NIFI-11554 Upgraded OpenSAML from 3.4.6 to 4.3.0

- Added Shibboleth repository for OpenSAML
- Replaced deprecated OpenSAML 3 Spring Security components with OpenSAML 4

Signed-off-by: Pierre Villard <pierre.villard.fr@gmail.com>

This closes #7251.
This commit is contained in:
exceptionfactory 2023-05-15 21:40:56 -05:00 committed by Pierre Villard
parent 3051b69a6c
commit 8ebecdc3ab
No known key found for this signature in database
GPG Key ID: F92A93B30C07C6D5
4 changed files with 52 additions and 27 deletions


@ -45,7 +45,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest; import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider; import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutRequestValidator; import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutRequestValidator;
import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutResponseValidator; import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutResponseValidator;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator; import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
@ -55,16 +55,16 @@ import org.springframework.security.saml2.provider.service.metadata.Saml2Metadat
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository; import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter; import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter; import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver; import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository; import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter; import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter; import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml3AuthenticationRequestResolver; import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver; import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml3LogoutRequestResolver; import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutRequestResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml3LogoutResponseResolver; import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutResponseResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter; import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestRepository; import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestRepository;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver; import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
@ -218,26 +218,24 @@ public class SamlAuthenticationSecurityConfiguration {
/** /**
* Spring Security OpenSAML Authentication Provider for processing SAML 2 login responses * Spring Security OpenSAML Authentication Provider for processing SAML 2 login responses
* *
* @return OpenSAML 3 Authentication Provider required for compatibility with Java 8 * @return OpenSAML 4 Authentication Provider compatible with Java 11
*/ */
@SuppressWarnings("deprecation")
@Bean @Bean
public OpenSamlAuthenticationProvider openSamlAuthenticationProvider() { public OpenSaml4AuthenticationProvider openSamlAuthenticationProvider() {
final OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider(); final OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
final ResponseAuthenticationConverter responseAuthenticationConverter = new ResponseAuthenticationConverter(properties.getSamlGroupAttributeName()); final ResponseAuthenticationConverter responseAuthenticationConverter = new ResponseAuthenticationConverter(properties.getSamlGroupAttributeName());
provider.setResponseAuthenticationConverter(responseAuthenticationConverter); provider.setResponseAuthenticationConverter(responseAuthenticationConverter);
return provider; return provider;
} }
/** /**
* Spring Security SAML 2 Authentication Request Resolver uses OpenSAML 3 for compatibility with Java 8 * Spring Security SAML 2 Authentication Request Resolver uses OpenSAML 4
* *
* @return OpenSAML 3 version of SAML 2 Authentication Request Resolver * @return OpenSAML 4 version of SAML 2 Authentication Request Resolver
*/ */
@SuppressWarnings("deprecation")
@Bean @Bean
public Saml2AuthenticationRequestResolver saml2AuthenticationRequestResolver() { public Saml2AuthenticationRequestResolver saml2AuthenticationRequestResolver() {
return new OpenSaml3AuthenticationRequestResolver(relyingPartyRegistrationResolver()); return new OpenSaml4AuthenticationRequestResolver(relyingPartyRegistrationResolver());
} }
/** /**
@ -261,25 +259,23 @@ public class SamlAuthenticationSecurityConfiguration {
} }
/** /**
* Spring Security SAML 2 Logout Request Resolver uses OpenSAML 3 for compatibility with Java 8 * Spring Security SAML 2 Logout Request Resolver uses OpenSAML 4
* *
* @return OpenSAML 3 version of SAML 2 Logout Request Resolver * @return OpenSAML 4 version of SAML 2 Logout Request Resolver
*/ */
@SuppressWarnings("deprecation")
@Bean @Bean
public Saml2LogoutRequestResolver saml2LogoutRequestResolver() { public Saml2LogoutRequestResolver saml2LogoutRequestResolver() {
return new OpenSaml3LogoutRequestResolver(relyingPartyRegistrationResolver()); return new OpenSaml4LogoutRequestResolver(relyingPartyRegistrationResolver());
} }
/** /**
* Spring Security SAML 2 Logout Response Resolver uses OpenSAML 3 for compatibility with Java 8 * Spring Security SAML 2 Logout Response Resolver uses OpenSAML 4
* *
* @return OpenSAML 3 version of SAML 2 Logout Response Resolver * @return OpenSAML 4 version of SAML 2 Logout Response Resolver
*/ */
@SuppressWarnings("deprecation")
@Bean @Bean
public Saml2LogoutResponseResolver saml2LogoutResponseResolver() { public Saml2LogoutResponseResolver saml2LogoutResponseResolver() {
return new OpenSaml3LogoutResponseResolver(relyingPartyRegistrationResolver()); return new OpenSaml4LogoutResponseResolver(relyingPartyRegistrationResolver());
} }
/** /**


@ -70,7 +70,7 @@ public class StandardSaml2CredentialProvider implements Saml2CredentialProvider
try { try {
return keyStore.getKey(alias, keyPassword); return keyStore.getKey(alias, keyPassword);
} catch (final GeneralSecurityException e) { } catch (final GeneralSecurityException e) {
throw new Saml2Exception(String.format("Loading Key [%s] failed", alias)); throw new Saml2Exception(String.format("Loading Key [%s] failed", alias), e);
} }
} }
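Review bot: `keyStore.getKey(alias, keyPassword)` on the second line of the hunk returns null when the alias is absent from the key store or is not a key entry, and that null is handed back to the caller as though a key had been loaded. Since the catch branch now wraps failures in a Saml2Exception carrying the alias, the missing-alias case should be rejected the same way: `final Key key = keyStore.getKey(alias, keyPassword);` / `if (key == null) { throw new Saml2Exception(String.format("Key [%s] not found", alias)); }` / `return key;`. The enclosing method's signature and the rest of its body are outside the hunk, so the declared return type and any caller-side null handling should be confirmed before adding the check.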


@ -24,8 +24,8 @@ import org.opensaml.saml.saml2.core.Assertion;
import org.springframework.core.convert.converter.Converter; import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider; import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken; import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal; import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication; import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
@ -39,8 +39,7 @@ import java.util.stream.Collectors;
* Converter from SAML 2 Response Token to SAML 2 Authentication for Spring Security * Converter from SAML 2 Response Token to SAML 2 Authentication for Spring Security
*/ */
public class ResponseAuthenticationConverter implements Converter<ResponseToken, Saml2Authentication> { public class ResponseAuthenticationConverter implements Converter<ResponseToken, Saml2Authentication> {
@SuppressWarnings("deprecation") private static final Converter<ResponseToken, Saml2Authentication> defaultConverter = OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();
private static final Converter<ResponseToken, Saml2Authentication> defaultConverter = OpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter();
private final String groupAttributeName; private final String groupAttributeName;
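Review bot: `defaultConverter` on the rewritten field declaration is a `private static final` constant but keeps a lowerCamelCase name; Java convention is UPPER_SNAKE_CASE, so `private static final Converter<ResponseToken, Saml2Authentication> DEFAULT_CONVERTER = OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();` with its uses renamed to match. The field also carries no comment explaining that it is the Spring Security default converter this class presumably delegates to before applying `groupAttributeName`; a one-line Javadoc such as `/** Spring Security default Response Token to Authentication converter delegated to by this class */` would make that explicit. The class body continues outside the hunk, so the references that would need renaming are not visible here.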


@ -25,6 +25,7 @@
<properties> <properties>
<curator.version>5.5.0</curator.version> <curator.version>5.5.0</curator.version>
<tika.version>2.8.0</tika.version> <tika.version>2.8.0</tika.version>
<org.opensaml.version>4.3.0</org.opensaml.version>
</properties> </properties>
<modules> <modules>
<module>nifi-framework</module> <module>nifi-framework</module>
@ -33,6 +34,19 @@
<module>nifi-headless-server-nar</module> <module>nifi-headless-server-nar</module>
<module>nifi-framework-external-resource-utils</module> <module>nifi-framework-external-resource-utils</module>
</modules> </modules>
<repositories>
<!-- Shibboleth Repository required for OpenSAML -->
<repository>
<id>shibboleth</id>
<url>https://build.shibboleth.net/nexus/content/repositories/releases/</url>
<releases>
<enabled>true</enabled>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
<dependencyManagement> <dependencyManagement>
<dependencies> <dependencies>
<dependency> <dependency>
@ -425,6 +439,22 @@
<artifactId>spring-security-kerberos-core</artifactId> <artifactId>spring-security-kerberos-core</artifactId>
<version>1.0.1.RELEASE</version> <version>1.0.1.RELEASE</version>
</dependency> </dependency>
<!-- Override OpenSAML to version 4 for Spring Security SAML -->
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-core</artifactId>
<version>${org.opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-saml-api</artifactId>
<version>${org.opensaml.version}</version>
</dependency>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-saml-impl</artifactId>
<version>${org.opensaml.version}</version>
</dependency>
<!-- Override xmlsec from spring-security-saml2-service-provider --> <!-- Override xmlsec from spring-security-saml2-service-provider -->
<dependency> <dependency>
<groupId>org.apache.santuario</groupId> <groupId>org.apache.santuario</groupId>
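Review bot: The new `<repositories>` entry makes build.shibboleth.net a resolution source for every artifact in this module tree, not only for the three org.opensaml dependencies that need it; Maven will try it for any artifact not found in the repositories ahead of it, which widens the software-supply-chain surface of the build. Consider routing it through the organization's repository manager or at least recording that scope in the existing comment, e.g. `<!-- Shibboleth Repository required for OpenSAML; consulted for any artifact not found in the preceding repositories -->`. The managed versions cover only opensaml-core, opensaml-saml-api and opensaml-saml-impl; the remaining opensaml-* modules (xmlsec, security, messaging, and so on) presumably arrive transitively through opensaml-saml-impl, so a `mvn dependency:tree` check that none of them still resolves to a 3.x version would confirm the upgrade is uniform.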