Ways to toggle spring security SAML on and off

3
votes

I have a pretty standard implementation of spring security saml into my application in addition to other authentication mechanisms. Out of the box SAML will not be configured but can be configured through a form, so by default SAML should be disabled. I'd like to easily be able to toggle SAML on / off but am not sure what the best way to do this would be.

It seems like one approach would be to do a custom FilterChainProxy where if I check if saml is enabled and if so to ignore the samlFilter chain(How to delete one filter from default filter stack in Spring Security?) and also do a similar implementation for the Metadata Generator Filter.

Any advice would be great.

Here is my config:

<http auto-config="false" use-expressions="true"
      access-decision-manager-ref="webAccessDecisionManager"
      disable-url-rewriting="false"
      create-session="never"
      authentication-manager-ref="authenticationManager">

    <custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    <custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
</http>

Metadata Generator Filter:

<beans:bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <beans:constructor-arg>
        <beans:bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <beans:property name="entityId" value="${saml.entityId}"/>
            <beans:property name="signMetadata" value="${saml.signMetadata}"/>
        </beans:bean>
    </beans:constructor-arg>
</beans:bean>

Saml Filter:

<beans:bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <filter-chain-map request-matcher="ant">
        <filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
        <filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
        <filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
        <filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
        <filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
        <filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
        <filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
    </filter-chain-map>
</beans:bean>

EDIT: Here is my implementation, it is a bit hackish and relies on a deprecated method but it works

The below snippet disables MetadataGeneratorFilter:

public class MyMetadataGeneratorFilter extends MetadataGeneratorFilter {

    private boolean isActive = false;

    public MyMetadataGeneratorFilter(MetadataGenerator generator) {
        super(generator);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isActive) {
            processMetadataInitialization((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    public void setActive(boolean active) {
        isActive = active;
    }
}

There is also the samlFilter / FilterChainMap which is autowired. If saml is enabled, I leave this chain as is, if it is disabled, I set the chain to an empty map in my service which enables / disables saml.

Upon initialization, I get the filterchainmap values:

private Map<RequestMatcher, List<Filter>> map;

@Override
public void init() throws ServiceException, MetadataProviderException {

    SamlConfig samlConfig = getConfig();
    map = samlFilter.getFilterChainMap();

    applySamlConfig(samlConfig);

}

In the below method, I set the filter chain map to either the original map provided in the spring xml(if enabled) or an empty map (if disabled).

public void applySamlConfig(SamlConfig samlConfig) throws ServiceException, MetadataProviderException {


    if (!samlConfig.isEnabled()) {
        Map<RequestMatcher, List<Filter>> emptyMap = samlFilter.getFilterChainMap();
        emptyMap.clear();
        samlFilter.setFilterChainMap(emptyMap);
        return;
    }

    samlFilter.setFilterChainMap(map);
3
spring-securityspring-saml
Are you planning to do this on a live application or you can afford to change the settings and restart the server?dharam
@dharam, Ideally you don't have to restart but having to restart would be acceptable.TheTurkish
@TheTurkish. Did you resolved this issue? Now i want the same behavior what you are expecting but i am using annotation instead of xml could you please let me know how you resolved this issue?VelNaga

3 Answers

2
votes

i added a custom filter in the entry-point-ref definition. This filter skips all following filters if the feature is not enabled.

<security:http entry-point-ref="samlEntryPoint">
  <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
  <!-- This filter checks if the SSO-Feature is enabled - otherwise all following security filters will be skipped -->
  <security:custom-filter before="BASIC_AUTH_FILTER" ref="ssoEnabledFilter"/>
  <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" />
  <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter" />

The ssoEnabledFilter:

    public class SsoEnabledFilter extends GenericFilterBean {

    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain filterChain) throws IOException, ServletException {
        boolean ssoEnabled = isSsoEnabled();

        if (ssoEnabled) {
            filterChain.doFilter(request, response);
        } else {
            request.getRequestDispatcher(((HttpServletRequest) request).getServletPath()).forward(request, response);
        }
      }
   }
1
votes

So far I've been implementing this using a custom Spring namespace which includes or skips certain beans based on the backend configuration and reloading of the Spring context in case the backend configuration changes.

1
votes

Edit : fixed error signaled by TheTurkish

If you want to be able to switch the use of SAML on a running application, the simpler would be to use a wrapper around samlFilter. For example

public class FilterWrapper extends GenericFilterBean {

    private Filter inner;
    private boolean active;
    private boolean targetFilterLifeCycle = false;


    public Filter getInner() {
        return inner;
    }

    public void setInner(Filter inner) {
        this.inner = inner;
    }

    public boolean isActive() {
        return active;
    }

    public void setActive(boolean active) {
        this.active = active;
    }

    @Override
    public void doFilter(ServletRequest sr, ServletResponse sr1, FilterChain fc) throws IOException, ServletException {
        if (active) {
            inner.doFilter(sr, sr1, fc);
        }
        else {
            fc.doFilter(str,sr1);
        }
    }

    @Override
    protected void initFilterBean() throws ServletException {
        super.initFilterBean();
        if (inner == null) {
            throw new ServletException("Inner cannot be null");
        }
        if (targetFilterLifeCycle) {
            inner.init(getFilterConfig());
        }
    }

    @Override
    public void destroy() {
        super.destroy();
        if (inner != null && targetFilterLifeCycle) {
            inner.destroy();
        }
    }
}

You can use it that way : 

<bean id="samlFilter" class="...FilterWrapper" p:active="false">
    <property name=inner>
        <!-- the real samlFilter bean -->
        <bean class="org.springframework.security.web.FilterChainProxy">
        ...
        </bean>
    </property>
</bean>

As it is a bean, you inject it where you want to activate/deactivate Saml and simple call :

samlFilter.setActive(active);