Add saml2-login java-configuration sample

Issue gh-10
2021-10-21 11:56:31 -03:00 · 2021-10-21 11:56:31 -03:00 · 313dbd7a18
parent b48c07d36d
commit 313dbd7a18
21 changed files with 899 additions and 1 deletions
--- a/README.adoc
+++ b/README.adoc
@ -42,7 +42,7 @@ Samples for https://github.com/spring-projects/spring-security
 === SAML 2.0
-* https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/login[Login & Logout]
+* Login & Logout - https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/login[Spring Boot] | https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/saml2/login[Java Configuration]
 === Authentication
--- a/servlet/java-configuration/saml2/login/README.adoc
+++ b/servlet/java-configuration/saml2/login/README.adoc
@ -0,0 +1,50 @@
 = SAML 2.0 Login & Logout Sample
 This guide provides instructions on setting up this SAML 2.0 Login & Logout sample application.
 It uses https://simplesamlphp.org/[SimpleSAMLphp] as its asserting party.
 The sample application uses Spring Boot and the `spring-security-saml2-service-provider`
 module which is new in Spring Security 5.2.
 The https://docs.spring.io/spring-security/site/docs/5.6.0-SNAPSHOT/reference/html5/#servlet-saml2login-logout[SAML 2.0 Logout feature] is new in Spring Security 5.6.
 == Goals
 === SAML 2.0 Login
 `saml2Login()` provides a very simple implementation of a Service Provider that can receive a SAML 2.0 Response via the HTTP-POST and HTTP-REDIRECT bindings against the SimpleSAMLphp SAML 2.0 reference implementation.
 The following features are implemented in the MVP:
 1. Receive and validate a SAML 2.0 Response containing an assertion, and create a corresponding authentication in Spring Security
 2. Send a SAML 2.0 AuthNRequest to an Identity Provider
 3. Provide a framework for components used in SAML 2.0 authentication that can be swapped by configuration
 4. Work against the SimpleSAMLphp reference implementation
 === SAML 2.0 Single Logout
 `saml2Logout()` supports RP- and AP-initiated SAML 2.0 Single Logout via the HTTP-POST and HTTP-REDIRECT bindings against the SimpleSAMLphp SAML 2.0 reference implementation.
 On this sample, the SAML 2.0 Logout is using the HTTP-POST binding.
 You can refer to the https://docs.spring.io/spring-security/site/docs/5.6.0-SNAPSHOT/reference/html5/#servlet-saml2login-logout[reference documentation] for more details about the RP- and AP-initiated SAML 2.0 Logout.
 == Run the Sample
 === Start up the application
 You should run the application war in a servlet container like Tomcat
 === Open a Browser
 http://localhost:8080/
 You will be redirect to the SimpleSAMLphp IDP
 === Type in your credentials
 ```
 User: user
 Password: password
 ```
--- a/servlet/java-configuration/saml2/login/build.gradle
+++ b/servlet/java-configuration/saml2/login/build.gradle
@ -0,0 +1,66 @@
 /*
 * Copyright 2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 plugins {
 	id "java"
 	id "nebula.integtest" version "8.2.0"
 	id "org.gretty" version "3.0.6"
 	id "war"
 }
 apply from: "gradle/gretty.gradle"
 repositories {
 	jcenter()
 	maven { url "https://repo.spring.io/snapshot" }
 	maven { url "https://build.shibboleth.net/nexus/content/repositories/releases/" }
 }
 dependencies {
 	constraints {
 		implementation "org.opensaml:opensaml-core:4.1.1"
 		implementation "org.opensaml:opensaml-saml-api:4.1.1"
 		implementation "org.opensaml:opensaml-saml-impl:4.1.1"
 	}
 	implementation platform("org.springframework:spring-framework-bom:5.3.11")
 	implementation platform("org.springframework.security:spring-security-bom:5.6.0-SNAPSHOT")
 	implementation platform("org.junit:junit-bom:5.7.0")
 	implementation "org.springframework.security:spring-security-config"
 	implementation "org.springframework.security:spring-security-web"
