We are implementing the flexibility to configure OAuth, SAML, or both OAuth and SAML. We have configured the following in the SAML security context:
<security:http pattern="/oauth/authorize/**" entry-point-ref="samlEntryPoint" use-expressions="true">
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" />
    ........
    ........
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map>
        <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint" />
        <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter" />
        <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter" />
        <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter" />
        <security:filter-chain pattern="/oauth/authorize/**" filters="samlEntryPoint" />
    </security:filter-chain-map>
</bean>
There is a configurable property which determines whether SAML is enabled or disabled. How can I skip the samlEntryPoint from getting invoked when SAML is disabled? The application is always restarted when toggling SAML, so I don't have to consider the use case of switching it on/off while the application is running.
Any help is appreciated.
How can I skip the samlEntryPoint from getting invoked when SAML is disabled?
To have various authentication schemes, you can use Spring profiles and write separate security context files. This is how you do it:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Spring Security configuration for SAML only authentication -->
    <beans profile="auth-saml">
        <import resource="security/applicationContext-security-saml.xml" />
    </beans>

    <!-- Spring Security configuration for OAUTH only authentication -->
    <beans profile="auth-oauth">
        <import resource="security/applicationContext-security-oauth.xml" />
    </beans>

    <!-- Spring Security configuration for SAML+OAUTH authentication -->
    <beans profile="auth-saml-oauth">
        <import resource="security/applicationContext-security-saml-oauth.xml" />
    </beans>

</beans>
Then you choose the active Spring profile with the environment variable spring.profiles.active with value corresponding to the profile attribute value (either auth-saml, auth-oauth or auth-saml-oauth).
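
One way to drive the profile choice above from the existing on/off property instead of setting spring.profiles.active by hand, as an added example that is not part of the original answer. The class name and the property keys auth.saml.enabled and auth.oauth.enabled are hypothetical, and the properties are assumed to reach the Spring Environment as JVM system properties, OS environment variables or servlet context parameters.

```java
import org.springframework.context.ApplicationContextInitializer;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.env.ConfigurableEnvironment;

// Added example: maps two boolean properties to exactly one of the
// answer's profiles before the XML bean definitions are loaded.
public class AuthProfileInitializer
        implements ApplicationContextInitializer<ConfigurableApplicationContext> {

    static final String SAML_ENABLED = "auth.saml.enabled";   // hypothetical key
    static final String OAUTH_ENABLED = "auth.oauth.enabled"; // hypothetical key

    @Override
    public void initialize(ConfigurableApplicationContext ctx) {
        ConfigurableEnvironment env = ctx.getEnvironment();
        boolean saml = env.getProperty(SAML_ENABLED, Boolean.class, false);
        boolean oauth = env.getProperty(OAUTH_ENABLED, Boolean.class, false);
        String profile = resolveProfile(saml, oauth);

        // Refuse a conflicting auth-* profile set elsewhere, so two security
        // contexts are never imported into the same application context.
        for (String active : env.getActiveProfiles()) {
            if (active.startsWith("auth-") && !active.equals(profile)) {
                throw new IllegalStateException(
                        "Conflicting auth profile already active: " + active);
            }
        }
        env.addActiveProfile(profile); // keeps unrelated profiles intact
    }

    // Pure decision function: one profile name per valid combination.
    static String resolveProfile(boolean saml, boolean oauth) {
        if (saml && oauth) return "auth-saml-oauth";
        if (saml) return "auth-saml";
        if (oauth) return "auth-oauth";
        // Fail closed: with no auth profile active, none of the three
        // security context imports in the XML above would be loaded.
        throw new IllegalStateException(
                "No authentication scheme enabled; refusing to start");
    }
}
```

In a web.xml deployment the class is registered through the contextInitializerClasses context parameter. Properties that are only loaded by a placeholder configurer inside the context are not visible to the Environment at this point.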