ulisesbocchio / spring-boot-security-saml

spring-security-saml integration with Spring Boot
MIT License

SAMLServiceProviderSecurityConfiguration default ordering #87

Closed Limfaylay closed 4 years ago

Limfaylay commented 4 years ago

Hi there!

I'm trying to implement multiple authentication strategies in a single microservice. I have separate files / functions to help me manage the possible paths for securing my endpoints with different auth methods.

I'm making use of @Order, but have noticed that the default (and unchangeable) order when making use of ServiceProviderConfigurerAdapter is -17. I can force the functionality that I need by introducing numbers lower than -17, but it starts to look like I'm introducing magic numbers in the code, and I'm also afraid that this may have some unexpected side-effect when using this class.

Is there any reason for choosing this number in specific, and is there any way to make this a parameter we can edit?

Thanks, Matt

ulisesbocchio commented 4 years ago

Number -17 is in SAMLWebSecurityConfigurer. That's just an arbitrary number that allows the SAML config to load properly in the Spring context. If I had used Ordered.HIGHEST_PRECEDENCE you wouldn't be able to plug in your stuff, and if I had used Ordered.LOWEST_PRECEDENCE this plugin wouldn't work. So... you have to choose something in between. I don't know of any way of setting the number through config, since getOrder goes in Configuration classes either by implementing Ordered or by adding the @Order annotation. That said, I think it would be interesting if Spring had some sort of way to override this order in a simple manner: if, for instance, each plugin could annotate its config with a plugin name and a default order, you could then re-arrange by that name in your app as you please. But for something like this to work with everything out there you'd need widespread support. A poor man's version of that could potentially work if you:

  1. suppress all auto-configuration for the security plugins you use
  2. create new configuration classes that directly @Import the auto-configuration, defining a new Order in your new configuration class.

For security alone you could do something similar with WebSecurityConfigurerAdapter (look at the usage of SAMLConfigurerBean)

Limfaylay commented 4 years ago

I see now, thank you!

On the note of the usage of SAMLConfigurerBean, I would suggest that you add the code block that prevents the infinite loop auth error to the README documentation.

```java
@Override
protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    // Detach this adapter's local AuthenticationManager from the global (parent)
    // manager so the two do not delegate to each other in a loop.
    auth.parentAuthenticationManager(null);
}
```

Overall a great library! Thanks so much.
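The pattern discussed above (an explicit @Order relative to the SAML adapter's fixed -17, as Limfaylay describes, together with the `parentAuthenticationManager(null)` line from the previous comment) as an added example; this is not code from the thread or from spring-boot-security-saml. Class names, the `/api/internal/**` path and the in-memory user are invented. The point a reviewer would check is that each extra `WebSecurityConfigurerAdapter` is scoped with `antMatcher(...)` so a request is handled by exactly one filter chain; an unscoped chain with a lower order value than -17 would capture every request before the SAML chain ever sees it.

```java
// Added example: named ordering relative to the library's fixed SAML order,
// one path-scoped chain in front of it, and a detached local AuthenticationManager.
// Not project code; SAML = -17 is taken from the maintainer's comment in issue #87.
package com.example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

/** Single place that documents the relationship to the plugin's fixed order. */
final class ChainOrder {
    /** Order used by SAMLWebSecurityConfigurer in spring-boot-security-saml (per issue #87). */
    static final int SAML = -17;
    /** Lower value = consulted earlier, so this chain is tried before the SAML chain. */
    static final int API_KEY = SAML - 10;

    private ChainOrder() {
    }
}

/** Machine-to-machine endpoints: HTTP Basic only, never a SAML redirect. */
@Configuration
@Order(ChainOrder.API_KEY)
class ApiKeySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Restrict this chain to one path prefix; everything else falls through
            // to the later (SAML) chain instead of being swallowed here.
            .antMatcher("/api/internal/**")
            .authorizeRequests().anyRequest().hasRole("SERVICE")
            .and().httpBasic()
            .and().csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Local users for this chain only. Detaching from the global parent manager
        // keeps this chain from falling through to, or looping with, the SAML chain's
        // AuthenticationManager (the fix Limfaylay proposes for the README).
        auth.parentAuthenticationManager(null);
        auth.inMemoryAuthentication()
            .withUser("reporting-service")                       // constructed sample user
            .password("{noop}replace-with-a-managed-secret")   // placeholder, not a real credential
            .roles("SERVICE");
    }
}
```

The constant in `ChainOrder` is the only place that knows about -17; if a later release of the plugin changes its order, one edit keeps every chain's position correct.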