I have a unique scenario that I am trying to resolve within the limitations of the Spring Security plugin (version 1.2.7.3 if it is currious). I created a custom SSO plugin that allows you to login with a signed URL. The custom plugin works fine, and I added as per the documentation, creating beans in resources.groovy and adding to the filter chain in BootStrap.groovy.
SpringSecurityUtils.clientRegisterFilter('ssoFilter', SecurityFilterPosition.SECURITY_CONTEXT_FILTER.order + 10)
Once the user has signed everything, everything works fine, and an existing active session that has been added to the security context authenticates the user.
I have a use case when it is possible that a user who has already authenticated can return to the same browser (i.e. the same session cookie) with another user at the request of SSO. I would like the filter chain to notice "sso = true" in the URL query string.
The behavior that I see now is that SSO is never achieved because the original user is already authenticated by the security context. I cannot add an SSO filter before the SecurityContextPersistenceFilter , as this causes problems where the SSO filter constantly gets in and nothing is actually displayed. This follows the documents in which I saw that you should not place filters in front of the security context filter.
I learned how to create a custom filter chain specifically for URLs with "sso = true" (something I do during a non-authenticated stream by adding a custom RequestMatcher and AuthenticationEntryPoint implementation of DelegatingAuthenticationEntryPoint ) using the springsecurity.filterChain.chainMap configuration. However, it can be seen from the documents and experiments that only the path is filtered.
Is there a way to ensure that whenever "sso = true" is displayed in the URL, that the SSO filter is hit when available in the security context, or that the SecurityContextPersistenceFilter can go through the request for the SSO filter?
Scott source share