Add OpenSaml 4 support #9095
Comments
MichaelVetter
added
status: waiting-for-triage
jzheaux
added
in: saml2
|
Since we'll be supporting Spring Security 5.5 longer than OpenSAML 3 will be supported, it might be better to add support instead of upgrade. |
|
Would be nice to see get this upgraded to OpenSaml 4 in a minor version, if at all possible. CVE scanners are lighting up Santuario/Xmlsec as well as Cryptacular, which are dependencies of OpenSaml. |
|
Would also vote for an update to OpenSaml 4 as the 3.x version are using Apache Velocity 1.7 which is vulnerable by Unfortunately it is not that easy to override the used Apache Velocity 1.7 dependency with a newer 2.3 dependency as there may issues based on the behaviour and API changes mentioned in the release notes. And if someone has good ideas or experience by replacing Velocity 1.7 with the newer 2.3 version in OpenSAML 3.x I'm interested 😉 Edit: Just saw that a PR #9267 is already open 👍 |
|
@jzheaux : Are you sure that it is enough to use Java 11 just for the build and not at runtime (your comment in #9418)? |
|
The latest OpenSAML version 4.1.0 still uses Apache Velocity 2.2 but overriding this with 2.3 should be ok according to the release notes of Velocity. |
|
Hi, @MichaelVetter, sorry that I wasn't clearer on that point. Spring Security's runtime baseline is JDK 8, and it remains that way. However since OpenSAML 4's runtime baseline is JDK 11, an application that uses OpenSAML 4 will need to run with JDK 11. Introducing Spring Security into an application will not require that application to use JDK 11, but introducing OpenSAML 4 will. This is because Spring Security optionally chooses its OpenSAML 3 or OpenSAML 4-compatible implementation by inspecting the OpenSAML version at runtime. For example, if (Version.getVersion().startsWith("4")) {
return new OpenSaml4XYZComponent(...);
} else {
return new OpenSaml3XYZComponent(...);
}
Have you experienced any issues with running JDK 8 + OpenSAML 3 in Spring Security? |
|
@jzheaux: Thank you for the clarification. |
- We don't want to have public top-level classes extending or implementing OpenSAML classes Issue gh-9095
- Produce sources jar - Produce Javadoc jar Issue gh-9095
- To make upgrade passive Issue gh-9095
|
@mibo: It seems that velocity is not needed by spring-security-saml2-service-provider 5.4. The velocity templates for HTTP-POST binding are replaced by this method org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter.createSamlPostRequestFormData(Saml2PostAuthenticationRequest) |
|
@MichaelVetter Thanks a lot for this information. Regarding OpenSaml 4 update it is now that Java >= 11 is required (see d0d0a8d) and the OpenSaml 4 libraries must be provided by ourself (as it is a provided dependency). |
|
Correct, @mibo. |
pac4j-saml-opensamlv3 4.5.2 now has velocity-core-engine v2.3 it is based on Java 8 |
- We don't want to have public top-level classes extending or implementing OpenSAML classes Issue spring-projectsgh-9095
- Produce sources jar - Produce Javadoc jar Issue spring-projectsgh-9095
- To make upgrade passive Issue spring-projectsgh-9095
|
Can someone please at least add a note to the fact that Java 11 is required to use the spring-security-saml2-service-provider module? It took me many hours to track this down. If not in the main documentation, at least add a line in the spring-security-sample/servlet/java-configuration/saml2/login project. |
Please upgrade to OpenSaml 4 libraries. Currently the latest version in the Shibboleth repository is 4.0.1.
OpenSaml 3 will reach EOL soon and depends on some library versions with security issues:
https://shibboleth.1660669.n2.nabble.com/Security-issue-on-Java-OpenSaml-Library-td7646686.html
Furthermore the dependencies of OpenSaml have been cleaned up:
https://issues.shibboleth.net/jira/browse/OSJ-264
Maybe you could exclude even more transitive dependencies that are not necessary for spring-security-saml.
The text was updated successfully, but these errors were encountered: