对于最新的稳定版本,请使用 Spring Boot 3.4.0spring-doc.cn

Spring Security

如果 Spring Security 在 Classpath 上,则默认情况下 Web 应用程序是安全的。 Spring Boot 依赖于 Spring Security 的内容协商策略来确定是使用 or 。 要向 Web 应用程序添加方法级安全性,您还可以使用所需设置添加 @EnableGlobalMethodSecurity。 其他信息可以在 Spring Security Reference Guide 中找到。httpBasicformLoginspring-doc.cn

默认的 UserDetailsService 只有一个用户。 用户名为 ,密码是随机的,在应用程序启动时以 WARN 级别打印,如以下示例所示:userspring-doc.cn

Using generated security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35

This generated password is for development use only. Your security configuration must be updated before running your application in production.
如果您微调日志记录配置,请确保将 category 设置为 log -level messages。 否则,不会打印默认密码。org.springframework.boot.autoconfigure.securityWARN

您可以通过提供 和 来更改用户名和密码。spring.security.user.namespring.security.user.passwordspring-doc.cn

默认情况下,您在 Web 应用程序中获得的基本功能包括:spring-doc.cn

你可以通过为其添加 Bean 来提供不同的AuthenticationEventPublisherspring-doc.cn

MVC 安全性

默认安全配置在 SecurityAutoConfigurationUserDetailsServiceAutoConfiguration 中实现。SecurityAutoConfiguration 用于 Web 安全导入,UserDetailsServiceAutoConfiguration 配置身份验证,这在非 Web 应用程序中也相关。SpringBootWebSecurityConfigurationspring-doc.cn

要完全关闭默认的 Web 应用程序安全配置,包括 Actuator 安全性,或组合多个 Spring Security 组件,例如 OAuth2 客户端和资源服务器,请添加类型为SecurityFilterChain的 bean(这样做不会禁用UserDetailsService配置)。 要同时关闭UserDetailsService配置,请添加UserDetailsServiceAuthenticationProviderAuthenticationManager类型的 Bean。spring-doc.cn

UserDetailsService的自动配置还将退出 Classpath 上的以下任何 Spring Security 模块:spring-doc.cn

除了这些依赖项中的一个或多个之外,还要使用 UserDetailsService,请定义你自己的 InMemoryUserDetailsManager Bean。spring-doc.cn

可以通过添加自定义 SecurityFilterChain bean 来覆盖访问规则。 Spring Boot 提供了方便的方法,可用于覆盖 actuator endpoints 和 static 资源的访问规则。EndpointRequest 可用于创建基于该属性的 RequestMatcherPathRequest 可用于为常用位置中的资源创建 RequestMatchermanagement.endpoints.web.base-pathspring-doc.cn

WebFlux 安全性

与 Spring MVC 应用程序类似,您可以通过添加依赖项来保护 WebFlux 应用程序。 默认安全配置在 ReactiveSecurityAutoConfigurationUserDetailsServiceAutoConfiguration 中实现。ReactiveSecurityAutoConfiguration 导入用于 Web 安全,UserDetailsServiceAutoConfiguration 配置身份验证,这在非 Web 应用程序中也相关。spring-boot-starter-securityWebFluxSecurityConfigurationspring-doc.cn

要完全关闭默认的 Web 应用程序安全配置,包括 Actuator 安全配置,请添加WebFilterChainProxy类型的 Bean(这样做不会禁用UserDetailsService配置)。 要同时关闭UserDetailsService配置,请添加ReactiveUserDetailsServiceReactiveAuthenticationManager类型的 Bean。spring-doc.cn

当以下任何 Spring Security 模块位于 Classpath 上时,自动配置也将退缩:spring-doc.cn

除了这些依赖项中的一个或多个之外,要使用ReactiveUserDetailsService,请定义你自己的MapReactiveUserDetailsService Bean。spring-doc.cn

可以通过添加自定义SecurityWebFilterChain bean 来配置访问规则和多个 Spring Security 组件(例如 OAuth 2 客户端和资源服务器)的使用。 Spring Boot 提供了方便的方法,可用于覆盖 actuator endpoints 和 static 资源的访问规则。EndpointRequest 可用于创建基于该属性的 ServerWebExchangeMatchermanagement.endpoints.web.base-pathspring-doc.cn

