Move Saml2 Authentication Filters

Issue gh-8819

config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java

@@ -85,15 +85,15 @@ final class FilterOrderRegistration {
 				"org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter",
 				order.next());
 		this.filterToOrder.put(
-				"org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter",
+				"org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter",
 				order.next());
 		put(X509AuthenticationFilter.class, order.next());
 		put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
 		this.filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter", order.next());
 		this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter",
 				order.next());
 		this.filterToOrder.put(
-				"org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter",
+				"org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter",
 				order.next());
 		put(UsernamePasswordAuthenticationFilter.class, order.next());
 		order.next(); // gh-8105

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -37,16 +37,16 @@
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter;
 import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.DefaultSaml2AuthenticationRequestContextResolver;
 import org.springframework.security.saml2.provider.service.web.HttpSessionSaml2AuthenticationRequestRepository;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestContextResolver;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
+import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
 import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
+import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;

config/src/main/java/org/springframework/security/config/http/Saml2LoginBeanDefinitionParser.java

@@ -39,8 +39,8 @@
 import org.springframework.security.config.Elements;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter;
+import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
+import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java

@@ -87,14 +87,14 @@
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations;
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
 import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestContextResolver;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
 import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
 import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
+import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.AuthenticationConverter;

config/src/test/kotlin/org/springframework/security/config/web/servlet/Saml2DslTests.kt

@@ -41,7 +41,7 @@ import org.springframework.security.saml2.provider.service.registration.InMemory
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository
 import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter
+import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter
 import org.springframework.test.web.servlet.MockMvc
 import org.springframework.test.web.servlet.get
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java

@@ -22,6 +22,7 @@
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.saml2.credentials.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
 import org.springframework.util.Assert;
 
 /**
@@ -44,9 +45,8 @@ public class Saml2AuthenticationToken extends AbstractAuthenticationToken {
 	 * Creates a {@link Saml2AuthenticationToken} with the provided parameters.
 	 *
 	 * Note that the given {@link RelyingPartyRegistration} should have all its templates
-	 * resolved at this point. See
-	 * {@link org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter}
-	 * for an example of performing that resolution.
+	 * resolved at this point. See {@link Saml2WebSsoAuthenticationFilter} for an example
+	 * of performing that resolution.
 	 * @param relyingPartyRegistration the resolved {@link RelyingPartyRegistration} to
 	 * use
 	 * @param saml2Response the SAML 2.0 response to authenticate
@@ -68,9 +68,8 @@ public Saml2AuthenticationToken(RelyingPartyRegistration relyingPartyRegistratio
 	 * Creates a {@link Saml2AuthenticationToken} with the provided parameters
 	 *
 	 * Note that the given {@link RelyingPartyRegistration} should have all its templates
-	 * resolved at this point. See
-	 * {@link org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter}
-	 * for an example of performing that resolution.
+	 * resolved at this point. See {@link Saml2WebSsoAuthenticationFilter} for an example
+	 * of performing that resolution.
 	 * @param relyingPartyRegistration the resolved {@link RelyingPartyRegistration} to
 	 * use
 	 * @param saml2Response the SAML 2.0 response to authenticate

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilter.java

@@ -16,130 +16,30 @@
 
 package org.springframework.security.saml2.provider.service.servlet.filter;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.saml2.core.Saml2Error;
-import org.springframework.security.saml2.core.Saml2ErrorCodes;
-import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
-import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
-import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
-import org.springframework.security.saml2.provider.service.web.HttpSessionSaml2AuthenticationRequestRepository;
-import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
-import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
-import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
-import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.AuthenticationConverter;
-import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
-import org.springframework.util.Assert;
 
 /**
  * @since 5.2
+ * @deprecated Use
+ * {@link org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter}
+ * instead
  */
-public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
-
-	public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/saml2/sso/{registrationId}";
-
-	private final AuthenticationConverter authenticationConverter;
-
-	private Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository = new HttpSessionSaml2AuthenticationRequestRepository();
+@Deprecated
+public class Saml2WebSsoAuthenticationFilter
+		extends org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter {
 
-	/**
-	 * Creates a {@code Saml2WebSsoAuthenticationFilter} authentication filter that is
-	 * configured to use the {@link #DEFAULT_FILTER_PROCESSES_URI} processing URL
-	 * @param relyingPartyRegistrationRepository - repository of configured SAML 2
-	 * entities. Required.
-	 */
 	public Saml2WebSsoAuthenticationFilter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
-		this(relyingPartyRegistrationRepository, DEFAULT_FILTER_PROCESSES_URI);
+		super(relyingPartyRegistrationRepository);
 	}
 
