Spring Security from 2.1.0 -> 2.5.0 SAML - many deprecations

A small question about Spring Security 2.5.0.

We had a Spring Boot + Spring Security project on 2.1.0.

Now I have upgraded to Spring Boot 2.5.0 + spring-security-saml2-service-provider 5.5.0.

The business logic works fine; we use it for SAML authentication without any problems.

We have a snippet that looks like this:

```java
// Builder API as it existed in Spring Security 5.1/5.2 (Spring Boot 2.1.0);
// most of these builder methods are deprecated in Spring Security 5.5.
RelyingPartyRegistration getSaml2AuthenticationConfiguration(String registrationId, String idpEntityId,
        String webSsoEndpoint, String localEntityIdTemplate) {
    //local signing (and decryption key)
    Saml2X509Credential signingCredential = getSigningCredential();
    //IDP certificate for verification of incoming messages
    Saml2X509Credential idpVerificationCertificate = getVerificationCertificate();
    String acsUrlTemplate = "{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI;
    return RelyingPartyRegistration.withRegistrationId(registrationId)
            .remoteIdpEntityId(idpEntityId)
            .idpWebSsoUrl(webSsoEndpoint)
            .credentials(c -> c.add(signingCredential))
            .credentials(c -> c.add(idpVerificationCertificate))
            .localEntityIdTemplate(localEntityIdTemplate)
            .assertionConsumerServiceUrlTemplate(acsUrlTemplate)
            .build();
}
```

Again, this works fine.

We upgraded the project to the latest (at the time of writing) 2.5.0, and now see deprecation warnings on most lines of that snippet.

Looking at Spring Security 5.5.0, it suggests using assertionConsumerServiceLocation instead.

But I am having a hard time understanding: what is the string that replaces all of this?

```java
return RelyingPartyRegistration.withRegistrationId(registrationId).assertionConsumerServiceLocation("what comes here?").build();
```

Any help?

The motivation for the deprecations is that RelyingPartyRegistration should use the language of the spec:

The conventions have changed to better follow the metadata descriptors that the registration is meant to represent.

For example, RelyingPartyRegistration.ProviderDetails contains a method called getWebSsoUrl, but this doesn't readily map to anything in the IDPSSODescriptor. It would be clearer to name it getSingleSignOnServiceLocation since this information is located in <SingleSignOnService Location='${LOCATION}'/>.

You can see what you should use instead in the method's javadoc, like this:

```java
/**
 * @deprecated Use {@link #assertionConsumerServiceLocation} instead.
 */
@Deprecated
public Builder assertionConsumerServiceUrlTemplate(String assertionConsumerServiceUrlTemplate) {
    this.assertionConsumerServiceLocation = assertionConsumerServiceUrlTemplate;
    return this;
}
```

Or just open the file in the official Spring Security repository.

After checking the Spring Security documentation, this is the equivalent in the new Spring Security 5.5+ API:

```java
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;

RelyingPartyRegistration getSaml2AuthenticationConfiguration() {
    //remote IDP entity ID (for SimpleSAMLphp this is the metadata.php URL)
    String idpEntityId = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php";

    //remote WebSSO Endpoint - Where to Send AuthNRequests to (SSOService.php, not the metadata URL)
    String webSsoEndpoint = "https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SSOService.php";

    //{baseUrl} is resolved from the incoming request when the registration is used
    String acsUrlTemplate = "{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI;

    //local signing (and decryption) key - helper methods from the question
    Saml2X509Credential relyingPartySigningCredential = getSigningCredential();
    //IDP certificate for verification of incoming messages - helper method from the question
    Saml2X509Credential assertingPartyVerificationCredential = getVerificationCertificate();

    //local registration ID
    String registrationId = "registrationId";
    //local entity ID - autogenerated based on URL
    String localEntityIdTemplate = "localEntityIdTemplate";

    return RelyingPartyRegistration
            .withRegistrationId(registrationId)
            .entityId(localEntityIdTemplate)
            .assertionConsumerServiceLocation(acsUrlTemplate)
            .signingX509Credentials(c -> c.add(relyingPartySigningCredential))
            .assertingPartyDetails(details -> details
                    .verificationX509Credentials(c -> c.add(assertingPartyVerificationCredential))
                    .singleSignOnServiceLocation(webSsoEndpoint)
                    .entityId(idpEntityId))
            .build();
}
```
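The answer above shows the one-to-one renames; what a practitioner migrating also has to get right is where each credential now goes, because in the 5.5 builder the purpose of a key is no longer carried by the order of `credentials(...)` calls but by the collection it is added to (`signingX509Credentials` / `decryptionX509Credentials` for the relying party, `verificationX509Credentials` / `encryptionX509Credentials` for the asserting party). The following is an added example, not code from the question, the answer or the Spring Security project: it builds the same registration with the non-deprecated API, loading the keys from PEM strings with the JDK instead of the question's undefined `getSigningCredential()` / `getVerificationCertificate()` helpers. The IdP entity ID and SSO endpoint (`idp.example.test`), the registration ID and the PEM placeholders are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;

public final class Saml2RegistrationConfig {

    /**
     * Builds the 5.5-style registration. The PEM parameters are assumed to come from a
     * keystore or secrets manager; they are not part of the original page.
     */
    static RelyingPartyRegistrationRepository relyingPartyRegistrations(
            String spPrivateKeyPem, String spCertificatePem, String idpSigningCertificatePem) throws Exception {

        PrivateKey spKey = readPkcs8PrivateKey(spPrivateKeyPem);
        X509Certificate spCert = readX509Certificate(spCertificatePem);
        X509Certificate idpCert = readX509Certificate(idpSigningCertificatePem);

        // The factory method fixes the credential usage; build() rejects a credential added to a
        // collection whose usage it does not carry, so a verification cert cannot end up as a signing key.
        Saml2X509Credential spSigning = Saml2X509Credential.signing(spKey, spCert);
        Saml2X509Credential spDecryption = Saml2X509Credential.decryption(spKey, spCert);
        // Only the IdP's public certificate is needed to verify signatures on incoming messages.
        Saml2X509Credential idpVerification = Saml2X509Credential.verification(idpCert);

        RelyingPartyRegistration registration = RelyingPartyRegistration.withRegistrationId("simplesamlphp") // assumed ID
                // SPSSODescriptor side: {baseUrl} and {registrationId} are resolved from the incoming request
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .assertionConsumerServiceLocation("{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI)
                .assertionConsumerServiceBinding(Saml2MessageBinding.POST)
                .signingX509Credentials(c -> c.add(spSigning))
                .decryptionX509Credentials(c -> c.add(spDecryption))
                // IDPSSODescriptor side: names follow <EntityDescriptor entityID> and <SingleSignOnService Location>
                .assertingPartyDetails(idp -> idp
                        .entityId("https://idp.example.test/saml2/idp/metadata.php")            // assumed IdP entityID
                        .singleSignOnServiceLocation("https://idp.example.test/saml2/idp/SSOService.php") // assumed endpoint
                        .singleSignOnServiceBinding(Saml2MessageBinding.REDIRECT)
                        .wantAuthnRequestsSigned(true)
                        .verificationX509Credentials(c -> c.add(idpVerification)))
                .build();

        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    /** Parses an unencrypted PKCS#8 "-----BEGIN PRIVATE KEY-----" block (RSA assumed). */
    static PrivateKey readPkcs8PrivateKey(String pem) throws Exception {
        String body = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** CertificateFactory accepts the PEM framing directly. */
    static X509Certificate readX509Certificate(String pem) throws Exception {
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }
}
```

Two things to check after migrating. First, the `{baseUrl}` placeholders are substituted from the incoming request at runtime, so an application behind a reverse proxy or load balancer must see the externally visible scheme and host (trusted forwarded headers), otherwise the entity ID and ACS location in the generated AuthnRequest will not match what the IdP has on file. Second, if you keep constructing credentials with the deprecated `Saml2X509Credential` constructor, make sure the usage flags match the collection you add them to; the `signing(...)`, `decryption(...)`, `verification(...)` and `encryption(...)` factory methods make that explicit.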