 	implementation "org.springframework:spring-webmvc"
 	implementation "org.springframework.security:spring-security-saml2-service-provider"
 	implementation "javax.servlet.jsp.jstl:javax.servlet.jsp.jstl-api:1.2.2"
 	implementation "org.apache.taglibs:taglibs-standard-jstlel:1.2.5"
 	implementation "org.thymeleaf:thymeleaf-spring5:3.0.11.RELEASE"
 	implementation "org.thymeleaf.extras:thymeleaf-extras-springsecurity5:3.0.4.RELEASE"
 	providedCompile "javax.servlet:javax.servlet-api:4.0.1"
 	providedCompile "javax.servlet.jsp:javax.servlet.jsp-api:2.3.3"
 	testImplementation "org.assertj:assertj-core:3.18.0"
 	testImplementation "org.springframework:spring-test"
 	testImplementation "org.springframework.security:spring-security-test"
 	testImplementation("org.junit.jupiter:junit-jupiter-api")
 	testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine")
 	integTestImplementation "org.seleniumhq.selenium:htmlunit-driver:2.44.0"
 }
 tasks.withType(Test).configureEach {
 	useJUnitPlatform()
 }
--- a/servlet/java-configuration/saml2/login/gradle/gretty.gradle
+++ b/servlet/java-configuration/saml2/login/gradle/gretty.gradle
@ -0,0 +1,41 @@
 gretty {
 	servletContainer = "tomcat9"
 	contextPath = "/"
 	fileLogEnabled = false
 	integrationTestTask = 'integrationTest'
 }
 Task prepareAppServerForIntegrationTests = project.tasks.create('prepareAppServerForIntegrationTests') {
 	group = 'Verification'
 	description = 'Prepares the app server for integration tests'
 	doFirst {
 		project.gretty {
 			httpPort = -1
 		}
 	}
 }
 project.tasks.matching { it.name == "appBeforeIntegrationTest" }.all { task ->
 	task.dependsOn prepareAppServerForIntegrationTests
 }
 project.tasks.matching { it.name == "integrationTest" }.all {
 	task -> task.doFirst {
 		def gretty = project.gretty
 		String host = project.gretty.host ?: 'localhost'
 		boolean isHttps = gretty.httpsEnabled
 		Integer httpPort = integrationTest.systemProperties['gretty.httpPort']
 		Integer httpsPort = integrationTest.systemProperties['gretty.httpsPort']
 		int port = isHttps ? httpsPort : httpPort
 		String contextPath = project.gretty.contextPath
 		String httpBaseUrl = "http://${host}:${httpPort}${contextPath}"
 		String httpsBaseUrl = "https://${host}:${httpsPort}${contextPath}"
 		String baseUrl = isHttps ? httpsBaseUrl : httpBaseUrl
 		integrationTest.systemProperty 'app.port', port
 		integrationTest.systemProperty 'app.httpPort', httpPort
 		integrationTest.systemProperty 'app.httpsPort', httpsPort
 		integrationTest.systemProperty 'app.baseURI', baseUrl
 		integrationTest.systemProperty 'app.httpBaseURI', httpBaseUrl
 		integrationTest.systemProperty 'app.httpsBaseURI', httpsBaseUrl
 	}
 }
--- a/servlet/java-configuration/saml2/login/gradle/wrapper/gradle-wrapper.jar
+++ b/servlet/java-configuration/saml2/login/gradle/wrapper/gradle-wrapper.jar
--- a/servlet/java-configuration/saml2/login/gradle/wrapper/gradle-wrapper.properties
+++ b/servlet/java-configuration/saml2/login/gradle/wrapper/gradle-wrapper.properties
@ -0,0 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 distributionUrl=https\://services.gradle.org/distributions/gradle-7.2-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
--- a/servlet/java-configuration/saml2/login/gradlew
+++ b/servlet/java-configuration/saml2/login/gradlew
@ -0,0 +1,185 @@
 #!/usr/bin/env sh
 #
 # Copyright 2015 the original author or authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 ##############################################################################
 ##
 ##  Gradle start up script for UN*X
 ##
 ##############################################################################
 # Attempt to set APP_HOME
 # Resolve links: $0 may be a link
 PRG="$0"
