Fix parsing of GET SAML logout requests

spring-projects · Oct 16, 2023 · a884a45 · a884a45
1 parent 3422476
commit a884a45
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/...r/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolver.java b/...r/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolver.java
@@ -200,7 +200,7 @@ private Saml2LogoutRequestValidatorParameters logoutRequestByRegistration(HttpSe
 	}
 
 	private String inflateIfRequired(HttpServletRequest request, byte[] b) {
-		if (HttpMethod.GET.equals(request.getMethod())) {
+		if (HttpMethod.GET.matches(request.getMethod())) {
 			return Saml2Utils.samlInflate(b);
 		}
 		return new String(b, StandardCharsets.UTF_8);

diff --git a/...vice/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolverTests.java b/...vice/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolverTests.java
@@ -115,6 +115,21 @@ void saml2LogoutResolveWhenUnauthenticatedThenParameters() {
 		assertThat(parameters.getLogoutRequest().getSamlRequest()).isEqualTo(encoded);
 	}
 
+	@Test
+	void saml2LogoutResolveWhenUnauthenticatedGetRequestThenInflates() {
+		String registrationId = this.registration.getRegistrationId();
+		MockHttpServletRequest request = get("/logout/saml2/slo");
+		String logoutRequest = serialize(TestOpenSamlObjects.logoutRequest());
+		String encoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(logoutRequest));
+		request.setParameter(Saml2ParameterNames.SAML_REQUEST, encoded);
+		given(this.registrations.findUniqueByAssertingPartyEntityId(TestOpenSamlObjects.ASSERTING_PARTY_ENTITY_ID))
+			.willReturn(this.registration);
+		Saml2LogoutRequestValidatorParameters parameters = this.resolver.resolve(request, null);
+		assertThat(parameters.getAuthentication()).isNull();
+		assertThat(parameters.getRelyingPartyRegistration().getRegistrationId()).isEqualTo(registrationId);
+		assertThat(parameters.getLogoutRequest().getSamlRequest()).isEqualTo(encoded);
+	}
+
 	@Test
 	void saml2LogoutRegistrationIdResolveWhenNoMatchingRegistrationIdThenSaml2Exception() {
 		MockHttpServletRequest request = post("/logout/saml2/slo/id");
@@ -129,6 +144,12 @@ private MockHttpServletRequest post(String uri) {
 		return request;
 	}
 
+	private MockHttpServletRequest get(String uri) {
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", uri);
+		request.setServletPath(uri);
+		return request;
+	}
+
 	private String serialize(XMLObject object) {
 		try {
 			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(object);