(proxyBeanMethods = false)
public class MyWebFluxSecurityConfiguration {
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http.authorizeExchange((exchange) -> {
exchange.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
exchange.pathMatchers("/foo", "/bar").authenticated();
});
http.formLogin(withDefaults());
return http.build();
}
}import org.springframework.boot.autoconfigure.security.reactive.PathRequest
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.Customizer.withDefaults
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain
@Configuration(proxyBeanMethods = false)
class MyWebFluxSecurityConfiguration {
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http.authorizeExchange { spec ->
spec.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
spec.pathMatchers("/foo", "/bar").authenticated()
}
http.formLogin(withDefaults())
return http.build()
}
}OAuth2
OAuth2 是一个广泛使用的授权框架,Spring 支持该框架。
客户端
如果您的classpath中包含spring-security-oauth2-client,您可以利用一些自动配置来设置OAuth2/Open ID Connect客户端。此配置使用OAuth2ClientProperties下的属性。相同的属性适用于servlet和响应式应用程序。
您可以使用spring.security.oauth2.client前缀注册多个OAuth2客户端和提供程序,如下例所示
-
属性
-
YAML
spring.security.oauth2.client.registration.my-login-client.client-id=abcd
spring.security.oauth2.client.registration.my-login-client.client-secret=password
spring.security.oauth2.client.registration.my-login-client.client-name=Client for OpenID Connect
spring.security.oauth2.client.registration.my-login-client.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-login-client.scope=openid,profile,email,phone,address
spring.security.oauth2.client.registration.my-login-client.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.my-login-client.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-login-client.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.my-client-1.client-id=abcd
spring.security.oauth2.client.registration.my-client-1.client-secret=password
spring.security.oauth2.client.registration.my-client-1.client-name=Client for user scope
spring.security.oauth2.client.registration.my-client-1.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-1.scope=user
spring.security.oauth2.client.registration.my-client-1.redirect-uri={baseUrl}/authorized/user
spring.security.oauth2.client.registration.my-client-1.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-client-1.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.my-client-2.client-secret=password
spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-2.scope=email
spring.security.oauth2.client.registration.my-client-2.redirect-uri={baseUrl}/authorized/email
spring.security.oauth2.client.registration.my-client-2.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=https://my-auth-server.com/oauth2/authorize
spring.security.oauth2.client.provider.my-oauth-provider.token-uri=https://my-auth-server.com/oauth2/token
spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=https://my-auth-server.com/userinfo
spring.security.oauth2.client.provider.my-oauth-provider.user-info-authentication-method=header
spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=https://my-auth-server.com/oauth2/jwks
spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=namespring:
security:
oauth2:
client:
registration:
my-login-client:
client-id: "abcd"
client-secret: "password"
client-name: "Client for OpenID Connect"
provider: "my-oauth-provider"
scope: "openid,profile,email,phone,address"
redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
client-authentication-method: "client_secret_basic"
authorization-grant-type: "authorization_code"
my-client-1:
client-id: "abcd"
client-secret: "password"
client-name: "Client for user scope"
provider: "my-oauth-provider"
scope: "user"
redirect-uri: "{baseUrl}/authorized/user"
client-authentication-method: "client_secret_basic"
authorization-grant-type: "authorization_code"
my-client-2:
client-id: "abcd"
client-secret: "password"
