Saml2WebSsoAuthenticationRequestFilter should not use OpenSamlAuthenticationRequestFactory by default #8359

@jzheaux

If Saml2WebSsoAuthenticationRequestFilter uses OpenSamlAuthenticationRequestFactory by default, then Spring Security is dependent on OpenSAML even if the application implements its own Saml2AuthenticationRequestFactory and AuthenticationProvider.

Instead, the constructor should require a Saml2AuthenticationRequestFactory.

Note that this behavior can be verified by creating a project that uses spring-security-saml2-service-provider, excludes the OpenSAML dependencies, and simply constructs a Saml2WebSsoAuthenticationRequestFilter in the main method:

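```java
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter;

public class Main {
    public static void main(String[] args) {
        // Stub implementations: nothing here comes from OpenSAML
        RelyingPartyRegistrationRepository repository = id -> null;
        Saml2AuthenticationRequestFactory factory = request -> null;
        Saml2WebSsoAuthenticationRequestFilter filter =
            new Saml2WebSsoAuthenticationRequestFilter(repository); // throws ClassNotFoundException
        filter.setAuthenticationRequestFactory(factory);
    }
}
```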
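A Maven dependency declaration for the reproduction project described above, as an added example that is not part of the original issue. The wildcard exclusion assumes Maven 3.2.1 or later, and the version property is a placeholder because the issue does not name a release.

```xml
<!-- Added example: pom.xml fragment for the reproduction project -->
<dependencies>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-saml2-service-provider</artifactId>
    <!-- Placeholder: set this property to the Spring Security release under test -->
    <version>${spring-security.version}</version>
    <exclusions>
      <!-- Drop every transitive OpenSAML artifact so that any hard reference
           to OpenSAML classes fails at class-loading time -->
      <exclusion>
        <groupId>org.opensaml</groupId>
        <artifactId>*</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dincludes=org.opensaml` against the project should list no artifacts, confirming that OpenSAML is absent from the classpath before the `main` method is run.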