 # Need this for relative symlinks.
 while [ -h "$PRG" ] ; do
    ls=`ls -ld "$PRG"`
    link=`expr "$ls" : '.*-> \(.*\)$'`
    if expr "$link" : '/.*' > /dev/null; then
        PRG="$link"
    else
        PRG=`dirname "$PRG"`"/$link"
    fi
 done
 SAVED="`pwd`"
 cd "`dirname \"$PRG\"`/" >/dev/null
 APP_HOME="`pwd -P`"
 cd "$SAVED" >/dev/null
 APP_NAME="Gradle"
 APP_BASE_NAME=`basename "$0"`
 # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD="maximum"
 warn () {
    echo "$*"
 }
 die () {
    echo
    echo "$*"
    echo
    exit 1
 }
 # OS specific support (must be 'true' or 'false').
 cygwin=false
 msys=false
 darwin=false
 nonstop=false
 case "`uname`" in
  CYGWIN* )
    cygwin=true
    ;;
  Darwin* )
    darwin=true
    ;;
  MINGW* )
    msys=true
    ;;
  NONSTOP* )
    nonstop=true
    ;;
 esac
 CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 # Determine the Java command to use to start the JVM.
 if [ -n "$JAVA_HOME" ] ; then
    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
        # IBM's JDK on AIX uses strange locations for the executables
        JAVACMD="$JAVA_HOME/jre/sh/java"
    else
        JAVACMD="$JAVA_HOME/bin/java"
    fi
    if [ ! -x "$JAVACMD" ] ; then
        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
    fi
 else
    JAVACMD="java"
    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
 fi
 # Increase the maximum file descriptors if we can.
 if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
    MAX_FD_LIMIT=`ulimit -H -n`
    if [ $? -eq 0 ] ; then
        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
            MAX_FD="$MAX_FD_LIMIT"
        fi
        ulimit -n $MAX_FD
        if [ $? -ne 0 ] ; then
            warn "Could not set maximum file descriptor limit: $MAX_FD"
        fi
    else
        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
    fi
 fi
 # For Darwin, add options to specify how the application appears in the dock
 if $darwin; then
    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
 fi
 # For Cygwin or MSYS, switch paths to Windows format before running java
 if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
    JAVACMD=`cygpath --unix "$JAVACMD"`
    # We build the pattern for arguments to be converted via cygpath
    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
    SEP=""
    for dir in $ROOTDIRSRAW ; do
        ROOTDIRS="$ROOTDIRS$SEP$dir"
        SEP="|"
    done
    OURCYGPATTERN="(^($ROOTDIRS))"
    # Add a user-defined pattern to the cygpath arguments
    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
    fi
    # Now convert the arguments - kludge to limit ourselves to /bin/sh
    i=0
    for arg in "$@" ; do
        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
        CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
        else
            eval `echo args$i`="\"$arg\""
        fi
        i=`expr $i + 1`
    done
    case $i in
        0) set -- ;;
        1) set -- "$args0" ;;
        2) set -- "$args0" "$args1" ;;
        3) set -- "$args0" "$args1" "$args2" ;;
        4) set -- "$args0" "$args1" "$args2" "$args3" ;;
        5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
        6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
        7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
        8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
        9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
    esac
 fi
 # Escape application args
 save () {
    for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
    echo " "
 }
 APP_ARGS=`save "$@"`
 # Collect all arguments for the java command, following the shell quoting and substitution rules
 eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
 exec "$JAVACMD" "$@"
--- a/servlet/java-configuration/saml2/login/gradlew.bat
+++ b/servlet/java-configuration/saml2/login/gradlew.bat
@ -0,0 +1,104 @@
@rem
@rem Copyright 2015 the original author or authors.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@rem You may obtain a copy of the License at
@rem
@rem      https://www.apache.org/licenses/LICENSE-2.0
@rem
@rem Unless required by applicable law or agreed to in writing, software
@rem distributed under the License is distributed on an "AS IS" BASIS,
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem  Gradle startup script for Windows
@rem
@rem ##########################################################################
@rem Set local scope for the variables with windows NT shell
 if "%OS%"=="Windows_NT" setlocal
 set DIRNAME=%~dp0
 if "%DIRNAME%" == "" set DIRNAME=.
