您至少有两个选择。
一种是实现自定义RequestMatcher
(org.springframework.security.web.util.RequestMatcher
),该自定义()在Spring SAML URL上将不匹配,并将其通过以下方式提供给csrf配置:
http.csrf().requireCsrfProtectionMatcher(matcher);
另一个更简单的方法是在单独的http配置中定义Spring SAML端点,该配置不会启用csrf保护。
用于执行此操作的XML配置可以类似于:
<!-- SAML processing endpoints -->
<security:http pattern="/saml/**" entry-point-ref="samlEntryPoint">
<security:custom-filter before="FIRST" ref="MetadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</security:http>
<!-- Secured pages with SAML as entry point -->
<security:http entry-point-ref="samlEntryPoint">
<security:csrf />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
<security:custom-filter before="FIRST" ref="MetadataGeneratorFilter"/>
</security:http>
对于Java配置,这样的方法应该起作用:
@Configuration
@EnableWebSecurity
public class MutlipleHttpConfigurationConfig {
@Configuration
@Order(1)
public static class SAMLWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/saml/**");
http.csrf().disable();
http.httpBasic().authenticationEntryPoint(samlEntryPoint());
http.addFilterBefore(MetadataGeneratorFilter(),
ChannelProcessingFilter.class).addFilterAfter(samlFilter(),
BasicAuthenticationFilter.class);
}
}
@Configuration
public static class BasicWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().authenticationEntryPoint(samlEntryPoint());
http.addFilterBefore(MetadataGeneratorFilter(), ChannelProcessingFilter.class);
http
.authorizeRequests()
.antMatchers("/error").permitAll()
.anyRequest()
.hasAnyAuthority("MyRole")
.anyRequest().authenticated();
http.logout().logoutSuccessUrl("/");
}
}
}
可以在Spring Security手册中找到有关使用Java配置定义多个http配置的详细信息。