PathRequest 可用于为常用位置中的资源创建 ServerWebExchangeMatcherspring-doc.cn

例如,您可以通过添加如下内容来自定义您的安全配置:spring-doc.cn

import org.springframework.boot.autoconfigure.security.reactive.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration(proxyBeanMethods = false)
public class MyWebFluxSecurityConfiguration {

	@Bean
	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
		http.authorizeExchange((exchange) -> {
			exchange.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll();
			exchange.pathMatchers("/foo", "/bar").authenticated();
		});
		http.formLogin(withDefaults());
		return http.build();
	}

}
import org.springframework.boot.autoconfigure.security.reactive.PathRequest
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.Customizer.withDefaults
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain

@Configuration(proxyBeanMethods = false)
class MyWebFluxSecurityConfiguration {

	@Bean
	fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
		http.authorizeExchange { spec ->
			spec.matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
			spec.pathMatchers("/foo", "/bar").authenticated()
		}
		http.formLogin(withDefaults())
		return http.build()
	}

}

OAuth2

OAuth2 是 Spring 支持的广泛使用的授权框架。spring-doc.cn

客户端

如果您在 Classpath 上,则可以利用一些自动配置来设置 OAuth2/Open ID Connect 客户端。 此配置使用 OAuth2ClientProperties 下的属性。 相同的属性适用于 servlet 和 reactive 应用程序。spring-security-oauth2-clientspring-doc.cn

您可以在前缀下注册多个 OAuth2 客户端和提供程序,如以下示例所示:spring.security.oauth2.clientspring-doc.cn

spring.security.oauth2.client.registration.my-login-client.client-id=abcd
spring.security.oauth2.client.registration.my-login-client.client-secret=password
spring.security.oauth2.client.registration.my-login-client.client-name=Client for OpenID Connect
spring.security.oauth2.client.registration.my-login-client.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-login-client.scope=openid,profile,email,phone,address
spring.security.oauth2.client.registration.my-login-client.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.my-login-client.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-login-client.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.my-client-1.client-id=abcd
spring.security.oauth2.client.registration.my-client-1.client-secret=password
spring.security.oauth2.client.registration.my-client-1.client-name=Client for user scope
spring.security.oauth2.client.registration.my-client-1.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-1.scope=user
spring.security.oauth2.client.registration.my-client-1.redirect-uri={baseUrl}/authorized/user
spring.security.oauth2.client.registration.my-client-1.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-client-1.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.my-client-2.client-secret=password
spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-2.scope=email
spring.security.oauth2.client.registration.my-client-2.redirect-uri={baseUrl}/authorized/email
spring.security.oauth2.client.registration.my-client-2.client-authentication-method=client_secret_basic
spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=https://my-auth-server.com/oauth2/authorize
spring.security.oauth2.client.provider.my-oauth-provider.token-uri=https://my-auth-server.com/oauth2/token
spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=https://my-auth-server.com/userinfo
spring.security.oauth2.client.provider.my-oauth-provider.user-info-authentication-method=header
spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=https://my-auth-server.com/oauth2/jwks
spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=name
spring:
  security:
    oauth2:
      client:
        registration:
          my-login-client:
            client-id: "abcd"
            client-secret: "password"
            client-name: "Client for OpenID Connect"
            provider: "my-oauth-provider"
            scope: "openid,profile,email,phone,address"
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            client-authentication-method: "client_secret_basic"
            authorization-grant-type: "authorization_code"

          my-client-1:
            client-id: "abcd"
            client-secret: "password"
            client-name: "Client for user scope"
            provider: "my-oauth-provider"
            scope: "user"
            redirect-uri: "{baseUrl}/authorized/user"
            client-authentication-method: "client_secret_basic"
            authorization-grant-type: "authorization_code"

          my-client-2:
            client-id: "abcd"
            client-secret: "password"
            client-name: "Client for email scope"
            provider: "my-oauth-provider"
            scope: "email"
            redirect-uri: "{baseUrl}/authorized/email"
            client-authentication-method: "client_secret_basic"
            authorization-grant-type: "authorization_code"

        provider:
          my-oauth-provider:
            authorization-uri: "https://my-auth-server.com/oauth2/authorize"
            token-uri: "https://my-auth-server.com/oauth2/token"
            user-info-uri: "https://my-auth-server.com/userinfo"
            user-info-authentication-method: "header"
            jwk-set-uri: "https://my-auth-server.com/oauth2/jwks"
            user-name-attribute: "name"