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
 for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
@rem Find java.exe
 if defined JAVA_HOME goto findJavaFromJavaHome
 set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if "%ERRORLEVEL%" == "0" goto init
 echo.
 echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 echo.
 echo Please set the JAVA_HOME variable in your environment to match the
 echo location of your Java installation.
 goto fail
 :findJavaFromJavaHome
 set JAVA_HOME=%JAVA_HOME:"=%
 set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 if exist "%JAVA_EXE%" goto init
 echo.
 echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
 echo.
 echo Please set the JAVA_HOME variable in your environment to match the
 echo location of your Java installation.
 goto fail
 :init
@rem Get command-line arguments, handling Windows variants
 if not "%OS%" == "Windows_NT" goto win9xME_args
 :win9xME_args
@rem Slurp the command line arguments.
 set CMD_LINE_ARGS=
 set _SKIP=2
 :win9xME_args_slurp
 if "x%~1" == "x" goto execute
 set CMD_LINE_ARGS=%*
 :execute
@rem Setup the command line
 set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
@rem Execute Gradle
 "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
 :end
@rem End local scope for the variables with windows NT shell
 if "%ERRORLEVEL%"=="0" goto mainEnd
 :fail
 rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
 rem the _cmd.exe /c_ return code!
 if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
 exit /b 1
 :mainEnd
 if "%OS%"=="Windows_NT" endlocal
 :omega
--- a/servlet/java-configuration/saml2/login/settings.gradle
+++ b/servlet/java-configuration/saml2/login/settings.gradle
@ -0,0 +1 @@
--- a/servlet/java-configuration/saml2/login/src/main/java/example/ApplicationConfiguration.java
+++ b/servlet/java-configuration/saml2/login/src/main/java/example/ApplicationConfiguration.java
@ -0,0 +1,26 @@
 /*
 * Copyright 2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package example;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
@Configuration
@ComponentScan
 public class ApplicationConfiguration {
 }
--- a/servlet/java-configuration/saml2/login/src/main/java/example/IndexController.java
+++ b/servlet/java-configuration/saml2/login/src/main/java/example/IndexController.java
@ -0,0 +1,40 @@
 /*
 * Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package example;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
 /**
 * Controller for "/".
 *
 * @author Rob WInch
 */
@Controller
 public class IndexController {
 	@GetMapping("/")
 	public String index(Model model, @AuthenticationPrincipal Saml2AuthenticatedPrincipal principal) {
 		String emailAddress = principal.getFirstAttribute("emailAddress");
 		model.addAttribute("emailAddress", emailAddress);
 		model.addAttribute("userAttributes", principal.getAttributes());
 		return "index";
 	}
 }
--- a/servlet/java-configuration/saml2/login/src/main/java/example/MvcWebApplicationInitializer.java
+++ b/servlet/java-configuration/saml2/login/src/main/java/example/MvcWebApplicationInitializer.java
@ -0,0 +1,46 @@
 /*
 * Copyright 2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package example;
 import javax.servlet.Filter;
 import org.springframework.web.filter.HiddenHttpMethodFilter;
 import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
 public class MvcWebApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
 	@Override
 	protected Class<?>[] getRootConfigClasses() {
 		return null;
 	}
 	@Override
 	protected Class<?>[] getServletConfigClasses() {
 		return new Class[] { ApplicationConfiguration.class };
 	}
 	@Override
 	protected String[] getServletMappings() {
 		return new String[] { "/" };
 	}
 	@Override
 	protected Filter[] getServletFilters() {
 		return new Filter[] { new HiddenHttpMethodFilter() };
 	}
 }
--- a/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java
+++ b/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java
@ -0,0 +1,89 @@
 /*
 * Copyright 2002-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package example;
 import java.io.InputStream;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateKey;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.core.io.Resource;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
 import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
 import org.springframework.security.web.SecurityFilterChain;
@EnableWebSecurity
 public class SecurityConfiguration {
 	@Value("classpath:credentials/rp-private.key")
 	RSAPrivateKey privateKey;
 	@Bean
 	SecurityFilterChain app(HttpSecurity http) throws Exception {
 		// @formatter:off
 		http
 				.authorizeRequests((authorize) -> authorize
 						.anyRequest().authenticated()
 				)
 				.saml2Login(Customizer.withDefaults())
 				.saml2Logout(Customizer.withDefaults());
 		// @formatter:on
 		return http.build();
 	}
 	@Bean
 	RelyingPartyRegistrationResolver relyingPartyRegistrationResolver(
 			RelyingPartyRegistrationRepository registrations) {
 		return new DefaultRelyingPartyRegistrationResolver(registrations);
 	}
 	@Bean
 	RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
 		RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
 				.fromMetadataLocation("https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php")
 				.registrationId("one")
 				.decryptionX509Credentials(
 						(c) -> c.add(Saml2X509Credential.decryption(this.privateKey, relyingPartyCertificate())))
 				.signingX509Credentials(
 						(c) -> c.add(Saml2X509Credential.signing(this.privateKey, relyingPartyCertificate())))
 				.build();
 		return new InMemoryRelyingPartyRegistrationRepository(relyingPartyRegistration);
 	}
 	X509Certificate relyingPartyCertificate() {
 		Resource resource = new ClassPathResource("credentials/rp-certificate.crt");
 		try (InputStream is = resource.getInputStream()) {
 			return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
 		}
 		catch (Exception ex) {
 			throw new UnsupportedOperationException(ex);
 		}
 	}
 }
--- a/servlet/java-configuration/saml2/login/src/main/java/example/SecurityWebApplicationInitializer.java
+++ b/servlet/java-configuration/saml2/login/src/main/java/example/SecurityWebApplicationInitializer.java
@ -0,0 +1,35 @@
 /*
 * Copyright 2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package example;
 import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
 import org.springframework.security.web.session.HttpSessionEventPublisher;
 /**
 * We customize {@link AbstractSecurityWebApplicationInitializer} to enable the
 * {@link HttpSessionEventPublisher}.
 *
 * @author Rob Winch
 */
 public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
 	@Override
 	protected boolean enableHttpSessionEventPublisher() {
 		return true;
 	}
 }
--- a/servlet/java-configuration/saml2/login/src/main/java/example/WebMvcConfiguration.java
+++ b/servlet/java-configuration/saml2/login/src/main/java/example/WebMvcConfiguration.java
@ -0,0 +1,81 @@
 /*
 * Copyright 2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package example;
 import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
 import org.thymeleaf.spring5.ISpringTemplateEngine;
 import org.thymeleaf.spring5.SpringTemplateEngine;
 import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
 import org.thymeleaf.spring5.view.ThymeleafViewResolver;
 import org.thymeleaf.templatemode.TemplateMode;
 import org.thymeleaf.templateresolver.ITemplateResolver;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.web.servlet.ViewResolver;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@EnableWebMvc
@Configuration
 public class WebMvcConfiguration implements WebMvcConfigurer {
 	@Override
 	public void addViewControllers(ViewControllerRegistry registry) {
 		registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
 	}
 	@Override
 	public void addResourceHandlers(ResourceHandlerRegistry registry) {
 		// @formatter:off
 		registry.addResourceHandler("/resources/**")
 				.addResourceLocations("classpath:/resources/")
