  • Multiple SAMLEntryPoint/WebSSOProfileOptions based on URL supported?

    Hello,

    I tried creating a new SAMLEntryPoint that has a custom "authnContext" for my IDP as follows:

    <bean id="samlEntryPoint2" class="org.springframework.security.saml.SAMLEntryPoint">
    <property name="defaultProfileOptions">
    <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
    <property name="includeScoping" value="false"/>
    <property name="authnContexts">
    <list>
    <value>urn:custom:Level2</value>
    </list>
    </property>
    <property name="authnContextComparison" value="EXACT"/>
    </bean>
    </property>
    </bean>
    I then changed the security:http element to point to this as follows:

    <security:http entry-point-ref="samlEntryPoint2">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>

    This works great!

    However, I want to be able to use the two different SAMLEntryPoints -- "samlEntryPoint" and "samlEntryPoint2" -- based on the URL. I tried adding this:
    <security:http entry-point-ref="samlEntryPoint2">
    <security:intercept-url pattern="/ecslogin.jsp" access="IS_AUTHENTICATED_FULLY"/>
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>
    <security:http entry-point-ref="samlEntryPoint">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>

    but I get some error in the logs:
    ERROR 2013-03-05 15:08:26,283 [main] org.springframework.web.context.ContextLoader: Context initialization failed
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1422)
    ...
    Caused by: java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined before other patterns in the filter chain, causing them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration

    Do you know whether it is possible to have different SAMLEntryPoint/WebSSOProfileOptions based on URL?
    If it is possible, would you have hints on how to configure it?

    TIA

  • #2
    Ok, I figured out that it is indeed possible with your Spring SAML implementation.
    My problem was one of Spring Security configuration - or misconfiguration.

    Everything works as expected once I added the pattern attribute to the http element that I inserted before the "default":
    <security:http entry-point-ref="samlEntryPoint2" pattern="/ecslogin.jsp">
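
    The full two-chain layout that this fix leads to, written out here as an added example rather than configuration taken from the thread; it assumes the samlEntryPoint, samlEntryPoint2, metadataGeneratorFilter and samlFilter beans from the question are defined elsewhere in the context:

    ```xml
    <!-- Added example, not configuration from the thread. Assumes the
         samlEntryPoint, samlEntryPoint2, metadataGeneratorFilter and
         samlFilter beans from the question are defined in this context. -->

    <!-- Chain 1: only requests matching the http-level pattern use
         samlEntryPoint2 (the EXACT urn:custom:Level2 authnContext).
         It must precede the catch-all chain: Spring Security hands a
         request to the first chain whose pattern matches and never
         consults the later ones. -->
    <security:http pattern="/ecslogin.jsp" entry-point-ref="samlEntryPoint2">
        <!-- "/**" here means every request that reached this chain -->
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>

    <!-- Chain 2: no pattern attribute, so it matches every remaining
         request. Placing a catch-all chain first shadows chain 1, which
         is exactly the "universal match pattern ('/**') is defined before
         other patterns" error reported in the question. -->
    <security:http entry-point-ref="samlEntryPoint">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>
    ```

    Both chains share the same session-backed SecurityContext, so a user already authenticated through the default chain also satisfies IS_AUTHENTICATED_FULLY on /ecslogin.jsp without a second round trip to the IdP. The entry point only controls how an unauthenticated request is sent to the IdP; if the Level2 context must actually be enforced for that URL, the assertion's AuthnContext has to be checked in the access decision as well.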