对于支持 OpenID Connect 发现的 OpenID Connect 提供商,可以进一步简化配置。 提供程序需要配置一个 which ,这是它断言为其颁发者标识符的 URI。 例如,如果提供的是 “https://example.com”,则将向 “https://example.com/.well-known/openid-configuration” 发出“OpenID 提供程序配置请求”。 结果应为“OpenID Provider Configuration Response”。 以下示例显示了如何使用 OpenID Connect 提供程序配置:issuer-uriissuer-uriissuer-urispring-doc.cn

spring.security.oauth2.client.provider.oidc-provider.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/
spring:
  security:
    oauth2:
      client:
        provider:
          oidc-provider:
            issuer-uri: "https://dev-123456.oktapreview.com/oauth2/default/"

默认情况下,Spring Security 的 OAuth2LoginAuthenticationFilter 仅处理匹配 URL 的 URL。 如果要自定义 以使用不同的模式,则需要提供配置来处理该自定义模式。 例如,对于 servlet 应用程序,您可以添加自己的SecurityFilterChain,如下所示:/login/oauth2/code/*redirect-urispring-doc.cn

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
public class MyOAuthClientConfiguration {

	@Bean
	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
		http
			.authorizeHttpRequests((requests) -> requests
				.anyRequest().authenticated()
			)
			.oauth2Login((login) -> login
				.redirectionEndpoint((endpoint) -> endpoint
					.baseUri("/login/oauth2/callback/*")
				)
			);
		return http.build();
	}

}
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
open class MyOAuthClientConfiguration {

	@Bean
	open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
		http {
			authorizeHttpRequests {
				authorize(anyRequest, authenticated)
			}
			oauth2Login {
				redirectionEndpoint {
					baseUri = "/login/oauth2/callback/*"
				}
			}
		}
		return http.build()
	}

}
Spring Boot 自动配置InMemoryOAuth2AuthorizedClientService,Spring Security 使用它来管理客户端注册。 InMemoryOAuth2AuthorizedClientService 的功能有限,我们建议仅将其用于开发环境。 对于生产环境,请考虑使用 JdbcOAuth2AuthorizedClientService 或创建自己的 OAuth2AuthorizedClientService 实现。

常见提供商的 OAuth2 客户端注册

对于常见的 OAuth2 和 OpenID 提供商,包括 Google、Github、Facebook 和 Okta,我们提供了一组提供商默认值(分别为、、、 和 )。googlegithubfacebookoktaspring-doc.cn

如果您不需要自定义这些提供程序,则可以将该属性设置为需要推断 defaults 的属性。 此外,如果 Client 端注册的密钥与默认支持的提供程序匹配,则 Spring Boot 也会推断这一点。providerspring-doc.cn

换句话说,以下示例中的两个配置使用 Google 提供程序:spring-doc.cn

spring.security.oauth2.client.registration.my-client.client-id=abcd
spring.security.oauth2.client.registration.my-client.client-secret=password
spring.security.oauth2.client.registration.my-client.provider=google
spring.security.oauth2.client.registration.google.client-id=abcd
spring.security.oauth2.client.registration.google.client-secret=password
spring:
  security:
    oauth2:
      client:
        registration:
          my-client:
            client-id: "abcd"
            client-secret: "password"
            provider: "google"
          google:
            client-id: "abcd"
            client-secret: "password"

资源服务器

如果你在 Classpath 上,Spring Boot 可以设置一个 OAuth2 资源服务器。 对于 JWT 配置,需要指定 JWK Set URI 或 OIDC Issuer URI,如以下示例所示:spring-security-oauth2-resource-serverspring-doc.cn

spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://example.com/oauth2/default/v1/keys
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: "https://example.com/oauth2/default/v1/keys"
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: "https://dev-123456.oktapreview.com/oauth2/default/"
如果授权服务器不支持 JWK 集 URI,则可以使用用于验证 JWT 签名的公钥来配置资源服务器。 这可以使用 property 来完成,其中值需要指向包含 PEM 编码的 x509 格式的公钥的文件。spring.security.oauth2.resourceserver.jwt.public-key-location

该属性可用于指定 JWT 中 aud 声明的预期值。 例如,要求 JWT 包含值为 :spring.security.oauth2.resourceserver.jwt.audiencesmy-audiencespring-doc.cn

spring.security.oauth2.resourceserver.jwt.audiences[0]=my-audience
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          audiences:
            - "my-audience"

