org.springframework.security.config.annotation.web.configurers.saml2

Class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<T,B>

org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer<B,Saml2LoginConfigurer<B>,org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter>

org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer<B>

All Implemented Interfaces:

SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,B>

public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
extends AbstractAuthenticationFilterConfigurer<B,Saml2LoginConfigurer<B>,org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter>

An AbstractHttpConfigurer for SAML 2.0 Login, which leverages the SAML 2.0 Web Browser Single Sign On (WebSSO) Flow.

SAML 2.0 Login provides an application with the capability to have users log in by using their existing account at an SAML 2.0 Identity Provider.

Defaults are provided for all configuration options with the only required configuration being relyingPartyRegistrationRepository(RelyingPartyRegistrationRepository) . Alternatively, a RelyingPartyRegistrationRepository @Bean may be registered instead.

Security Filters

The following Filter's are populated:

• Saml2WebSsoAuthenticationFilter
• Saml2WebSsoAuthenticationRequestFilter

Shared Objects Created

The following shared objects are populated:

• RelyingPartyRegistrationRepository (required)
• Saml2AuthenticationRequestFactory (optional)

Shared Objects Used

The following shared objects are used:

• RelyingPartyRegistrationRepository (required)
• Saml2AuthenticationRequestFactory (optional)
• DefaultLoginPageGeneratingFilter - if loginPage(String) is not configured and DefaultLoginPageGeneratingFilter is available, than a default login page will be made available

Since:

5.2

See Also:

HttpSecurity.saml2Login(), Saml2WebSsoAuthenticationFilter, Saml2WebSsoAuthenticationRequestFilter, RelyingPartyRegistrationRepository, AbstractAuthenticationFilterConfigurer

Constructor Summary

Constructors

Constructor and Description
Saml2LoginConfigurer()

Method Summary

Modifier and Type	Method and Description
Saml2LoginConfigurer<B>	authenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager) Allows a configuration of a AuthenticationManager to be used during SAML 2 authentication.
void	configure(B http) Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
protected org.springframework.security.web.util.matcher.RequestMatcher	createLoginProcessingUrlMatcher(java.lang.String loginProcessingUrl) Create the RequestMatcher given a loginProcessingUrl
void	init(B http) Initialize the SecurityBuilder.
Saml2LoginConfigurer<B>	loginPage(java.lang.String loginPage) Specifies the URL to send users to if login is required.
Saml2LoginConfigurer<B>	loginProcessingUrl(java.lang.String loginProcessingUrl) Specifies the URL to validate the credentials.
Saml2LoginConfigurer	relyingPartyRegistrationRepository(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository repo) Sets the RelyingPartyRegistrationRepository of relying parties, each party representing a service provider, SP and this host, and identity provider, IDP pair that communicate with each other.

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer

authenticationDetailsSource, defaultSuccessUrl, defaultSuccessUrl, failureHandler, failureUrl, getAuthenticationEntryPoint, getAuthenticationEntryPointMatcher, getAuthenticationFilter, getFailureUrl, getLoginPage, getLoginProcessingUrl, isCustomLoginPage, permitAll, permitAll, registerAuthenticationEntryPoint, registerDefaultAuthenticationEntryPoint, setAuthenticationFilter, successHandler, updateAccessDefaults, updateAuthenticationDefaults

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer

disable, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, and, getBuilder, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

Saml2LoginConfigurer

public Saml2LoginConfigurer()

Method Detail

authenticationManager

public Saml2LoginConfigurer<B> authenticationManager(org.springframework.security.authentication.AuthenticationManager authenticationManager)

Allows a configuration of a AuthenticationManager to be used during SAML 2 authentication. If none is specified, the system will create one inject it into the Saml2WebSsoAuthenticationFilter

Parameters:

authenticationManager - the authentication manager to be used

Returns:

the Saml2LoginConfigurer for further configuration

Throws:

java.lang.IllegalArgumentException - if authenticationManager is null configure the default manager

Since:

5.3

relyingPartyRegistrationRepository

public Saml2LoginConfigurer relyingPartyRegistrationRepository(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository repo)

Sets the RelyingPartyRegistrationRepository of relying parties, each party representing a service provider, SP and this host, and identity provider, IDP pair that communicate with each other.

Parameters:

repo - the repository of relying parties

Returns:

the Saml2LoginConfigurer for further configuration

loginPage

public Saml2LoginConfigurer<B> loginPage(java.lang.String loginPage)

Specifies the URL to send users to if login is required. If used with WebSecurityConfigurerAdapter a default login page will be generated when this attribute is not specified.

If a URL is specified or this is not being used in conjuction with WebSecurityConfigurerAdapter, users are required to process the specified URL to generate a login page.

Overrides:

loginPage in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>,org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter>

loginProcessingUrl

public Saml2LoginConfigurer<B> loginProcessingUrl(java.lang.String loginProcessingUrl)

Specifies the URL to validate the credentials.

Overrides:

loginProcessingUrl in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>,org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter>

Parameters:

loginProcessingUrl - the URL to validate username and password

Returns:

the FormLoginConfigurer for additional customization

createLoginProcessingUrlMatcher

protected org.springframework.security.web.util.matcher.RequestMatcher createLoginProcessingUrlMatcher(java.lang.String loginProcessingUrl)

Create the RequestMatcher given a loginProcessingUrl

Specified by:

createLoginProcessingUrlMatcher in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>,org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter>

Parameters:

loginProcessingUrl - creates the RequestMatcher based upon the loginProcessingUrl

Returns:

the RequestMatcher to use based upon the loginProcessingUrl

init

public void init(B http)
          throws java.lang.Exception

Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here. Initializes this filter chain for SAML 2 Login. The following actions are taken:

• The WebSSO endpoint has CSRF disabled, typically /login/saml2/sso
• A is configured
• The loginProcessingUrl is set
• A custom login page is configured, or
• A default login page with all SAML 2.0 Identity Providers is configured
• An OpenSamlAuthenticationProvider is configured

Specified by:

init in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,B extends HttpSecurityBuilder<B>>

Overrides:

init in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>,org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter>

Throws:

java.lang.Exception

configure

public void configure(B http)
               throws java.lang.Exception

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder. During the configure phase, a Saml2WebSsoAuthenticationRequestFilter is added to handle SAML 2.0 AuthNRequest redirects

Specified by:

configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,B extends HttpSecurityBuilder<B>>

Overrides:

configure in class AbstractAuthenticationFilterConfigurer<B extends HttpSecurityBuilder<B>,Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>,org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter>

Throws:

java.lang.Exception