Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-29 07:12:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add saml2.ValidIssuers parameter

Browse Source 
Adds the saml2.ValidIssuers parameter into SAML 2.0 Assertion Validators

Closes gh-10335
This commit is contained in:
Marcus Da Coregio 2021-09-30 09:29:57 -03:00 committed by Josh Cummings
parent c82722c412
commit 00084cf986
2 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
View File

@ -672,11 +672,14 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
private static ValidationContext createValidationContext(AssertionToken assertionToken, private static ValidationContext createValidationContext(AssertionToken assertionToken,
Consumer<Map<String, Object>> paramsConsumer) { Consumer<Map<String, Object>> paramsConsumer) {
String audience = assertionToken.token.getRelyingPartyRegistration().getEntityId(); RelyingPartyRegistration relyingPartyRegistration = assertionToken.token.getRelyingPartyRegistration();
String recipient = assertionToken.token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation(); String audience = relyingPartyRegistration.getEntityId();
String recipient = relyingPartyRegistration.getAssertionConsumerServiceLocation();
String assertingPartyEntityId = relyingPartyRegistration.getAssertingPartyDetails().getEntityId();
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Collections.singleton(audience)); params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Collections.singleton(audience));
params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Collections.singleton(recipient)); params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Collections.singleton(recipient));
params.put(SAML2AssertionValidationParameters.VALID_ISSUERS, Collections.singleton(assertingPartyEntityId));
paramsConsumer.accept(params); paramsConsumer.accept(params);
return new ValidationContext(params); return new ValidationContext(params);
} }
@ -754,6 +757,11 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
protected ValidationResult validateStatements(Assertion assertion, ValidationContext context) { protected ValidationResult validateStatements(Assertion assertion, ValidationContext context) {
return ValidationResult.VALID; return ValidationResult.VALID;
} }
@Override
protected ValidationResult validateIssuer(Assertion assertion, ValidationContext context) {
return ValidationResult.VALID;
}
}; };
} }

14
saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
View File

@ -628,6 +628,20 @@ public class OpenSaml4AuthenticationProviderTests {
verify(validator).convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class)); verify(validator).convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class));
} }
@Test
public void authenticateWhenAssertionIssuerNotValidThenFailsWithInvalidIssuer() {
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
Response response = response();
Assertion assertion = assertion();
assertion.setIssuer(TestOpenSamlObjects.issuer("https://invalid.idp.test/saml2/idp"));
response.getAssertions().add(assertion);
TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
ASSERTING_PARTY_ENTITY_ID);
Saml2AuthenticationToken token = token(response, verifying(registration()));
assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token))
.withMessageContaining("did not match any valid issuers");
}
private <T extends XMLObject> T build(QName qName) { private <T extends XMLObject> T build(QName qName) {
return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName); return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName);
} }