相同的属性适用于 servlet 和响应式应用程序。 或者,您可以为 servlet 应用程序定义自己的 JwtDecoder bean,或者为响应式应用程序定义 ReactiveJwtDecoderspring-doc.cn

如果使用不透明令牌而不是 JWT,您可以配置以下属性以通过自省验证令牌:spring-doc.cn

spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://example.com/check-token
spring.security.oauth2.resourceserver.opaquetoken.client-id=my-client-id
spring.security.oauth2.resourceserver.opaquetoken.client-secret=my-client-secret
spring:
  security:
    oauth2:
      resourceserver:
        opaquetoken:
          introspection-uri: "https://example.com/check-token"
          client-id: "my-client-id"
          client-secret: "my-client-secret"

同样,相同的属性适用于 servlet 和 reactive 应用程序。 或者,您可以为 servlet 应用程序定义自己的 OpaqueTokenIntrospector bean,或者为响应式应用程序定义 ReactiveOpaqueTokenIntrospectorspring-doc.cn

授权服务器

如果你在 Classpath 上,你可以利用一些自动配置来设置基于 Servlet 的 OAuth2 授权服务器。spring-security-oauth2-authorization-serverspring-doc.cn

您可以在前缀下注册多个 OAuth2 客户端,如以下示例所示:spring.security.oauth2.authorizationserver.clientspring-doc.cn

spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-id=abcd
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-secret={noop}secret1
spring.security.oauth2.authorizationserver.client.my-client-1.registration.client-authentication-methods[0]=client_secret_basic
spring.security.oauth2.authorizationserver.client.my-client-1.registration.authorization-grant-types[0]=authorization_code
spring.security.oauth2.authorizationserver.client.my-client-1.registration.authorization-grant-types[1]=refresh_token
spring.security.oauth2.authorizationserver.client.my-client-1.registration.redirect-uris[0]=https://my-client-1.com/login/oauth2/code/abcd
spring.security.oauth2.authorizationserver.client.my-client-1.registration.redirect-uris[1]=https://my-client-1.com/authorized
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[0]=openid
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[1]=profile
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[2]=email
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[3]=phone
spring.security.oauth2.authorizationserver.client.my-client-1.registration.scopes[4]=address
spring.security.oauth2.authorizationserver.client.my-client-1.require-authorization-consent=true
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-id=efgh
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-secret={noop}secret2
spring.security.oauth2.authorizationserver.client.my-client-2.registration.client-authentication-methods[0]=client_secret_jwt
spring.security.oauth2.authorizationserver.client.my-client-2.registration.authorization-grant-types[0]=client_credentials
spring.security.oauth2.authorizationserver.client.my-client-2.registration.scopes[0]=user.read
spring.security.oauth2.authorizationserver.client.my-client-2.registration.scopes[1]=user.write
spring.security.oauth2.authorizationserver.client.my-client-2.jwk-set-uri=https://my-client-2.com/jwks
spring.security.oauth2.authorizationserver.client.my-client-2.token-endpoint-authentication-signing-algorithm=RS256
spring:
  security:
    oauth2:
      authorizationserver:
        client:
          my-client-1:
            registration:
              client-id: "abcd"
              client-secret: "{noop}secret1"
              client-authentication-methods:
                - "client_secret_basic"
              authorization-grant-types:
                - "authorization_code"
                - "refresh_token"
              redirect-uris:
                - "https://my-client-1.com/login/oauth2/code/abcd"
                - "https://my-client-1.com/authorized"
              scopes:
                - "openid"
                - "profile"
                - "email"
                - "phone"
                - "address"
            require-authorization-consent: true
          my-client-2:
            registration:
              client-id: "efgh"
              client-secret: "{noop}secret2"
              client-authentication-methods:
                - "client_secret_jwt"
              authorization-grant-types:
                - "client_credentials"
              scopes:
                - "user.read"
                - "user.write"
            jwk-set-uri: "https://my-client-2.com/jwks"
            token-endpoint-authentication-signing-algorithm: "RS256"
该属性必须采用可由配置的 PasswordEncoder 匹配的格式。 PasswordEncoder 的默认实例是通过 .client-secretPasswordEncoderFactories.createDelegatingPasswordEncoder()

Spring Boot 为 Spring Authorization Server 提供的自动配置旨在快速入门。 大多数应用程序都需要定制,并且希望定义多个 bean 以覆盖自动配置。spring-doc.cn