-	/**
-	 * Creates a {@code Saml2WebSsoAuthenticationFilter} authentication filter
-	 * @param relyingPartyRegistrationRepository - repository of configured SAML 2
-	 * entities. Required.
-	 * @param filterProcessesUrl the processing URL, must contain a {registrationId}
-	 * variable. Required.
-	 */
 	public Saml2WebSsoAuthenticationFilter(RelyingPartyRegistrationRepository relyingPartyRegistrationRepository,
 			String filterProcessesUrl) {
-		this(new Saml2AuthenticationTokenConverter(
-				(RelyingPartyRegistrationResolver) new DefaultRelyingPartyRegistrationResolver(
-						relyingPartyRegistrationRepository)),
-				filterProcessesUrl);
-		Assert.isTrue(filterProcessesUrl.contains("{registrationId}"),
-				"filterProcessesUrl must contain a {registrationId} match variable");
+		super(relyingPartyRegistrationRepository, filterProcessesUrl);
 	}
 
-	/**
-	 * Creates a {@link Saml2WebSsoAuthenticationFilter} given the provided parameters
-	 * @param authenticationConverter the strategy for converting an
-	 * {@link HttpServletRequest} into an {@link Authentication}
-	 * @param filterProcessesUrl the processing URL
-	 * @since 5.4
-	 */
 	public Saml2WebSsoAuthenticationFilter(AuthenticationConverter authenticationConverter, String filterProcessesUrl) {
-		super(filterProcessesUrl);
-		Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
-		Assert.hasText(filterProcessesUrl, "filterProcessesUrl must contain a URL pattern");
-		this.authenticationConverter = authenticationConverter;
-		setAllowSessionCreation(true);
-		setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
-	}
-
-	@Override
-	protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
-		return super.requiresAuthentication(request, response);
-	}
-
-	@Override
-	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
-			throws AuthenticationException {
-		Authentication authentication = this.authenticationConverter.convert(request);
-		if (authentication == null) {
-			Saml2Error saml2Error = new Saml2Error(Saml2ErrorCodes.RELYING_PARTY_REGISTRATION_NOT_FOUND,
-					"No relying party registration found");
-			throw new Saml2AuthenticationException(saml2Error);
-		}
-		setDetails(request, authentication);
-		this.authenticationRequestRepository.removeAuthenticationRequest(request, response);
-		return getAuthenticationManager().authenticate(authentication);
-	}
-
-	/**
-	 * Use the given {@link Saml2AuthenticationRequestRepository} to remove the saved
-	 * authentication request. If the {@link #authenticationConverter} is of the type
-	 * {@link Saml2AuthenticationTokenConverter}, the
-	 * {@link Saml2AuthenticationRequestRepository} will also be set into the
-	 * {@link #authenticationConverter}.
-	 * @param authenticationRequestRepository the
-	 * {@link Saml2AuthenticationRequestRepository} to use
-	 * @since 5.6
-	 */
-	public void setAuthenticationRequestRepository(
-			Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository) {
-		Assert.notNull(authenticationRequestRepository, "authenticationRequestRepository cannot be null");
-		this.authenticationRequestRepository = authenticationRequestRepository;
-		setAuthenticationRequestRepositoryIntoAuthenticationConverter(authenticationRequestRepository);
-	}
-
-	private void setAuthenticationRequestRepositoryIntoAuthenticationConverter(
-			Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository) {
-		if (this.authenticationConverter instanceof Saml2AuthenticationTokenConverter) {
-			Saml2AuthenticationTokenConverter authenticationTokenConverter = (Saml2AuthenticationTokenConverter) this.authenticationConverter;
-			authenticationTokenConverter.setAuthenticationRequestRepository(authenticationRequestRepository);
-		}
-	}
-
-	private void setDetails(HttpServletRequest request, Authentication authentication) {
-		if (AbstractAuthenticationToken.class.isAssignableFrom(authentication.getClass())) {
-			Object details = this.authenticationDetailsSource.buildDetails(request);
-			((AbstractAuthenticationToken) authentication).setDetails(details);
-		}
+		super(authenticationConverter, filterProcessesUrl);
 	}
 
 }