Fix #8693 Support SAML 2.0 SP Metadata Endpoints #8795

Closed
2 changes: 1 addition & 1 deletion Jenkinsfile
Expand Up @@ -89,7 +89,7 @@ try {
"GRADLE_ENTERPRISE_CACHE_USERNAME=${GRADLE_ENTERPRISE_CACHE_USERNAME}",
"GRADLE_ENTERPRISE_CACHE_PASSWORD=${GRADLE_ENTERPRISE_CACHE_PASSWORD}",
"GRADLE_ENTERPRISE_ACCESS_KEY=${GRADLE_ENTERPRISE_ACCESS_KEY}"]) {
sh "./gradlew test -PforceMavenRepositories=snapshot -PspringVersion='5.+' -PreactorVersion=20+ -PspringDataVersion=Lovelace-BUILD-SNAPSHOT -PlocksDisabled --stacktrace"
sh "./gradlew test -PforceMavenRepositories=snapshot -PspringVersion='5.+' -PreactorVersion=20+ -PspringDataVersion=Lovelace-BUILD-SNAPSHOT -PrsocketVersion=1.1.0-SNAPSHOT -PlocksDisabled --stacktrace"
}
}
} catch(Exception e) {
Expand Up @@ -73,6 +73,9 @@ final class FilterComparator implements Comparator<Filter>, Serializable {
filterToOrder.put(
"org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter",
order.next());
filterToOrder.put(
"org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter",
order.next());
filterToOrder.put(
"org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter",
order.next());
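Review bot: The context line directly after the new entry still orders `org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter`, while the configurer and test hunks in this PR now import that class and Saml2WebSsoAuthenticationFilter from `...provider.service.web`. This comparator appears to key filter ordering by the fully qualified class-name string, so if those classes really moved packages the old entries silently stop matching and the SSO filters would no longer receive an order when registered via addFilter. If that is the case, the two strings should follow the move, e.g. `"org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter"`; this is inferred from the import changes only, so disregard if the old classes still exist. The enclosing initializer starts and ends outside the hunk.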
Expand Up @@ -33,8 +33,11 @@
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter;
import org.springframework.security.saml2.provider.service.web.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataResolver;
import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
Expand Down Expand Up @@ -103,10 +106,14 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>> extend

private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

private Saml2MetadataResolver saml2MetadataResolver;

private AuthenticationManager authenticationManager;

private Saml2WebSsoAuthenticationFilter saml2WebSsoAuthenticationFilter;

private Saml2MetadataFilter saml2MetadataFilter;
Contributor


It seems a little odd to provide this as part of saml2Login(). For now, let's leave it out of the DSL as an application can add the filter directly with addFilter

Contributor Author


Entity ID patterns used as defaults across spring-security-saml map to the URL, which to me suggests this URL should be available without any external configuration. Why do you think it's odd?

Contributor


Why do you think it's odd?

Because saml2Login() indicates an authentication mechanism, so it should only contain filters related to that.

For example, saml2Login() isn't the place to configure SAML logout.

without any external configuration

Can you elaborate on this point? What I'm suggesting is that an application do:

http
    .saml2Login(saml2 -> {})
    .addFilter(new Saml2MetadataFilter(new OpenSamlMetadataResolver()));

which already seems simple.


/**
* Allows a configuration of a {@link AuthenticationManager} to be used during SAML 2 authentication.
* If none is specified, the system will create one inject it into the {@link Saml2WebSsoAuthenticationFilter}
Expand All @@ -133,6 +140,16 @@ public Saml2LoginConfigurer relyingPartyRegistrationRepository(RelyingPartyRegis
return this;
}

/**
* Sets the {@code Saml2MetadataResolver}
* @param saml2MetadataResolver the implementation of the metadata resolver
* @return the {@link Saml2LoginConfigurer} for further configuration
*/
public Saml2LoginConfigurer saml2MetadataResolver(Saml2MetadataResolver saml2MetadataResolver) {
this.saml2MetadataResolver = saml2MetadataResolver;
return this;
}

/**
* {@inheritDoc}
*/
Expand Down Expand Up @@ -190,6 +207,14 @@ public void init(B http) throws Exception {
setAuthenticationFilter(saml2WebSsoAuthenticationFilter);
super.loginProcessingUrl(this.loginProcessingUrl);

if (this.saml2MetadataResolver == null) {
this.saml2MetadataResolver = new OpenSamlMetadataResolver();
}

saml2MetadataFilter = new Saml2MetadataFilter(
this.relyingPartyRegistrationRepository, this.saml2MetadataResolver
);

if (hasText(this.loginPage)) {
// Set custom login page
super.loginPage(this.loginPage);
Expand Down Expand Up @@ -229,6 +254,7 @@ public void init(B http) throws Exception {
@Override
public void configure(B http) throws Exception {
http.addFilter(this.authenticationRequestEndpoint.build(http));
http.addFilter(saml2MetadataFilter);
super.configure(http);
if (this.authenticationManager == null) {
registerDefaultAuthenticationProvider(http);
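Review bot: `saml2MetadataFilter = new Saml2MetadataFilter(...)` in init drops the `this.` prefix that the neighbouring assignments use, and neither the new field nor the `saml2MetadataResolver(...)` setter says what the resolver's output is used for or what happens when null is passed. I would extend the setter Javadoc with `If not set, an {@link OpenSamlMetadataResolver} is used. The resolved document is served by {@link Saml2MetadataFilter} to unauthenticated callers, so the resolver must only emit the relying party's public metadata (presumably entity ID, endpoints and public certificates) and never private key material.` Since the filter is created unconditionally in init and registered in configure with no setter to replace it or switch it off, a field comment stating that applications wanting a different filter instance must not rely on this configurer would also help. Both init and configure start and end outside the hunks, so I could not confirm where relyingPartyRegistrationRepository is resolved relative to the new filter's construction; worth checking that it is never null at that point.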
Expand Up @@ -60,8 +60,8 @@
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter;
import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestContextResolver;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.context.HttpRequestResponseHolder;
Expand Up @@ -30,7 +30,7 @@ import org.springframework.security.saml2.credentials.Saml2X509Credential
import org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.VERIFICATION
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter
import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationFilter
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.get
import java.security.cert.Certificate