可以将以下组件定义为 bean 以覆盖特定于 Spring Authorization Server 的自动配置:spring-doc.cn

Spring Boot 自动配置InMemoryRegisteredClientRepository,Spring 授权服务器使用它来管理已注册的客户端。 InMemoryRegisteredClientRepository 的功能有限,我们建议仅将其用于开发环境。 对于 生产环境,请考虑使用JdbcRegisteredClientRepository或创建自己的RegisteredClientRepository实现。

其他信息可以在 Spring Authorization Server Reference GuideGetting Started 章节中找到。spring-doc.cn

SAML 2.0 版本

依赖方

如果您在 Classpath 上,则可以利用一些自动配置来设置 SAML 2.0 依赖方。 此配置使用 Saml2RelyingPartyProperties 下的属性。spring-security-saml2-service-providerspring-doc.cn

信赖方注册表示身份提供程序 (IDP) 和服务提供商 (SP) 之间的配对配置。 您可以在前缀下注册多个信赖方,如以下示例所示:spring.security.saml2.relyingpartyspring-doc.cn

spring.security.saml2.relyingparty.registration.my-relying-party1.signing.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party1.signing.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party1.decryption.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party1.decryption.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.url=https://myapp/logout/saml2/slo
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.response-url=https://remoteidp2.slo.url
spring.security.saml2.relyingparty.registration.my-relying-party1.singlelogout.binding=POST
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.verification.credentials[0].certificate-location=path-to-verification-cert
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.entity-id=remote-idp-entity-id1
spring.security.saml2.relyingparty.registration.my-relying-party1.assertingparty.sso-url=https://remoteidp1.sso.url
spring.security.saml2.relyingparty.registration.my-relying-party2.signing.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party2.signing.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party2.decryption.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party2.decryption.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.verification.credentials[0].certificate-location=path-to-other-verification-cert
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.entity-id=remote-idp-entity-id2
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.sso-url=https://remoteidp2.sso.url
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.url=https://remoteidp2.slo.url
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.response-url=https://myapp/logout/saml2/slo
spring.security.saml2.relyingparty.registration.my-relying-party2.assertingparty.singlelogout.binding=POST
spring:
  security:
    saml2:
      relyingparty:
        registration:
          my-relying-party1:
            signing:
              credentials:
              - private-key-location: "path-to-private-key"
                certificate-location: "path-to-certificate"
            decryption:
              credentials:
              - private-key-location: "path-to-private-key"
                certificate-location: "path-to-certificate"
            singlelogout:
               url: "https://myapp/logout/saml2/slo"
               response-url: "https://remoteidp2.slo.url"
               binding: "POST"
            assertingparty:
              verification:
                credentials:
                - certificate-location: "path-to-verification-cert"
              entity-id: "remote-idp-entity-id1"
              sso-url: "https://remoteidp1.sso.url"

          my-relying-party2:
            signing:
              credentials:
              - private-key-location: "path-to-private-key"
                certificate-location: "path-to-certificate"
            decryption:
              credentials:
              - private-key-location: "path-to-private-key"
                certificate-location: "path-to-certificate"
            assertingparty:
              verification:
                credentials:
                - certificate-location: "path-to-other-verification-cert"
              entity-id: "remote-idp-entity-id2"
              sso-url: "https://remoteidp2.sso.url"
              singlelogout:
                url: "https://remoteidp2.slo.url"
                response-url: "https://myapp/logout/saml2/slo"
                binding: "POST"

对于 SAML2 注销,默认情况下, Spring Security 的 Saml2LogoutRequestFilterSaml2LogoutResponseFilter 仅处理匹配的 URL。 如果要自定义 AP 发起的注销请求发送到的收件人或 AP 向其发送注销响应的收件人,以使用不同的模式,则需要提供配置来处理该自定义模式。 例如,对于 servlet 应用程序,您可以添加自己的SecurityFilterChain,如下所示:/logout/saml2/slourlresponse-urlspring-doc.cn

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration(proxyBeanMethods = false)
public class MySamlRelyingPartyConfiguration {

	@Bean
	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
		http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
		http.saml2Login(withDefaults());
		http.saml2Logout((saml2) -> saml2.logoutRequest((request) -> request.logoutUrl("/SLOService.saml2"))
			.logoutResponse((response) -> response.logoutUrl("/SLOService.saml2")));
		return http.build();
	}

}