client-name: "Client for email scope"
provider: "my-oauth-provider"
scope: "email"
redirect-uri: "{baseUrl}/authorized/email"
client-authentication-method: "client_secret_basic"
authorization-grant-type: "authorization_code"
provider:
my-oauth-provider:
authorization-uri: "https://my-auth-server.com/oauth2/authorize"
token-uri: "https://my-auth-server.com/oauth2/token"
user-info-uri: "https://my-auth-server.com/userinfo"
user-info-authentication-method: "header"
jwk-set-uri: "https://my-auth-server.com/oauth2/jwks"
user-name-attribute: "name"对于支持OpenID Connect发现的OpenID Connect提供程序,配置可以进一步简化。需要使用其断言为其发行者标识符的URI配置提供程序的issuer-uri。例如,如果提供的issuer-uri是“https://example.com”,则将向“https://example.com/.well-known/openid-configuration”发出“OpenID提供程序配置请求”。预期结果是“OpenID提供程序配置响应”。以下示例显示如何使用issuer-uri配置OpenID Connect提供程序
-
属性
-
YAML
spring.security.oauth2.client.provider.oidc-provider.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/spring:
security:
oauth2:
client:
provider:
oidc-provider:
issuer-uri: "https://dev-123456.oktapreview.com/oauth2/default/"默认情况下,Spring Security的OAuth2LoginAuthenticationFilter仅处理与/login/oauth2/code/*匹配的URL。如果您想自定义redirect-uri以使用不同的模式,则需要提供配置来处理该自定义模式。例如,对于servlet应用程序,您可以添加自己的SecurityFilterChain,类似于以下内容
-
Java
-
Kotlin
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
public class MyOAuthClientConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((requests) -> requests
.anyRequest().authenticated()
)
.oauth2Login((login) -> login
.redirectionEndpoint((endpoint) -> endpoint
.baseUri("/login/oauth2/callback/*")
)
);
return http.build();
}
}import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain
@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
open class MyOAuthClientConfiguration {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login {
redirectionEndpoint {
baseUri = "/login/oauth2/callback/*"
}
}
}
return http.build()
}
}Spring Boot自动配置一个InMemoryOAuth2AuthorizedClientService,Spring Security使用它来管理客户端注册。InMemoryOAuth2AuthorizedClientService功能有限,我们建议仅在开发环境中使用它。对于生产环境,请考虑使用JdbcOAuth2AuthorizedClientService或创建您自己的OAuth2AuthorizedClientService实现。 |
常用提供程序的OAuth2客户端注册
对于常见的OAuth2和OpenID提供程序(包括Google、Github、Facebook和Okta),我们提供了一组提供程序默认值(分别为google、github、facebook和okta)。
如果您不需要自定义这些提供程序,您可以将provider属性设置为需要从中推断默认值的属性。此外,如果客户端注册的键与支持的默认提供程序匹配,Spring Boot也会推断出来。
换句话说,以下示例中的两个配置都使用Google提供程序
-
属性
-
YAML
spring.security.oauth2.client.registration.my-client.client-id=abcd
spring.security.oauth2.client.registration.my-client.client-secret=password
spring.security.oauth2.client.registration.my-client.provider=google
spring.security.oauth2.client.registration.google.client-id=abcd
spring.security.oauth2.client.registration.google.client-secret=passwordspring:
security:
oauth2:
client:
registration:
my-client:
client-id: "abcd"
client-secret: "password"
provider: "google"
google:
client-id: "abcd"
client-secret: "password"资源服务器
如果您的classpath中包含spring-security-oauth2-resource-server,则Spring Boot可以设置OAuth2资源服务器。对于JWT配置,需要指定JWK Set URI或OIDC Issuer URI,如下例所示
-
属性
-
YAML
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://example.com/oauth2/default/v1/keysspring:
security:
oauth2:
resourceserver:
jwt:
jwk-set-uri: "https://example.com/oauth2/default/v1/keys"-
属性
-
YAML
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: "https://dev-123456.oktapreview.com/oauth2/default/"如果授权服务器不支持JWK Set URI,您可以使用用于验证JWT签名的公钥配置资源服务器。这可以通过spring.security.oauth2.resourceserver.jwt.public-key-location属性完成,其中该值需要指向包含PEM编码x509格式公钥的文件。 |
spring.security.oauth2.resourceserver.jwt.audiences属性可用于指定JWT中aud声明的预期值。例如,要求JWT包含值为my-audience的aud声明
-
属性
-
YAML
spring.security.oauth2.resourceserver.jwt.audiences[0]=my-audiencespring:
security:
oauth2:
resourceserver:
jwt:
audiences:
- "my-audience"相同的属性适用于servlet和响应式应用程序。或者,您可以为servlet应用程序定义您自己的JwtDecoder bean,或为响应式应用程序定义ReactiveJwtDecoder。
在使用不透明令牌而不是JWT的情况下,您可以配置以下属性以通过内省来验证令牌
-
属性
-
YAML
spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://example.com/check-token
spring.security.oauth2.resourceserver.opaquetoken.client-id=my-client-id
spring.security.oauth2.resourceserver.opaquetoken.client-secret=my-client-secretspring:
security:
oauth2:
resourceserver:
opaquetoken:
introspection-uri: "https://example.com/check-token"
client-id: "my-client-id"
client-secret: "my-client-secret"同样,相同的属性适用于servlet和响应式应用程序。或者,您可以为servlet应用程序定义您自己的OpaqueTokenIntrospector bean,或为响应式应用程序定义ReactiveOpaqueTokenIntrospector。
授权服务器
如果您的classpath中包含spring-security-oauth2-authorization-server,您可以利用一些自动配置来设置基于Servlet的OAuth2授权服务器。
您可以使用spring.security.oauth2.authorizationserver.client前缀注册多个OAuth2客户端,如下例所示
-
属性
-
YAML
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-id=abcd
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-secret={noop}secret1
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-authentication-methods[0]=client_secret_basic
spring.security.oauth2.authorizationserver.client.my-client-1.registration.authorization-grant-types[0]=authorization_code
spring.security.oauth2.authorizationserver.client.my-client-1.registration.authorization-grant-types[1]=refresh_token
spring.security.oauth2.authorizationserver.client.my-client-1.registration.redirect-uris[0]=https://my-client-1.com/login/oauth2/code/abcd
spring.security.oauth2.authorizationserver.client.my-client-1.registration.redirect-uris[1]=https://my-client-1.com/authorized
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[0]=openid
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[1]=profile
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[2]=email
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[3]=phone
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[4]=address
spring.security.oauth2.authorizationserver.client.my-client-1.require-authorization-consent=true
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-id=efgh
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-secret={noop}secret2
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-authentication-methods[0]=client_secret_jwt
spring.security.oauth2.authorizationserver.client.my-client-2.registration.authorization-grant-types[0]=client_credentials
spring.security.oauth2.authorizationserver.client.my-client-2.registration.scopes[0]=user.read
spring.security.oauth2.authorizationserver.client.my-client-2.registration.scopes[1]=user.write
spring.security.oauth2.authorizationserver.client.my-client-2.jwk-set-uri=https://my-client-2.com/jwks
spring.security.oauth2.authorizationserver.client.my-client-2.token-endpoint-authentication-signing-algorithm=RS256spring:
security:
oauth2:
authorizationserver:
client:
my-client-1:
registration:
client-id: "abcd"
client-secret: "{noop}secret1"
client-authentication-methods:
- "client_secret_basic"
authorization-grant-types:
- "authorization_code"
- "refresh_token"
redirect-uris:
- "https://my-client-1.com/login/oauth2/code/abcd"
- "https://my-client-1.com/authorized"
scopes:
- "openid"
- "profile"
- "email"
- "phone"
- "address"
require-authorization-consent: true
my-client-2:
registration:
client-id: "efgh"
client-secret: "{noop}secret2"
client-authentication-methods:
- "client_secret_jwt"
authorization-grant-types:
- "client_credentials"
scopes:
- "user.read"
- "user.write"
jwk-set-uri: "https://my-client-2.com/jwks"
token-endpoint-authentication-signing-algorithm: "RS256"client-secret属性必须采用配置的PasswordEncoder可以匹配的格式。PasswordEncoder的默认实例是通过PasswordEncoderFactories.createDelegatingPasswordEncoder()创建的。 |
Spring Boot为Spring Authorization Server提供的自动配置旨在快速入门。大多数应用程序都需要自定义,并且需要定义多个bean来覆盖自动配置。
可以定义以下组件作为bean来覆盖特定于Spring Authorization Server的自动配置
-
RegisteredClientRepository -
AuthorizationServerSettings -
SecurityFilterChain -
com.nimbusds.jose.jwk.source.JWKSource<com.nimbusds.jose.proc.SecurityContext> -
JwtDecoder
