Spring Sec SAML Samples 2.0.0.M17: How to add custom SAML attribute statement to SAML response? - spring-saml

The samples ...
https://github.com/spring-projects/spring-security-saml/tree/develop/samples/boot
... work nicely. Thanks a lot.
I use: 2.0.0.M17
Derived from the samples, I got a working Identity Provider (IP) up and running, almost according to my basic needs (Spring Sec SAML Extension).
I referred to the documentation at https://docs.spring.io/spring-security-saml/docs/2.0.x-SNAPSHOT/
Sidenotes:
The Service Provider (SP) side is not implemented with the help of Spring Security
My IP implementation is primarily for testing purposes, similar to Mujina
and also to give a working design-by-contract example.
I lack the following information:
How can I add a custom SAML attribute statement on the IP side?
What declaration exactly determines, that a custom SAML attribute statement is to be provided by the IP, if there is any?
Where is it intended to programmatically fill the custom SAML attribute statement? I cannot find a class named SAMLUserDetailsService as it used to be, according to the documentation, which I do not expect to be updated yet.
Would you recommend modifying the samples for my purpose, or is it still too much work in progress to be used?
Thanks in advance

Related

Create an XML assertion sso-like with Spring

I'm kind of a newbie in the Spring world, and I'm trying to run a POC for a SAML SSO assertion type.
I've implemented locally this project https://github.com/vdenotaris/spring-boot-security-saml-sample
and ran it against SSOCircle, but eventually I'm going to need to use my own IDP. What I'm trying to do right now doesn't involve actually validating the user; I want the demo project from GitHub to point to a different Spring project.
That part is actually done: I've added to my IDP-demo page an XML metadata document which is consumed by the Service Provider. Then, in my IDP-demo, I type any email address and it should take me back to the Service Provider (the vdenotaris sample project) with a valid assertion.
How can I dynamically generate this XML assertion? I've read the Spring docs and the SAML docs with no luck. If anyone can point me to the right place or even the proper documentation, I'll be thankful.

Web client for spring-data-rest CRUD endpoints?

Spring Data REST creates a CRUD web server with a discoverable API, so it seems it should be possible to write a generalized web client application for it. Is there such an application?
Maybe you are looking for a HAL browser
https://www.baeldung.com/spring-rest-hal
or
something like https://www.npmjs.com/package/angular-spring-data-rest
https://www.npmjs.com/package/angular4-hal
I hope you mean sample client stubs. Actually, a web client cannot be generalized beyond the resources it has; that would not be quite meaningful.
You can try the steps below with Swagger. Using Swagger here would be really convenient (over RAML etc.) since spring-data-rest generates the Swagger spec itself for you.
Take your swagger spec
Paste it at https://editor.swagger.io/.
Go to Generate Client => your favorite programming language.
It will then generate sample client stubs for you in the language you have selected.
I think this should be by far the most generalized point that makes sense.
-Addition-
The primary problem spring-data-rest has solved is abstracting out all the common functionality attached to controllers (e.g., response/request mapping) and making it readily available and configurable, so that the developer no longer needs to re-invent/duplicate it every time they code a new endpoint.
So as you have suggested generating client-stubs is completely out of spring-data-rest scope. Please read the documentation for more info.

Spring security openID attribute access

My question is similar to this SO question.
But I am using Spring Security 3.1.4, in which the following call is deprecated:
`(OpenIDAuthenticationToken) exception.getAuthentication()`
What is the alternative mechanism to get the OpenIDAuthenticationToken in a SimpleUrlAuthenticationFailureHandler implementation?
Thanks for your time and help.
If your requirement is to register users who are not already in your system, you can do that in the same way that the sample application does.
If you need more interaction with the user at that point, then the only alternative to the deprecated method that springs to mind would be to use your own custom exception.
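The "custom exception" alternative from the answer above, written out as an added example (not code from the asker or the answerer, and not Spring's sample application). It assumes Spring Security 3.1.x with the openid module on the classpath; `UserRepository` and the `/register` URL are hypothetical application-side names. The exception carries the already-verified OpenIDAuthenticationToken, so the failure handler never needs the deprecated `getAuthentication()`.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.openid.OpenIDAttribute;
import org.springframework.security.openid.OpenIDAuthenticationToken;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/** Custom exception that carries the verified OpenID token instead of relying on getAuthentication(). */
class UnregisteredOpenIDUserException extends AuthenticationException {
    private final OpenIDAuthenticationToken token;

    UnregisteredOpenIDUserException(String msg, OpenIDAuthenticationToken token) {
        super(msg);
        this.token = token;
    }

    OpenIDAuthenticationToken getToken() {
        return token;
    }
}

/** Hypothetical user lookup: throws the custom exception when the OpenID identity is not registered yet. */
class RegisteringUserDetailsService implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> {
    /** Assumed application repository; not a Spring type. */
    interface UserRepository {
        UserDetails findByOpenId(String identityUrl);
    }

    private final UserRepository users;

    RegisteringUserDetailsService(UserRepository users) {
        this.users = users;
    }

    @Override
    public UserDetails loadUserDetails(OpenIDAuthenticationToken token) {
        UserDetails user = users.findByOpenId(token.getIdentityUrl());
        if (user == null) {
            // The OpenIDAuthenticationProvider has already verified the assertion at this point,
            // so the token's identity and attributes are trustworthy input for a registration flow.
            throw new UnregisteredOpenIDUserException("unknown OpenID identity", token);
        }
        return user;
    }
}

/** Failure handler that reads the token from the custom exception and starts registration. */
class RegistrationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        if (exception instanceof UnregisteredOpenIDUserException) {
            OpenIDAuthenticationToken token = ((UnregisteredOpenIDUserException) exception).getToken();
            // Stash the verified attributes in the session so the registration form can pre-fill them.
            for (OpenIDAttribute attribute : token.getAttributes()) {
                List<String> values = attribute.getValues();
                request.getSession().setAttribute("openid." + attribute.getName(),
                        values.isEmpty() ? null : values.get(0));
            }
            request.getSession().setAttribute("openid.identity", token.getIdentityUrl());
            getRedirectStrategy().sendRedirect(request, response, "/register");
            return;
        }
        // Every other failure (bad signature, cancelled login, ...) keeps the default behaviour.
        super.onAuthenticationFailure(request, response, exception);
    }
}
```

Wire `RegisteringUserDetailsService` into the `<openid-login>` element's `user-service-ref` and `RegistrationFailureHandler` into its `authentication-failure-handler-ref`; only the identity and attributes that the provider has verified end up in the session, and all other failures fall through to the standard handler.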

How to execute custom handler before Spring authentication manager

I wanted to know whether it is possible to have a custom handler executed just before the Spring authentication manager. I wanted to validate licenses for the user before he accesses the system. Initially I wrote a custom filter and executed it before calling the authentication manager, but in this case he won't be able to access some resources since he is not authenticated. Later I moved my code to the successHandler of Spring, which worked fine, except that it has some security issues: for example, if opened in multiple tabs it fails.
Any help is highly appreciated.
Thanks,
Brijesh
I think what you are looking for is to add a Spring AuthenticationProvider. In short, an AuthenticationManager has a list of AuthenticationProviders, each of which is queried in order. The question and answer to Multiple Authentication Providers in Spring Security has a good explanation of this. The Spring documentation also explains how the various components fit together.
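The AuthenticationProvider approach from the answer above, as an added example (not the asker's code and not from the linked question). It assumes Spring Security 3.x or later; `LicenseService` is a hypothetical application-side interface. The provider wraps the real one (for example a DaoAuthenticationProvider) so the license check runs inside the AuthenticationManager, once per login, and its result is what ends up in the SecurityContext rather than in per-tab state.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Decorating provider: delegates credential checking to the wrapped provider and
 * then refuses authentication for users without a valid license.
 */
public class LicenseCheckingAuthenticationProvider implements AuthenticationProvider {

    /** Assumed application-specific service; not part of Spring. */
    public interface LicenseService {
        boolean isLicenseValid(String username);
    }

    private final AuthenticationProvider delegate;
    private final LicenseService licenseService;

    public LicenseCheckingAuthenticationProvider(AuthenticationProvider delegate,
                                                 LicenseService licenseService) {
        this.delegate = delegate;
        this.licenseService = licenseService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Verify the credentials first: checking the license before the password would let an
        // unauthenticated caller learn which accounts are licensed.
        Authentication result = delegate.authenticate(authentication);
        if (result == null) {
            return null; // the delegate could not decide; the ProviderManager tries the next provider
        }
        if (!licenseService.isLicenseValid(result.getName())) {
            // Throwing an AuthenticationException leaves the user unauthenticated and routes the
            // request to the configured failure handler, unlike a check done in the success handler.
            throw new LockedException("No valid license for user " + result.getName());
        }
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```

Register it as the provider of the `<authentication-manager>` (XML) or via `http.authenticationProvider(...)` (Java config) in place of the wrapped one. Because the check is part of authentication itself, the user is never in an "authenticated but unchecked" state between filters, which is what caused the multi-tab problem with the success-handler approach.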

Spring Context Event

I am currently studying Spring.
While reading a Spring book, I came across a part regarding Events.
By using context.publishEvent(..), I could trigger the event.
But I don't know what it's exactly for.
I can use other methods instead of using the complicated publishEvent.
Please tell me. Thank you.
Spring Events are used to implement the publish-subscribe model (or observer pattern), where two unrelated parts of the code must somehow be connected.
Think of the analogy in web applications, where the servlet container creates HTTP sessions and your code is informed about this through javax.servlet.http.HttpSessionListener.
Spring uses this mechanism internally. It's much more visible in Spring Security, where several parts of the code are informed about, e.g., successful authentication.
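An added example of the publish-subscribe model described in the answer above (not code from the asker, the answerer, or the book). It assumes Spring 4.2 or later for `@EventListener`, and, for the second listener, that Spring Security's ProviderManager has an AuthenticationEventPublisher configured (the default with Spring Boot or Java config). `OrderPlacedEvent` and `OrderService` are constructed domain names: the publisher knows nothing about who listens, which is the point the answer makes.

```java
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

/** Constructed domain event: "an order was placed". */
class OrderPlacedEvent extends ApplicationEvent {
    private final String orderId;

    OrderPlacedEvent(Object source, String orderId) {
        super(source);
        this.orderId = orderId;
    }

    String getOrderId() {
        return orderId;
    }
}

/** Publisher side: raises the event and has no reference to any listener. */
@Component
class OrderService {
    private final ApplicationEventPublisher publisher;

    OrderService(ApplicationEventPublisher publisher) {
        this.publisher = publisher;
    }

    void placeOrder(String orderId) {
        // ... persist the order ...
        publisher.publishEvent(new OrderPlacedEvent(this, orderId));
    }
}

/** Subscriber side: an audit trail added without touching OrderService or the login code. */
@Component
class AuditListener {
    // Invoked by the context for every OrderPlacedEvent, synchronously in the publishing thread.
    @EventListener
    public void onOrderPlaced(OrderPlacedEvent event) {
        System.out.println("audit: order " + event.getOrderId() + " placed");
    }

    // Spring Security publishes this event itself after a successful login; subscribing to it
    // is the "several parts of the code are informed" case from the answer.
    @EventListener
    public void onLogin(AuthenticationSuccessEvent event) {
        System.out.println("audit: login by " + event.getAuthentication().getName());
    }
}
```

Calling `orderService.placeOrder("A-1")` prints the audit line, and a successful login prints the second one. Listeners run in the caller's thread by default, so a listener that throws an exception fails the publishing call; put slow or failure-prone work behind `@Async` or a queue if the publisher must not be affected.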
