
filteringAuth

Jim Potter edited this page Dec 14, 2021 · 4 revisions

Filtering access

In federated SAML (as used by education federations) there is a convention to release specific values of eduPersonEntitlement as a licensing signal. The test IdP releases eduPersonEntitlement == "lib"; we can use that value to assign an authority to the user and so grant access:

SAMLSecurityconfig.java:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .saml2Login(settings)                                           // Customizer bean, see Saml2LoginSettings below
                .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class) // your own filter, run before the SSO filter
                .antMatcher("/**")                                          // this HttpSecurity applies to every request
            .authorizeRequests()
                .antMatchers("/attributes").hasAuthority("ADMIN")           // plain authority, not hasRole() (no ROLE_ prefix)
                .anyRequest().authenticated();
    }
  • a user needs the ADMIN authority to reach /attributes; every other URL only requires a logged-in user
  • the authorities are assigned inside saml2Login(settings), i.e. by the Saml2LoginSettings customizer

SAML2LoginSettings.java:

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer;
import org.springframework.security.core.AuthenticatedPrincipal;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
class Saml2LoginSettings implements Customizer<Saml2LoginConfigurer<HttpSecurity>> {
    @Override
    public void customize(Saml2LoginConfigurer<HttpSecurity> t) {
        // wrap the default success handler: it runs after the SAML response has been validated
        t.successHandler(new SavedRequestAwareAuthenticationSuccessHandler() {
            @Override
            public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                    Authentication authentication) throws IOException, ServletException {

                // rewrite the Authentication before the redirect to the originally requested page
                authentication = assignAuthorities(authentication, request);
                super.onAuthenticationSuccess(request, response, authentication);
            }
        });
    }
    // assignAuthorities(...) and the class's closing brace follow below

The rewrite is a bit involved: the authorities are held in the Authentication but are read only (getAuthorities() returns an unmodifiable collection and there is no setter), so we have to jump through some hoops. SAML2LoginSettings.java, continued:

  • create the new authority ("ADMIN" in this case)
  • add it and the existing authorities to a new collection
  • create a new Saml2Authentication from bits of the original Saml2Authentication, replacing the list of authorities
  • tell the relevant places (the SecurityContext and the success handler) about the new Authentication
    private Saml2Authentication assignAuthorities(Authentication authentication, HttpServletRequest request) {
        // the filter has already validated the response, so this is the Saml2Authentication it produced
        Saml2Authentication sAuth = (Saml2Authentication) authentication;

        // getAuthorities() is read only: build a new list with the new authority plus the old ones
        SimpleGrantedAuthority authority = new SimpleGrantedAuthority("ADMIN");
        List<GrantedAuthority> updatedAuthorities = new ArrayList<>();
        updatedAuthorities.add(authority);
        updatedAuthorities.addAll(sAuth.getAuthorities());

        // Saml2Authentication has no setter either, so rebuild it from the original principal
        // and SAML response, with the new authority list
        sAuth = new Saml2Authentication(
                (AuthenticatedPrincipal) sAuth.getPrincipal(),
                sAuth.getSaml2Response(),
                updatedAuthorities
        );
        // the filter stored the original Authentication in the context before calling us; replace it
        SecurityContextHolder.getContext().setAuthentication(sAuth);

        return sAuth;
    }
}

As written this grants ADMIN to every user who logs in through the IdP. If you want conditional authorities based on assertion attributes (for example only when eduPersonEntitlement contains "lib"), add the conditionals in assignAuthorities: the released attributes are available from the Saml2AuthenticatedPrincipal that getPrincipal() returns.
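The conditional version described above, written out as an added example (this is not the wiki's own code). It keeps the success-handler approach from the page but only adds ADMIN when the IdP released eduPersonEntitlement with the value "lib". Assumptions: Spring Security 5.4 or later (Saml2AuthenticatedPrincipal.getAttribute), and that the test IdP releases eduPersonEntitlement under its urn:oid name; the class name EntitlementSaml2LoginSettings and the constant names are made up for the example.

```java
// Added example, not from the wiki. Grants ADMIN only to users whose SAML assertion
// carried eduPersonEntitlement == "lib"; everyone else keeps the default authorities.
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
class EntitlementSaml2LoginSettings implements Customizer<Saml2LoginConfigurer<HttpSecurity>> {

    // ASSUMPTION: the IdP releases eduPersonEntitlement under its OID name. Check your IdP's
    // attribute-release configuration (or dump principal.getAttributes()) and adjust.
    static final String ENTITLEMENT_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7";
    static final String LIB_ENTITLEMENT = "lib";   // the value the test IdP releases
    static final GrantedAuthority ADMIN = new SimpleGrantedAuthority("ADMIN");

    @Override
    public void customize(Saml2LoginConfigurer<HttpSecurity> t) {
        t.successHandler(new SavedRequestAwareAuthenticationSuccessHandler() {
            @Override
            public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                    Authentication authentication) throws IOException, ServletException {
                Authentication updated = assignAuthorities(authentication);
                // the SSO filter already stored the original Authentication; replace it so the
                // session (and hasAuthority("ADMIN") on later requests) sees the new authorities
                SecurityContextHolder.getContext().setAuthentication(updated);
                super.onAuthenticationSuccess(request, response, updated);
            }
        });
    }

    // Package-private and static so it can be unit-tested with a hand-built Saml2Authentication.
    static Authentication assignAuthorities(Authentication authentication) {
        if (!(authentication instanceof Saml2Authentication)) {
            return authentication;   // not a SAML login (e.g. another mechanism); leave untouched
        }
        Saml2Authentication saml = (Saml2Authentication) authentication;
        Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) saml.getPrincipal();

        // getAttribute() returns null when the IdP released nothing under that name
        List<Object> entitlements = principal.getAttribute(ENTITLEMENT_ATTR);
        if (entitlements == null) {
            entitlements = Collections.emptyList();
        }
        // exact match on the whole value: entitlements are usually URIs, so never substring-match
        boolean licensed = entitlements.stream()
                .anyMatch(v -> LIB_ENTITLEMENT.equals(String.valueOf(v)));

        // getAuthorities() is unmodifiable, so copy it and rebuild the Saml2Authentication
        List<GrantedAuthority> updated = new ArrayList<>(saml.getAuthorities());
        if (licensed && !updated.contains(ADMIN)) {
            updated.add(ADMIN);
        }
        return new Saml2Authentication(principal, saml.getSaml2Response(), updated);
    }
}
```

The matching is deliberately an exact comparison of the full attribute value: in real federations eduPersonEntitlement values are URIs, and a substring or prefix check would let an unrelated entitlement unlock /attributes. Spring Security 5.4+ also lets you do this mapping earlier, in OpenSaml4AuthenticationProvider.setResponseAuthenticationConverter(...), which builds the Authentication with the right authorities in the first place and avoids replacing it in the success handler; the hasAuthority("ADMIN") rule in the HttpSecurity config stays the same either way.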