 				.setCachePeriod(0);
 		// @formatter:on
 		registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
 	}
 	@Bean
 	public ViewResolver viewResolver(ISpringTemplateEngine templateEngine) {
 		ThymeleafViewResolver resolver = new ThymeleafViewResolver();
 		resolver.setTemplateEngine(templateEngine);
 		resolver.setCharacterEncoding("UTF-8");
 		return resolver;
 	}
 	@Bean
 	public SpringTemplateEngine templateEngine(ITemplateResolver templateResolver) {
 		SpringTemplateEngine engine = new SpringTemplateEngine();
 		engine.setEnableSpringELCompiler(true);
 		engine.setTemplateResolver(templateResolver);
 		engine.addDialect(new SpringSecurityDialect());
 		return engine;
 	}
 	@Bean
 	public SpringResourceTemplateResolver templateResolver() {
 		SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver();
 		resolver.setPrefix("classpath:/templates/");
 		resolver.setSuffix(".html");
 		resolver.setTemplateMode(TemplateMode.HTML);
 		return resolver;
 	}
 }
--- a/servlet/java-configuration/saml2/login/src/main/resources/credentials/idp-certificate.crt
+++ b/servlet/java-configuration/saml2/login/src/main/resources/credentials/idp-certificate.crt
@ -0,0 +1,24 @@
 -----BEGIN CERTIFICATE-----
 MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYD
 VQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYD
 VQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwX
 c2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0Bw
 aXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJ
 BgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAa
 BgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQD
 DBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlr
 QHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62
 E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz
 2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWW
 RDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQ
 nX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5
 cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gph
 iJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5
 ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTAD
 AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduO
 nRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+v
 ZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLu
 xbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6z
 V9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3
 lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk
 -----END CERTIFICATE-----
--- a/servlet/java-configuration/saml2/login/src/main/resources/credentials/rp-certificate.crt
+++ b/servlet/java-configuration/saml2/login/src/main/resources/credentials/rp-certificate.crt
@ -0,0 +1,16 @@
 -----BEGIN CERTIFICATE-----
 MIICgTCCAeoCCQCuVzyqFgMSyDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMC
 VVMxEzARBgNVBAgMCldhc2hpbmd0b24xEjAQBgNVBAcMCVZhbmNvdXZlcjEdMBsG
 A1UECgwUU3ByaW5nIFNlY3VyaXR5IFNBTUwxCzAJBgNVBAsMAnNwMSAwHgYDVQQD
 DBdzcC5zcHJpbmcuc2VjdXJpdHkuc2FtbDAeFw0xODA1MTQxNDMwNDRaFw0yODA1
 MTExNDMwNDRaMIGEMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjES
 MBAGA1UEBwwJVmFuY291dmVyMR0wGwYDVQQKDBRTcHJpbmcgU2VjdXJpdHkgU0FN
 TDELMAkGA1UECwwCc3AxIDAeBgNVBAMMF3NwLnNwcmluZy5zZWN1cml0eS5zYW1s
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRu7/EI0BlNzMEBFVAcbx+lLos
 vzIWU+01dGTY8gBdhMQNYKZ92lMceo2CuVJ66cUURPym3i7nGGzoSnAxAre+0YIM
 +U0razrWtAUE735bkcqELZkOTZLelaoOztmWqRbe5OuEmpewH7cx+kNgcVjdctOG
 y3Q6x+I4qakY/9qhBQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAAeViTvHOyQopWEi
 XOfI2Z9eukwrSknDwq/zscR0YxwwqDBMt/QdAODfSwAfnciiYLkmEjlozWRtOeN+
 qK7UFgP1bRl5qksrYX5S0z2iGJh0GvonLUt3e20Ssfl5tTEDDnAEUMLfBkyaxEHD
 RZ/nbTJ7VTeZOSyRoVn5XHhpuJ0B
 -----END CERTIFICATE-----
--- a/servlet/java-configuration/saml2/login/src/main/resources/credentials/rp-private.key
+++ b/servlet/java-configuration/saml2/login/src/main/resources/credentials/rp-private.key
@ -0,0 +1,16 @@
 -----BEGIN PRIVATE KEY-----
 MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANG7v8QjQGU3MwQE
 VUBxvH6Uuiy/MhZT7TV0ZNjyAF2ExA1gpn3aUxx6jYK5UnrpxRRE/KbeLucYbOhK
 cDECt77Rggz5TStrOta0BQTvfluRyoQtmQ5Nkt6Vqg7O2ZapFt7k64Sal7AftzH6
 Q2BxWN1y04bLdDrH4jipqRj/2qEFAgMBAAECgYEAj4ExY1jjdN3iEDuOwXuRB+Nn
 x7pC4TgntE2huzdKvLJdGvIouTArce8A6JM5NlTBvm69mMepvAHgcsiMH1zGr5J5
 wJz23mGOyhM1veON41/DJTVG+cxq4soUZhdYy3bpOuXGMAaJ8QLMbQQoivllNihd
 vwH0rNSK8LTYWWPZYIECQQDxct+TFX1VsQ1eo41K0T4fu2rWUaxlvjUGhK6HxTmY
 8OMJptunGRJL1CUjIb45Uz7SP8TPz5FwhXWsLfS182kRAkEA3l+Qd9C9gdpUh1uX
 oPSNIxn5hFUrSTW1EwP9QH9vhwb5Vr8Jrd5ei678WYDLjUcx648RjkjhU9jSMzIx
 EGvYtQJBAMm/i9NR7IVyyNIgZUpz5q4LI21rl1r4gUQuD8vA36zM81i4ROeuCly0
 KkfdxR4PUfnKcQCX11YnHjk9uTFj75ECQEFY/gBnxDjzqyF35hAzrYIiMPQVfznt
 YX/sDTE2AdVBVGaMj1Cb51bPHnNC6Q5kXKQnj/YrLqRQND09Q7ParX0CQQC5NxZr
 9jKqhHj8yQD6PlXTsY4Occ7DH6/IoDenfdEVD5qlet0zmd50HatN2Jiqm5ubN7CM
 INrtuLp4YHbgk1mi
 -----END PRIVATE KEY-----
--- a/servlet/java-configuration/saml2/login/src/main/resources/logback.xml
+++ b/servlet/java-configuration/saml2/login/src/main/resources/logback.xml
@ -0,0 +1,12 @@
 <configuration>
 	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
 	<encoder>
 		<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
 	</encoder>
 	</appender>
 	<root level="TRACE">
 		<appender-ref ref="STDOUT" />
 	</root>
 </configuration>
--- a/servlet/java-configuration/saml2/login/src/main/resources/templates/index.html
+++ b/servlet/java-configuration/saml2/login/src/main/resources/templates/index.html
@ -0,0 +1,60 @@
 <!--
  ~ Copyright 2002-2021 the original author or authors.
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~      https://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->
 <!doctype html>
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org" xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity5">
 <head>
    <title>Spring Security - SAML 2.0 Login & Logout</title>
    <meta charset="utf-8" />
    <style>
        span, dt {
            font-weight: bold;
        }
    </style>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
 </head>
 <body>
 <div class="container">
    <ul class="nav">
        <li class="nav-item">
            <form th:action="@{/logout}" method="post">
                <button class="btn btn-primary" id="rp_logout_button" type="submit">
                    RP-initiated Logout
                </button>
            </form>
        </li>
        <li class="nav-item">
            <a id="ap_logout_button" class="nav-link" href="https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SingleLogoutService.php?ReturnTo=http://localhost:8080/login?logout">
                AP-initiated Logout
            </a>
        </li>
    </ul>
    </div>
    <main role="main" class="container">
        <h1 class="mt-5">SAML 2.0 Login & Single Logout with Spring Security</h1>
        <p class="lead">You are successfully logged in as <span sec:authentication="name"></span></p>
        <p class="lead">You're email address is <span th:text="${emailAddress}"></span></p>
        <h2 class="mt-2">All Your Attributes</h2>
        <dl th:each="userAttribute : ${userAttributes}">
            <dt th:text="${userAttribute.key}"></dt>
            <dd th:text="${userAttribute.value}"></dd>
        </dl>
        <h6>Visit the <a href="https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-saml2" target="_blank">SAML 2.0 Login & Logout</a> documentation for more details.</h6>
    </main>
 </div>
 </body>
 </html>
--- a/settings.gradle
+++ b/settings.gradle
@ -39,6 +39,7 @@ include ":servlet:java-configuration:hello-mvc-security"
 include ":servlet:java-configuration:hello-security"
 include ":servlet:java-configuration:hello-security-explicit"
 include ":servlet:java-configuration:max-sessions"
 include ":servlet:java-configuration:saml2:login"
 include ":servlet:spring-boot:java:authentication:username-password:user-details-service:custom-user"
 include ":servlet:spring-boot:java:authentication:username-password:mfa"
 include ":servlet:spring-boot:java:hello"