Spring Boot自动配置一个InMemoryRegisteredClientRepository,Spring Authorization Server使用它来管理已注册的客户端。InMemoryRegisteredClientRepository功能有限,我们建议仅在开发环境中使用它。对于生产环境,请考虑使用JdbcRegisteredClientRepository或创建您自己的RegisteredClientRepository实现。 |
更多信息可在入门章节中找到,该章节位于Spring Authorization Server参考指南中。
SAML 2.0
依赖方
如果您的classpath中包含spring-security-saml2-service-provider,您可以利用一些自动配置来设置SAML 2.0依赖方。此配置使用Saml2RelyingPartyProperties下的属性。
依赖方注册表示身份提供程序IDP和服务提供程序SP之间的配对配置。您可以使用spring.security.saml2.relyingparty前缀注册多个依赖方,如下例所示
-
属性
-
YAML
spring.security.saml2.relyingparty.registration.my-relying-party1.signing.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party1.signing.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party1.decryption.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party1.decryption.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.url=https://myapp/logout/saml2/slo
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.response-url=https://remoteidp2.slo.url
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.binding=POST
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.verification.credentials[0].certificate-location=path-to-verification-cert
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.entity-id=remote-idp-entity-id1
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.sso-url=https://remoteidp1.sso.url
spring.security.saml2.relyingparty.registration.my-relying-party2.signing.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party2.signing.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party2.decryption.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party2.decryption.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.verification.credentials[0].certificate-location=path-to-other-verification-cert
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.entity-id=remote-idp-entity-id2
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.sso-url=https://remoteidp2.sso.url
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.url=https://remoteidp2.slo.url
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.response-url=https://myapp/logout/saml2/slo
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.binding=POSTspring:
security:
saml2:
relyingparty:
registration:
my-relying-party1:
signing:
credentials:
- private-key-location: "path-to-private-key"
certificate-location: "path-to-certificate"
decryption:
credentials:
- private-key-location: "path-to-private-key"
certificate-location: "path-to-certificate"
singlelogout:
url: "https://myapp/logout/saml2/slo"
response-url: "https://remoteidp2.slo.url"
binding: "POST"
assertingparty:
verification:
credentials:
- certificate-location: "path-to-verification-cert"
entity-id: "remote-idp-entity-id1"
sso-url: "https://remoteidp1.sso.url"
my-relying-party2:
signing:
credentials:
- private-key-location: "path-to-private-key"
certificate-location: "path-to-certificate"
decryption:
credentials:
- private-key-location: "path-to-private-key"
certificate-location: "path-to-certificate"
assertingparty:
verification:
credentials:
- certificate-location: "path-to-other-verification-cert"
entity-id: "remote-idp-entity-id2"
sso-url: "https://remoteidp2.sso.url"
singlelogout:
url: "https://remoteidp2.slo.url"
response-url: "https://myapp/logout/saml2/slo"
binding: "POST"对于SAML2注销,默认情况下,Spring Security的Saml2LogoutRequestFilter和Saml2LogoutResponseFilter仅处理与/logout/saml2/slo匹配的URL。如果您想自定义AP启动的注销请求发送到的url或AP发送注销响应到的response-url以使用不同的模式,则需要提供配置来处理该自定义模式。例如,对于servlet应用程序,您可以添加自己的SecurityFilterChain,类似于以下内容
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;
@Configuration(proxyBeanMethods = false)
public class MySamlRelyingPartyConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
http.saml2Login(withDefaults());
http.saml2Logout((saml2) -> saml2.logoutRequest((request) -> request.logoutUrl("/SLOService.saml2"))
.logoutResponse((response) -> response.logoutUrl("/SLOService.saml2")));
return http.build();
}
}
