parent
8cba9fbf9d
commit
194993ad1a
|
@ -29,6 +29,7 @@
|
|||
<suppress files="OAuth2IntrospectionClaimNames\.java" checks="InterfaceIsType"/>
|
||||
<suppress files="OAuth2TokenIntrospectionClaimNames\.java" checks="InterfaceIsType"/>
|
||||
<suppress files="Saml2ErrorCodes\.java" checks="InterfaceIsType"/>
|
||||
<suppress files="Saml2ParameterNames\.java" checks="InterfaceIsType"/>
|
||||
|
||||
<!-- Method Visibility that we can't reduce -->
|
||||
<suppress files="AbstractAclVoterTests\.java" checks="SpringMethodVisibility"/>
|
||||
|
|
|
@ -0,0 +1,62 @@
|
|||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.saml2.core;
|
||||
|
||||
/**
|
||||
* Standard parameter names defined in the SAML 2.0 Specification and used by the
|
||||
* Authentication Request, Assertion Consumer Response, Logout Request, and Logout
|
||||
* Response endpoints.
|
||||
*
|
||||
* @author Josh Cummings
|
||||
* @since 5.6
|
||||
* @see <a target="_blank" href=
|
||||
* "https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf">SAML 2.0
|
||||
* Bindings</a>
|
||||
*/
|
||||
public interface Saml2ParameterNames {
|
||||
|
||||
/**
|
||||
* {@code SAMLRequest} - used to request authentication or request logout
|
||||
*/
|
||||
String SAML_REQUEST = "SAMLRequest";
|
||||
|
||||
/**
|
||||
* {@code SAMLResponse} - used to respond to an authentication or logout request
|
||||
*/
|
||||
String SAML_RESPONSE = "SAMLResponse";
|
||||
|
||||
/**
|
||||
* {@code RelayState} - used to communicate shared state between the relying and
|
||||
* asserting party
|
||||
* @see <a target="_blank" href=
|
||||
* "https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf#page=8">3.1.1
|
||||
* Use of RelayState</a>
|
||||
*/
|
||||
String RELAY_STATE = "RelayState";
|
||||
|
||||
/**
|
||||
* {@code SigAlg} - used to communicate which signature algorithm to use to verify
|
||||
* signature
|
||||
*/
|
||||
String SIG_ALG = "SigAlg";
|
||||
|
||||
/**
|
||||
* {@code Signature} - used to supply cryptographic signature on any SAML 2.0 payload
|
||||
*/
|
||||
String SIGNATURE = "Signature";
|
||||
|
||||
}
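Review bot: The `SIG_ALG` and `SIGNATURE` Javadoc entries describe the parameters only from the sender's side, yet both are read back from inbound requests elsewhere in this commit (`getAlgorithm()` and `hasSignature()` in OpenSamlVerificationUtils), so the doc should make clear that on the receiving side `SigAlg` is peer-supplied and must be accepted only if it is one of the relying party's configured signing algorithms. They also lack the `@see` reference to the HTTP Redirect Binding that the `RELAY_STATE` entry carries; the relevant text is the DEFLATE Encoding section (3.4.4.1) of the same saml-bindings-2.0-os document. A one-line addition such as `* On inbound messages this value is chosen by the peer; verify it against the accepted signing algorithms before using it to select a verifier.` under the `SigAlg` description would cover the first point.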
|
|
@ -51,6 +51,7 @@ import org.opensaml.xmlsec.signature.support.SignatureSupport;
|
|||
import org.w3c.dom.Element;
|
||||
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.util.Assert;
|
||||
|
@ -165,7 +166,7 @@ final class OpenSamlSigningUtils {
|
|||
SignatureSigningParameters parameters = resolveSigningParameters(this.registration);
|
||||
Credential credential = parameters.getSigningCredential();
|
||||
String algorithmUri = parameters.getSignatureAlgorithm();
|
||||
this.components.put("SigAlg", algorithmUri);
|
||||
this.components.put(Saml2ParameterNames.SIG_ALG, algorithmUri);
|
||||
UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
|
||||
for (Map.Entry<String, String> component : this.components.entrySet()) {
|
||||
builder.queryParam(component.getKey(),
|
||||
|
@ -176,7 +177,7 @@ final class OpenSamlSigningUtils {
|
|||
byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri,
|
||||
queryString.getBytes(StandardCharsets.UTF_8));
|
||||
String b64Signature = Saml2Utils.samlEncode(rawSignature);
|
||||
this.components.put("Signature", b64Signature);
|
||||
this.components.put(Saml2ParameterNames.SIGNATURE, b64Signature);
|
||||
}
|
||||
catch (SecurityException ex) {
|
||||
throw new Saml2Exception(ex);
|
||||
|
|
|
@ -48,6 +48,7 @@ import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngin
|
|||
|
||||
import org.springframework.security.saml2.core.Saml2Error;
|
||||
import org.springframework.security.saml2.core.Saml2ErrorCodes;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
|
@ -176,34 +177,39 @@ final class OpenSamlVerificationUtils {
|
|||
}
|
||||
|
||||
String getAlgorithm() {
|
||||
return this.request.getParameter("SigAlg");
|
||||
return this.request.getParameter(Saml2ParameterNames.SIG_ALG);
|
||||
}
|
||||
|
||||
byte[] getContent() {
|
||||
if (this.request.getParameter("RelayState") != null) {
|
||||
return String.format("%s=%s&RelayState=%s&SigAlg=%s", this.objectParameterName,
|
||||
UriUtils.encode(this.request.getParameter(this.objectParameterName),
|
||||
StandardCharsets.ISO_8859_1),
|
||||
UriUtils.encode(this.request.getParameter("RelayState"), StandardCharsets.ISO_8859_1),
|
||||
UriUtils.encode(getAlgorithm(), StandardCharsets.ISO_8859_1))
|
||||
if (this.request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
|
||||
return String
|
||||
.format("%s=%s&%s=%s&%s=%s", this.objectParameterName,
|
||||
UriUtils.encode(this.request.getParameter(this.objectParameterName),
|
||||
StandardCharsets.ISO_8859_1),
|
||||
Saml2ParameterNames.RELAY_STATE,
|
||||
UriUtils.encode(this.request.getParameter(Saml2ParameterNames.RELAY_STATE),
|
||||
StandardCharsets.ISO_8859_1),
|
||||
Saml2ParameterNames.SIG_ALG,
|
||||
UriUtils.encode(getAlgorithm(), StandardCharsets.ISO_8859_1))
|
||||
.getBytes(StandardCharsets.UTF_8);
|
||||
}
|
||||
else {
|
||||
return String
|
||||
.format("%s=%s&SigAlg=%s", this.objectParameterName,
|
||||
.format("%s=%s&%s=%s", this.objectParameterName,
|
||||
UriUtils.encode(this.request.getParameter(this.objectParameterName),
|
||||
StandardCharsets.ISO_8859_1),
|
||||
Saml2ParameterNames.SIG_ALG,
|
||||
UriUtils.encode(getAlgorithm(), StandardCharsets.ISO_8859_1))
|
||||
.getBytes(StandardCharsets.UTF_8);
|
||||
}
|
||||
}
|
||||
|
||||
byte[] getSignature() {
|
||||
return Saml2Utils.samlDecode(this.request.getParameter("Signature"));
|
||||
return Saml2Utils.samlDecode(this.request.getParameter(Saml2ParameterNames.SIGNATURE));
|
||||
}
|
||||
|
||||
boolean hasSignature() {
|
||||
return this.request.getParameter("Signature") != null;
|
||||
return this.request.getParameter(Saml2ParameterNames.SIGNATURE) != null;
|
||||
}
|
||||
|
||||
}
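Review bot: `hasSignature()` checks only `Signature`, so a redirect message that carries `Signature` but no `SigAlg` is treated as signed and reaches `getContent()`, where `UriUtils.encode(getAlgorithm(), StandardCharsets.ISO_8859_1)` is invoked with a null algorithm. Depending on how `UriUtils.encode` treats a null source, that either throws or places the literal text `null` into the signed string, so the message fails with an opaque exception or signature mismatch instead of a clear validation result. I would fail early with a `Saml2Error` of `Saml2ErrorCodes.INVALID_SIGNATURE` when `Signature` is present and `SigAlg` is absent, at the point where `hasSignature()` is consulted, which lies outside this hunk. The same applies to both `RedirectSignature` constructors in the second OpenSamlVerificationUtils section, where `this.algorithm` is read from the request the same way and handed to `content(...)`.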
|
||||
|
|
|
@ -47,6 +47,7 @@ import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngin
|
|||
|
||||
import org.springframework.security.saml2.core.Saml2Error;
|
||||
import org.springframework.security.saml2.core.Saml2ErrorCodes;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.web.util.UriUtils;
|
||||
|
@ -179,44 +180,40 @@ final class OpenSamlVerificationUtils {
|
|||
private final byte[] content;
|
||||
|
||||
RedirectSignature(Saml2LogoutRequest request) {
|
||||
this.algorithm = request.getParameter("SigAlg");
|
||||
if (request.getParameter("Signature") != null) {
|
||||
this.signature = Saml2Utils.samlDecode(request.getParameter("Signature"));
|
||||
this.algorithm = request.getParameter(Saml2ParameterNames.SIG_ALG);
|
||||
if (request.getParameter(Saml2ParameterNames.SIGNATURE) != null) {
|
||||
this.signature = Saml2Utils.samlDecode(request.getParameter(Saml2ParameterNames.SIGNATURE));
|
||||
}
|
||||
else {
|
||||
this.signature = null;
|
||||
}
|
||||
this.content = content(request.getSamlRequest(), "SAMLRequest", request.getRelayState(),
|
||||
request.getParameter("SigAlg"));
|
||||
this.content = content(request.getSamlRequest(), Saml2ParameterNames.SAML_REQUEST,
|
||||
request.getRelayState(), request.getParameter(Saml2ParameterNames.SIG_ALG));
|
||||
}
|
||||
|
||||
RedirectSignature(Saml2LogoutResponse response) {
|
||||
this.algorithm = response.getParameter("SigAlg");
|
||||
if (response.getParameter("Signature") != null) {
|
||||
this.signature = Saml2Utils.samlDecode(response.getParameter("Signature"));
|
||||
this.algorithm = response.getParameter(Saml2ParameterNames.SIG_ALG);
|
||||
if (response.getParameter(Saml2ParameterNames.SIGNATURE) != null) {
|
||||
this.signature = Saml2Utils.samlDecode(response.getParameter(Saml2ParameterNames.SIGNATURE));
|
||||
}
|
||||
else {
|
||||
this.signature = null;
|
||||
}
|
||||
this.content = content(response.getSamlResponse(), "SAMLResponse", response.getRelayState(),
|
||||
response.getParameter("SigAlg"));
|
||||
this.content = content(response.getSamlResponse(), Saml2ParameterNames.SAML_RESPONSE,
|
||||
response.getRelayState(), response.getParameter(Saml2ParameterNames.SIG_ALG));
|
||||
}
|
||||
|
||||
static byte[] content(String samlObject, String objectParameterName, String relayState, String algorithm) {
|
||||
if (relayState != null) {
|
||||
return String
|
||||
.format("%s=%s&RelayState=%s&SigAlg=%s", objectParameterName,
|
||||
UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1),
|
||||
UriUtils.encode(relayState, StandardCharsets.ISO_8859_1),
|
||||
UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1))
|
||||
.getBytes(StandardCharsets.UTF_8);
|
||||
return String.format("%s=%s&%s=%s&%s=%s", objectParameterName,
|
||||
UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1), Saml2ParameterNames.RELAY_STATE,
|
||||
UriUtils.encode(relayState, StandardCharsets.ISO_8859_1), Saml2ParameterNames.SIG_ALG,
|
||||
UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1)).getBytes(StandardCharsets.UTF_8);
|
||||
}
|
||||
else {
|
||||
return String
|
||||
.format("%s=%s&SigAlg=%s", objectParameterName,
|
||||
UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1),
|
||||
UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1))
|
||||
.getBytes(StandardCharsets.UTF_8);
|
||||
return String.format("%s=%s&%s=%s", objectParameterName,
|
||||
UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1), Saml2ParameterNames.SIG_ALG,
|
||||
UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1)).getBytes(StandardCharsets.UTF_8);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -22,6 +22,7 @@ import java.util.HashMap;
|
|||
import java.util.Map;
|
||||
import java.util.function.Consumer;
|
||||
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
|
||||
|
@ -84,7 +85,7 @@ public final class Saml2LogoutRequest implements Serializable {
|
|||
* @return the signed and serialized <saml2:LogoutRequest> payload
|
||||
*/
|
||||
public String getSamlRequest() {
|
||||
return this.parameters.get("SAMLRequest");
|
||||
return this.parameters.get(Saml2ParameterNames.SAML_REQUEST);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -92,7 +93,7 @@ public final class Saml2LogoutRequest implements Serializable {
|
|||
* @return the relay state
|
||||
*/
|
||||
public String getRelayState() {
|
||||
return this.parameters.get("RelayState");
|
||||
return this.parameters.get(Saml2ParameterNames.RELAY_STATE);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -170,7 +171,7 @@ public final class Saml2LogoutRequest implements Serializable {
|
|||
* @see Saml2LogoutRequestResolver
|
||||
*/
|
||||
public Builder samlRequest(String samlRequest) {
|
||||
this.parameters.put("SAMLRequest", samlRequest);
|
||||
this.parameters.put(Saml2ParameterNames.SAML_REQUEST, samlRequest);
|
||||
return this;
|
||||
}
|
||||
|
||||
|
@ -207,7 +208,7 @@ public final class Saml2LogoutRequest implements Serializable {
|
|||
* @return the {@link Builder} for further configurations
|
||||
*/
|
||||
public Builder relayState(String relayState) {
|
||||
this.parameters.put("RelayState", relayState);
|
||||
this.parameters.put(Saml2ParameterNames.RELAY_STATE, relayState);
|
||||
return this;
|
||||
}
|
||||
|
||||
|
|
|
@ -21,6 +21,7 @@ import java.util.HashMap;
|
|||
import java.util.Map;
|
||||
import java.util.function.Consumer;
|
||||
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseResolver;
|
||||
|
@ -68,7 +69,7 @@ public final class Saml2LogoutResponse {
|
|||
* @return the signed and serialized <saml2:LogoutResponse> payload
|
||||
*/
|
||||
public String getSamlResponse() {
|
||||
return this.parameters.get("SAMLResponse");
|
||||
return this.parameters.get(Saml2ParameterNames.SAML_RESPONSE);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -76,7 +77,7 @@ public final class Saml2LogoutResponse {
|
|||
* @return the relay state
|
||||
*/
|
||||
public String getRelayState() {
|
||||
return this.parameters.get("RelayState");
|
||||
return this.parameters.get(Saml2ParameterNames.RELAY_STATE);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -140,7 +141,7 @@ public final class Saml2LogoutResponse {
|
|||
* @see Saml2LogoutResponseResolver
|
||||
*/
|
||||
public Builder samlResponse(String samlResponse) {
|
||||
this.parameters.put("SAMLResponse", samlResponse);
|
||||
this.parameters.put(Saml2ParameterNames.SAML_RESPONSE, samlResponse);
|
||||
return this;
|
||||
}
|
||||
|
||||
|
@ -177,7 +178,7 @@ public final class Saml2LogoutResponse {
|
|||
* @return the {@link Builder} for further configurations
|
||||
*/
|
||||
public Builder relayState(String relayState) {
|
||||
this.parameters.put("RelayState", relayState);
|
||||
this.parameters.put(Saml2ParameterNames.RELAY_STATE, relayState);
|
||||
return this;
|
||||
}
|
||||
|
||||
|
|
|
@ -23,6 +23,7 @@ import org.springframework.security.core.Authentication;
|
|||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.saml2.core.Saml2Error;
|
||||
import org.springframework.security.saml2.core.Saml2ErrorCodes;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
|
||||
|
@ -96,7 +97,7 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
|
|||
@Override
|
||||
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
|
||||
return (super.requiresAuthentication(request, response)
|
||||
&& StringUtils.hasText(request.getParameter("SAMLResponse")));
|
||||
&& StringUtils.hasText(request.getParameter(Saml2ParameterNames.SAML_RESPONSE)));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -27,6 +27,7 @@ import javax.servlet.http.HttpServletResponse;
|
|||
import org.opensaml.core.Version;
|
||||
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;
|
||||
|
@ -200,10 +201,10 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter
|
|||
this.authenticationRequestRepository.saveAuthenticationRequest(authenticationRequest, request, response);
|
||||
UriComponentsBuilder uriBuilder = UriComponentsBuilder
|
||||
.fromUriString(authenticationRequest.getAuthenticationRequestUri());
|
||||
addParameter("SAMLRequest", authenticationRequest.getSamlRequest(), uriBuilder);
|
||||
addParameter("RelayState", authenticationRequest.getRelayState(), uriBuilder);
|
||||
addParameter("SigAlg", authenticationRequest.getSigAlg(), uriBuilder);
|
||||
addParameter("Signature", authenticationRequest.getSignature(), uriBuilder);
|
||||
addParameter(Saml2ParameterNames.SAML_REQUEST, authenticationRequest.getSamlRequest(), uriBuilder);
|
||||
addParameter(Saml2ParameterNames.RELAY_STATE, authenticationRequest.getRelayState(), uriBuilder);
|
||||
addParameter(Saml2ParameterNames.SIG_ALG, authenticationRequest.getSigAlg(), uriBuilder);
|
||||
addParameter(Saml2ParameterNames.SIGNATURE, authenticationRequest.getSignature(), uriBuilder);
|
||||
String redirectUrl = uriBuilder.build(true).toUriString();
|
||||
response.sendRedirect(redirectUrl);
|
||||
}
|
||||
|
|
|
@ -22,6 +22,7 @@ import org.apache.commons.logging.Log;
|
|||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import org.springframework.core.convert.converter.Converter;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.util.Assert;
|
||||
|
@ -80,7 +81,7 @@ public final class DefaultSaml2AuthenticationRequestContextResolver
|
|||
return Saml2AuthenticationRequestContext.builder().issuer(relyingParty.getEntityId())
|
||||
.relyingPartyRegistration(relyingParty)
|
||||
.assertionConsumerServiceUrl(relyingParty.getAssertionConsumerServiceLocation())
|
||||
.relayState(request.getParameter("RelayState")).build();
|
||||
.relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE)).build();
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -31,6 +31,7 @@ import org.springframework.core.convert.converter.Converter;
|
|||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.saml2.core.Saml2Error;
|
||||
import org.springframework.security.saml2.core.Saml2ErrorCodes;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
|
||||
|
@ -89,7 +90,7 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
|
|||
if (relyingPartyRegistration == null) {
|
||||
return null;
|
||||
}
|
||||
String saml2Response = request.getParameter("SAMLResponse");
|
||||
String saml2Response = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
|
||||
if (saml2Response == null) {
|
||||
return null;
|
||||
}
|
||||
|
|
|
@ -23,6 +23,7 @@ import javax.servlet.http.HttpServletResponse;
|
|||
import javax.servlet.http.HttpSession;
|
||||
|
||||
import org.springframework.security.crypto.codec.Utf8;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
|
@ -90,7 +91,7 @@ public final class HttpSessionLogoutRequestRepository implements Saml2LogoutRequ
|
|||
}
|
||||
|
||||
private String getStateParameter(HttpServletRequest request) {
|
||||
return request.getParameter("RelayState");
|
||||
return request.getParameter(Saml2ParameterNames.RELAY_STATE);
|
||||
}
|
||||
|
||||
private boolean stateParameterEquals(HttpServletRequest request, Saml2LogoutRequest logoutRequest) {
|
||||
|
|
|
@ -40,6 +40,7 @@ import org.w3c.dom.Element;
|
|||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.OpenSamlInitializationService;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
|
@ -135,7 +136,8 @@ final class OpenSamlLogoutRequestResolver {
|
|||
String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
|
||||
result.samlRequest(deflatedAndEncoded);
|
||||
QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration)
|
||||
.param("SAMLRequest", deflatedAndEncoded).param("RelayState", relayState);
|
||||
.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded)
|
||||
.param(Saml2ParameterNames.RELAY_STATE, relayState);
|
||||
return result.parameters((params) -> params.putAll(partial.parameters())).build();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -48,6 +48,7 @@ import org.w3c.dom.Element;
|
|||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.OpenSamlInitializationService;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
|
@ -131,7 +132,7 @@ final class OpenSamlLogoutResponseResolver {
|
|||
if (registration == null) {
|
||||
return null;
|
||||
}
|
||||
String serialized = request.getParameter("SAMLRequest");
|
||||
String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
|
||||
byte[] b = Saml2Utils.samlDecode(serialized);
|
||||
LogoutRequest logoutRequest = parse(inflateIfRequired(registration, b));
|
||||
LogoutResponse logoutResponse = this.logoutResponseBuilder.buildObject();
|
||||
|
@ -154,8 +155,8 @@ final class OpenSamlLogoutResponseResolver {
|
|||
String xml = serialize(OpenSamlSigningUtils.sign(logoutResponse, registration));
|
||||
String samlResponse = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
|
||||
result.samlResponse(samlResponse);
|
||||
if (request.getParameter("RelayState") != null) {
|
||||
result.relayState(request.getParameter("RelayState"));
|
||||
if (request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
|
||||
result.relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE));
|
||||
}
|
||||
return result.build();
|
||||
}
|
||||
|
@ -163,10 +164,10 @@ final class OpenSamlLogoutResponseResolver {
|
|||
String xml = serialize(logoutResponse);
|
||||
String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
|
||||
result.samlResponse(deflatedAndEncoded);
|
||||
QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param("SAMLResponse",
|
||||
deflatedAndEncoded);
|
||||
if (request.getParameter("RelayState") != null) {
|
||||
partial.param("RelayState", request.getParameter("RelayState"));
|
||||
QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration)
|
||||
.param(Saml2ParameterNames.SAML_RESPONSE, deflatedAndEncoded);
|
||||
if (request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
|
||||
partial.param(Saml2ParameterNames.RELAY_STATE, request.getParameter(Saml2ParameterNames.RELAY_STATE));
|
||||
}
|
||||
return result.parameters((params) -> params.putAll(partial.parameters())).build();
|
||||
}
|
||||
|
|
|
@ -48,6 +48,7 @@ import org.opensaml.xmlsec.signature.support.SignatureSupport;
|
|||
import org.w3c.dom.Element;
|
||||
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.util.Assert;
|
||||
|
@ -145,7 +146,7 @@ final class OpenSamlSigningUtils {
|
|||
SignatureSigningParameters parameters = resolveSigningParameters(this.registration);
|
||||
Credential credential = parameters.getSigningCredential();
|
||||
String algorithmUri = parameters.getSignatureAlgorithm();
|
||||
this.components.put("SigAlg", algorithmUri);
|
||||
this.components.put(Saml2ParameterNames.SIG_ALG, algorithmUri);
|
||||
UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
|
||||
for (Map.Entry<String, String> component : this.components.entrySet()) {
|
||||
builder.queryParam(component.getKey(),
|
||||
|
@ -156,7 +157,7 @@ final class OpenSamlSigningUtils {
|
|||
byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri,
|
||||
queryString.getBytes(StandardCharsets.UTF_8));
|
||||
String b64Signature = Saml2Utils.samlEncode(rawSignature);
|
||||
this.components.put("Signature", b64Signature);
|
||||
this.components.put(Saml2ParameterNames.SIGNATURE, b64Signature);
|
||||
}
|
||||
catch (SecurityException ex) {
|
||||
throw new Saml2Exception(ex);
|
||||
|
|
|
@ -32,6 +32,7 @@ import org.springframework.core.log.LogMessage;
|
|||
import org.springframework.http.MediaType;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
|
||||
|
@ -106,7 +107,7 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
return;
|
||||
}
|
||||
|
||||
if (request.getParameter("SAMLRequest") == null) {
|
||||
if (request.getParameter(Saml2ParameterNames.SAML_REQUEST) == null) {
|
||||
chain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
|
@ -126,13 +127,16 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
return;
|
||||
}
|
||||
|
||||
String serialized = request.getParameter("SAMLRequest");
|
||||
String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
|
||||
Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration)
|
||||
.samlRequest(serialized).relayState(request.getParameter("RelayState"))
|
||||
.samlRequest(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE))
|
||||
.binding(registration.getSingleLogoutServiceBinding())
|
||||
.location(registration.getSingleLogoutServiceLocation())
|
||||
.parameters((params) -> params.put("SigAlg", request.getParameter("SigAlg")))
|
||||
.parameters((params) -> params.put("Signature", request.getParameter("Signature"))).build();
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG,
|
||||
request.getParameter(Saml2ParameterNames.SIG_ALG)))
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE,
|
||||
request.getParameter(Saml2ParameterNames.SIGNATURE)))
|
||||
.build();
|
||||
Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(logoutRequest,
|
||||
registration, authentication);
|
||||
Saml2LogoutValidatorResult result = this.logoutRequestValidator.validate(parameters);
|
||||
|
@ -184,10 +188,10 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
Saml2LogoutResponse logoutResponse) throws IOException {
|
||||
String location = logoutResponse.getResponseLocation();
|
||||
UriComponentsBuilder uriBuilder = UriComponentsBuilder.fromUriString(location);
|
||||
addParameter("SAMLResponse", logoutResponse::getParameter, uriBuilder);
|
||||
addParameter("RelayState", logoutResponse::getParameter, uriBuilder);
|
||||
addParameter("SigAlg", logoutResponse::getParameter, uriBuilder);
|
||||
addParameter("Signature", logoutResponse::getParameter, uriBuilder);
|
||||
addParameter(Saml2ParameterNames.SAML_RESPONSE, logoutResponse::getParameter, uriBuilder);
|
||||
addParameter(Saml2ParameterNames.RELAY_STATE, logoutResponse::getParameter, uriBuilder);
|
||||
addParameter(Saml2ParameterNames.SIG_ALG, logoutResponse::getParameter, uriBuilder);
|
||||
addParameter(Saml2ParameterNames.SIGNATURE, logoutResponse::getParameter, uriBuilder);
|
||||
this.redirectStrategy.sendRedirect(request, response, uriBuilder.build(true).toUriString());
|
||||
}
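Review bot: The two consecutive `.parameters(...)` calls at the end of the `Saml2LogoutRequest` builder chain each add a single entry and now wrap across two lines apiece; a single lambda that puts both `SigAlg` and `Signature` would read more clearly and avoid the wrapping, e.g. `.parameters((params) -> { params.put(Saml2ParameterNames.SIG_ALG, request.getParameter(Saml2ParameterNames.SIG_ALG)); params.put(Saml2ParameterNames.SIGNATURE, request.getParameter(Saml2ParameterNames.SIGNATURE)); })`. The same pattern appears in the Saml2LogoutResponseFilter section. Note also that when either parameter is absent, `request.getParameter(...)` returns null and a null value is stored under that key; if consumers of `Saml2LogoutRequest.getParameter` treat that the same as an absent key this is harmless, but a short comment saying so would help the next reader.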
|
||||
|
||||
|
|
|
@ -29,6 +29,7 @@ import org.apache.commons.logging.LogFactory;
|
|||
import org.springframework.core.log.LogMessage;
|
||||
import org.springframework.security.saml2.core.Saml2Error;
|
||||
import org.springframework.security.saml2.core.Saml2ErrorCodes;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidator;
|
||||
|
@ -98,7 +99,7 @@ public final class Saml2LogoutResponseFilter extends OncePerRequestFilter {
|
|||
return;
|
||||
}
|
||||
|
||||
if (request.getParameter("SAMLResponse") == null) {
|
||||
if (request.getParameter(Saml2ParameterNames.SAML_RESPONSE) == null) {
|
||||
chain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
|
@ -125,13 +126,16 @@ public final class Saml2LogoutResponseFilter extends OncePerRequestFilter {
|
|||
return;
|
||||
}
|
||||
|
||||
String serialized = request.getParameter("SAMLResponse");
|
||||
String serialized = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
|
||||
Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration)
|
||||
.samlResponse(serialized).relayState(request.getParameter("RelayState"))
|
||||
.samlResponse(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE))
|
||||
.binding(registration.getSingleLogoutServiceBinding())
|
||||
.location(registration.getSingleLogoutServiceResponseLocation())
|
||||
.parameters((params) -> params.put("SigAlg", request.getParameter("SigAlg")))
|
||||
.parameters((params) -> params.put("Signature", request.getParameter("Signature"))).build();
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG,
|
||||
request.getParameter(Saml2ParameterNames.SIG_ALG)))
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE,
|
||||
request.getParameter(Saml2ParameterNames.SIGNATURE)))
|
||||
.build();
|
||||
Saml2LogoutResponseValidatorParameters parameters = new Saml2LogoutResponseValidatorParameters(logoutResponse,
|
||||
logoutRequest, registration);
|
||||
Saml2LogoutValidatorResult result = this.logoutResponseValidator.validate(parameters);
|
||||
|
|
|
@ -28,6 +28,7 @@ import org.apache.commons.logging.LogFactory;
|
|||
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
import org.springframework.security.web.DefaultRedirectStrategy;
|
||||
|
@ -105,10 +106,10 @@ public final class Saml2RelyingPartyInitiatedLogoutSuccessHandler implements Log
|
|||
throws IOException {
|
||||
String location = logoutRequest.getLocation();
|
||||
UriComponentsBuilder uriBuilder = UriComponentsBuilder.fromUriString(location);
|
||||
addParameter("SAMLRequest", logoutRequest::getParameter, uriBuilder);
|
||||
addParameter("RelayState", logoutRequest::getParameter, uriBuilder);
|
||||
addParameter("SigAlg", logoutRequest::getParameter, uriBuilder);
|
||||
addParameter("Signature", logoutRequest::getParameter, uriBuilder);
|
||||
addParameter(Saml2ParameterNames.SAML_REQUEST, logoutRequest::getParameter, uriBuilder);
|
||||
addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest::getParameter, uriBuilder);
|
||||
addParameter(Saml2ParameterNames.SIG_ALG, logoutRequest::getParameter, uriBuilder);
|
||||
addParameter(Saml2ParameterNames.SIGNATURE, logoutRequest::getParameter, uriBuilder);
|
||||
this.redirectStrategy.sendRedirect(request, response, uriBuilder.build(true).toUriString());
|
||||
}
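Review bot: `uriBuilder.build(true)` on the last line of the second hunk declares every component already URL-encoded, so the redirect (and the Redirect-binding `Signature` the asserting party recomputes over `SAMLRequest`, `RelayState` and `SigAlg`) is only correct if `Saml2LogoutRequest.getParameter` hands back pre-encoded values; `addParameter` sits outside the hunk, so I cannot confirm it does not double-encode or skip encoding. With `build(true)`, a `RelayState` containing a raw `&` or `%` would make the builder reject the URI rather than escape it. Once confirmed, a one-line comment above the `sendRedirect` call would save the next reader the same check: `// build(true): parameter values are already URL-encoded by the logout request resolver — do not re-encode`.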
|
||||
|
||||
|
|
|
@ -33,6 +33,7 @@ import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
|
|||
|
||||
import org.springframework.core.convert.converter.Converter;
|
||||
import org.springframework.security.saml2.core.OpenSamlInitializationService;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.OpenSamlSigningUtils.QueryParametersPartial;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
|
@ -120,13 +121,14 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
|
|||
String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
|
||||
result.samlRequest(deflatedAndEncoded).relayState(context.getRelayState());
|
||||
if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
|
||||
QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param("SAMLRequest",
|
||||
deflatedAndEncoded);
|
||||
QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration)
|
||||
.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded);
|
||||
if (StringUtils.hasText(context.getRelayState())) {
|
||||
partial.param("RelayState", context.getRelayState());
|
||||
partial.param(Saml2ParameterNames.RELAY_STATE, context.getRelayState());
|
||||
}
|
||||
Map<String, String> parameters = partial.parameters();
|
||||
return result.sigAlg(parameters.get("SigAlg")).signature(parameters.get("Signature")).build();
|
||||
return result.sigAlg(parameters.get(Saml2ParameterNames.SIG_ALG))
|
||||
.signature(parameters.get(Saml2ParameterNames.SIGNATURE)).build();
|
||||
}
|
||||
return result.build();
|
||||
}
|
||||
|
|
|
@ -24,6 +24,7 @@ import org.opensaml.saml.saml2.core.LogoutRequest;
|
|||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
|
@ -55,7 +56,7 @@ public class OpenSaml3LogoutResponseResolverTests {
|
|||
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.relyingPartyRegistration().build();
|
||||
Authentication authentication = new TestingAuthenticationToken("user", "password");
|
||||
LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
|
||||
request.setParameter("SAMLRequest",
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST,
|
||||
Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes()));
|
||||
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
|
||||
Saml2LogoutResponse logoutResponse = logoutResponseResolver.resolve(request, authentication);
|
||||
|
|
|
@ -32,6 +32,7 @@ import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
|
|||
|
||||
import org.springframework.core.convert.converter.Converter;
|
||||
import org.springframework.security.saml2.core.OpenSamlInitializationService;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.OpenSamlSigningUtils.QueryParametersPartial;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
|
@ -117,13 +118,14 @@ public final class OpenSaml4AuthenticationRequestFactory implements Saml2Authent
|
|||
String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
|
||||
result.samlRequest(deflatedAndEncoded).relayState(context.getRelayState());
|
||||
if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
|
||||
QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration).param("SAMLRequest",
|
||||
deflatedAndEncoded);
|
||||
QueryParametersPartial partial = OpenSamlSigningUtils.sign(registration)
|
||||
.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded);
|
||||
if (StringUtils.hasText(context.getRelayState())) {
|
||||
partial.param("RelayState", context.getRelayState());
|
||||
partial.param(Saml2ParameterNames.RELAY_STATE, context.getRelayState());
|
||||
}
|
||||
Map<String, String> parameters = partial.parameters();
|
||||
return result.sigAlg(parameters.get("SigAlg")).signature(parameters.get("Signature")).build();
|
||||
return result.sigAlg(parameters.get(Saml2ParameterNames.SIG_ALG))
|
||||
.signature(parameters.get(Saml2ParameterNames.SIGNATURE)).build();
|
||||
}
|
||||
return result.build();
|
||||
}
|
||||
|
|
|
@ -24,6 +24,7 @@ import org.opensaml.saml.saml2.core.LogoutRequest;
|
|||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
|
@ -55,7 +56,7 @@ public class OpenSaml4LogoutResponseResolverTests {
|
|||
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.relyingPartyRegistration().build();
|
||||
Authentication authentication = new TestingAuthenticationToken("user", "password");
|
||||
LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
|
||||
request.setParameter("SAMLRequest",
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST,
|
||||
Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes()));
|
||||
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
|
||||
Saml2LogoutResponse logoutResponse = logoutResponseResolver.resolve(request, authentication);
|
||||
|
|
|
@ -27,6 +27,7 @@ import org.opensaml.saml.saml2.core.LogoutRequest;
|
|||
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.core.Saml2ErrorCodes;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.core.TestSaml2X509Credentials;
|
||||
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
|
||||
|
@ -156,7 +157,7 @@ public class OpenSamlLogoutRequestValidatorTests {
|
|||
private Saml2LogoutRequest redirect(LogoutRequest logoutRequest, RelyingPartyRegistration registration,
|
||||
QueryParametersPartial partial) {
|
||||
String serialized = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(serialize(logoutRequest)));
|
||||
Map<String, String> parameters = partial.param("SAMLRequest", serialized).parameters();
|
||||
Map<String, String> parameters = partial.param(Saml2ParameterNames.SAML_REQUEST, serialized).parameters();
|
||||
return Saml2LogoutRequest.withRelyingPartyRegistration(registration).samlRequest(serialized)
|
||||
.parameters((params) -> params.putAll(parameters)).build();
|
||||
}
|
||||
|
|
|
@ -25,6 +25,7 @@ import org.opensaml.saml.saml2.core.LogoutResponse;
|
|||
import org.opensaml.saml.saml2.core.StatusCode;
|
||||
|
||||
import org.springframework.security.saml2.core.Saml2ErrorCodes;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.core.TestSaml2X509Credentials;
|
||||
import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial;
|
||||
|
@ -141,7 +142,7 @@ public class OpenSamlLogoutResponseValidatorTests {
|
|||
private Saml2LogoutResponse redirect(LogoutResponse logoutResponse, RelyingPartyRegistration registration,
|
||||
QueryParametersPartial partial) {
|
||||
String serialized = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(serialize(logoutResponse)));
|
||||
Map<String, String> parameters = partial.param("SAMLResponse", serialized).parameters();
|
||||
Map<String, String> parameters = partial.param(Saml2ParameterNames.SAML_RESPONSE, serialized).parameters();
|
||||
return Saml2LogoutResponse.withRelyingPartyRegistration(registration).samlResponse(serialized)
|
||||
.parameters((params) -> params.putAll(parameters)).build();
|
||||
}
|
||||
|
|
|
@ -48,6 +48,7 @@ import org.opensaml.xmlsec.signature.support.SignatureSupport;
|
|||
import org.w3c.dom.Element;
|
||||
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.util.Assert;
|
||||
|
@ -145,7 +146,7 @@ final class OpenSamlSigningUtils {
|
|||
SignatureSigningParameters parameters = resolveSigningParameters(this.registration);
|
||||
Credential credential = parameters.getSigningCredential();
|
||||
String algorithmUri = parameters.getSignatureAlgorithm();
|
||||
this.components.put("SigAlg", algorithmUri);
|
||||
this.components.put(Saml2ParameterNames.SIG_ALG, algorithmUri);
|
||||
UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
|
||||
for (Map.Entry<String, String> component : this.components.entrySet()) {
|
||||
builder.queryParam(component.getKey(),
|
||||
|
@ -156,7 +157,7 @@ final class OpenSamlSigningUtils {
|
|||
byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri,
|
||||
queryString.getBytes(StandardCharsets.UTF_8));
|
||||
String b64Signature = Saml2Utils.samlEncode(rawSignature);
|
||||
this.components.put("Signature", b64Signature);
|
||||
this.components.put(Saml2ParameterNames.SIGNATURE, b64Signature);
|
||||
}
|
||||
catch (SecurityException ex) {
|
||||
throw new Saml2Exception(ex);
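Review bot: The signature input assembled from `this.components` after `this.components.put(Saml2ParameterNames.SIG_ALG, algorithmUri)` is only verifiable by the peer if the query string keeps the Redirect-binding order `SAMLRequest`/`SAMLResponse`, then `RelayState`, then `SigAlg`; that order is supplied by the callers' `.param(...)` sequence and by `SigAlg` being inserted last here, but it ultimately relies on `this.components` preserving insertion order, and its declared type is not in the hunk. Placing `Signature` into the map only after the bytes are signed (second hunk) is correct, since the signature must not cover itself. I would pin the assumption with a comment next to the `SIG_ALG` put: `// Redirect-binding signature covers SAMLRequest|SAMLResponse, RelayState, SigAlg in that order; relies on components preserving insertion order`. The `for` loop and `builder.queryParam(...)` that build the signed string continue outside the hunk.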
|
||||
|
|
|
@ -28,6 +28,7 @@ import org.springframework.mock.web.MockHttpServletResponse;
|
|||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
|
||||
import org.springframework.security.saml2.provider.service.authentication.TestSaml2AuthenticationTokens;
|
||||
|
@ -65,7 +66,7 @@ public class Saml2WebSsoAuthenticationFilterTests {
|
|||
public void setup() {
|
||||
this.filter = new Saml2WebSsoAuthenticationFilter(this.repository);
|
||||
this.request.setPathInfo("/login/saml2/sso/idp-registration-id");
|
||||
this.request.setParameter("SAMLResponse", "xml-data-goes-here");
|
||||
this.request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "xml-data-goes-here");
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -89,7 +90,7 @@ public class Saml2WebSsoAuthenticationFilterTests {
|
|||
public void requiresAuthenticationWhenCustomProcessingUrlThenReturnsTrue() {
|
||||
this.filter = new Saml2WebSsoAuthenticationFilter(this.repository, "/some/other/path/{registrationId}");
|
||||
this.request.setPathInfo("/some/other/path/idp-registration-id");
|
||||
this.request.setParameter("SAMLResponse", "xml-data-goes-here");
|
||||
this.request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "xml-data-goes-here");
|
||||
Assertions.assertTrue(this.filter.requiresAuthentication(this.request, this.response));
|
||||
}
|
||||
|
||||
|
@ -98,7 +99,7 @@ public class Saml2WebSsoAuthenticationFilterTests {
|
|||
given(this.repository.findByRegistrationId("non-existent-id")).willReturn(null);
|
||||
this.filter = new Saml2WebSsoAuthenticationFilter(this.repository, "/some/other/path/{registrationId}");
|
||||
this.request.setPathInfo("/some/other/path/non-existent-id");
|
||||
this.request.setParameter("SAMLResponse", "response");
|
||||
this.request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
|
||||
assertThatExceptionOfType(Saml2AuthenticationException.class)
|
||||
.isThrownBy(() -> this.filter.attemptAuthentication(this.request, this.response))
|
||||
.withMessage("No relying party registration found");
|
||||
|
@ -161,7 +162,7 @@ public class Saml2WebSsoAuthenticationFilterTests {
|
|||
this.filter = new Saml2WebSsoAuthenticationFilter(authenticationConverter, loginProcessingUrl);
|
||||
this.filter.setAuthenticationManager(this.authenticationManager);
|
||||
this.request.setPathInfo("/registration-id/login/saml2/sso");
|
||||
this.request.setParameter("SAMLResponse", "response");
|
||||
this.request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
|
||||
this.filter.doFilter(this.request, this.response, new MockFilterChain());
|
||||
verify(this.repository).findByRegistrationId("registration-id");
|
||||
}
|
||||
|
|
|
@ -20,6 +20,7 @@ import org.junit.jupiter.api.BeforeEach;
|
|||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.credentials.TestSaml2X509Credentials;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
|
@ -69,7 +70,7 @@ public class DefaultSaml2AuthenticationRequestContextResolverTests {
|
|||
|
||||
@Test
|
||||
public void resolveWhenRequestAndRelyingPartyNotNullThenCreateSaml2AuthenticationRequestContext() {
|
||||
this.request.addParameter("RelayState", "relay-state");
|
||||
this.request.addParameter(Saml2ParameterNames.RELAY_STATE, "relay-state");
|
||||
Saml2AuthenticationRequestContext context = this.authenticationRequestContextResolver.resolve(this.request);
|
||||
assertThat(context).isNotNull();
|
||||
assertThat(context.getAssertionConsumerServiceUrl()).isEqualTo(RELYING_PARTY_SSO_URL);
|
||||
|
|
|
@ -30,6 +30,7 @@ import org.springframework.core.convert.converter.Converter;
|
|||
import org.springframework.core.io.ClassPathResource;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.saml2.core.Saml2ErrorCodes;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.core.Saml2Utils;
|
||||
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
|
||||
|
@ -63,7 +64,8 @@ public class Saml2AuthenticationTokenConverterTests {
|
|||
given(this.relyingPartyRegistrationResolver.convert(any(HttpServletRequest.class)))
|
||||
.willReturn(this.relyingPartyRegistration);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setParameter("SAMLResponse", Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
|
||||
request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
|
||||
Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
|
||||
Saml2AuthenticationToken token = converter.convert(request);
|
||||
assertThat(token.getSaml2Response()).isEqualTo("response");
|
||||
assertThat(token.getRelyingPartyRegistration().getRegistrationId())
|
||||
|
@ -77,7 +79,7 @@ public class Saml2AuthenticationTokenConverterTests {
|
|||
given(this.relyingPartyRegistrationResolver.convert(any(HttpServletRequest.class)))
|
||||
.willReturn(this.relyingPartyRegistration);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setParameter("SAMLResponse", "invalid");
|
||||
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "invalid");
|
||||
assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> converter.convert(request))
|
||||
.withCauseInstanceOf(IllegalArgumentException.class)
|
||||
.satisfies((ex) -> assertThat(ex.getSaml2Error().getErrorCode())
|
||||
|
@ -115,7 +117,7 @@ public class Saml2AuthenticationTokenConverterTests {
|
|||
request.setMethod("GET");
|
||||
byte[] deflated = Saml2Utils.samlDeflate("response");
|
||||
String encoded = Saml2Utils.samlEncode(deflated);
|
||||
request.setParameter("SAMLResponse", encoded);
|
||||
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, encoded);
|
||||
Saml2AuthenticationToken token = converter.convert(request);
|
||||
assertThat(token.getSaml2Response()).isEqualTo("response");
|
||||
assertThat(token.getRelyingPartyRegistration().getRegistrationId())
|
||||
|
@ -132,7 +134,7 @@ public class Saml2AuthenticationTokenConverterTests {
|
|||
request.setMethod("GET");
|
||||
byte[] invalidDeflated = "invalid".getBytes();
|
||||
String encoded = Saml2Utils.samlEncode(invalidDeflated);
|
||||
request.setParameter("SAMLResponse", encoded);
|
||||
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, encoded);
|
||||
assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> converter.convert(request))
|
||||
.withCauseInstanceOf(IOException.class)
|
||||
.satisfies((ex) -> assertThat(ex.getSaml2Error().getErrorCode())
|
||||
|
@ -148,7 +150,7 @@ public class Saml2AuthenticationTokenConverterTests {
|
|||
given(this.relyingPartyRegistrationResolver.convert(any(HttpServletRequest.class)))
|
||||
.willReturn(this.relyingPartyRegistration);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setParameter("SAMLResponse", getSsoCircleEncodedXml());
|
||||
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, getSsoCircleEncodedXml());
|
||||
Saml2AuthenticationToken token = converter.convert(request);
|
||||
validateSsoCircleXml(token.getSaml2Response());
|
||||
}
|
||||
|
@ -166,7 +168,8 @@ public class Saml2AuthenticationTokenConverterTests {
|
|||
given(authenticationRequestRepository.loadAuthenticationRequest(any(HttpServletRequest.class)))
|
||||
.willReturn(authenticationRequest);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setParameter("SAMLResponse", Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
|
||||
request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
|
||||
Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
|
||||
Saml2AuthenticationToken token = converter.convert(request);
|
||||
assertThat(token.getSaml2Response()).isEqualTo("response");
|
||||
assertThat(token.getRelyingPartyRegistration().getRegistrationId())
|
||||
|
|
|
@ -24,6 +24,7 @@ import org.junit.jupiter.api.Test;
|
|||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.mock.web.MockHttpSession;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations;
|
||||
|
@ -46,7 +47,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
@Test
|
||||
public void loadLogoutRequestWhenNotSavedThenReturnNull() {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.addParameter("RelayState", "state-1234");
|
||||
request.addParameter(Saml2ParameterNames.RELAY_STATE, "state-1234");
|
||||
Saml2LogoutRequest logoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
|
||||
assertThat(logoutRequest).isNull();
|
||||
}
|
||||
|
@ -57,7 +58,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
|
||||
this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, response);
|
||||
request.addParameter("RelayState", logoutRequest.getRelayState());
|
||||
request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
|
||||
Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
|
||||
assertThat(loadedLogoutRequest).isEqualTo(logoutRequest);
|
||||
}
|
||||
|
@ -70,9 +71,9 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
this.logoutRequestRepository.saveLogoutRequest(one, request, response);
|
||||
Saml2LogoutRequest two = createLogoutRequest().relayState("state-3344").build();
|
||||
this.logoutRequestRepository.saveLogoutRequest(two, request, response);
|
||||
request.setParameter("RelayState", one.getRelayState());
|
||||
request.setParameter(Saml2ParameterNames.RELAY_STATE, one.getRelayState());
|
||||
assertThat(this.logoutRequestRepository.loadLogoutRequest(request)).isNull();
|
||||
request.setParameter("RelayState", two.getRelayState());
|
||||
request.setParameter(Saml2ParameterNames.RELAY_STATE, two.getRelayState());
|
||||
assertThat(this.logoutRequestRepository.loadLogoutRequest(request)).isEqualTo(two);
|
||||
}
|
||||
|
||||
|
@ -110,7 +111,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
|
||||
this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, new MockHttpServletResponse());
|
||||
request.addParameter("RelayState", logoutRequest.getRelayState());
|
||||
request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
|
||||
Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
|
||||
assertThat(loadedLogoutRequest).isEqualTo(logoutRequest);
|
||||
}
|
||||
|
@ -121,7 +122,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
request.setSession(new MockDistributedHttpSession());
|
||||
Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
|
||||
this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, new MockHttpServletResponse());
|
||||
request.addParameter("RelayState", logoutRequest.getRelayState());
|
||||
request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
|
||||
Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
|
||||
assertThat(loadedLogoutRequest).isEqualTo(logoutRequest);
|
||||
}
|
||||
|
@ -134,7 +135,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
this.logoutRequestRepository.saveLogoutRequest(logoutRequest1, request, new MockHttpServletResponse());
|
||||
Saml2LogoutRequest logoutRequest2 = createLogoutRequest().build();
|
||||
this.logoutRequestRepository.saveLogoutRequest(logoutRequest2, request, new MockHttpServletResponse());
|
||||
request.addParameter("RelayState", logoutRequest2.getRelayState());
|
||||
request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest2.getRelayState());
|
||||
Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
|
||||
assertThat(loadedLogoutRequest).isEqualTo(logoutRequest2);
|
||||
}
|
||||
|
@ -145,7 +146,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
|
||||
this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, response);
|
||||
request.addParameter("RelayState", logoutRequest.getRelayState());
|
||||
request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
|
||||
this.logoutRequestRepository.saveLogoutRequest(null, request, response);
|
||||
Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
|
||||
assertThat(loadedLogoutRequest).isNull();
|
||||
|
@ -169,7 +170,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
|
||||
this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, response);
|
||||
request.addParameter("RelayState", logoutRequest.getRelayState());
|
||||
request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
|
||||
Saml2LogoutRequest removedLogoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
|
||||
Saml2LogoutRequest loadedLogoutRequest = this.logoutRequestRepository.loadLogoutRequest(request);
|
||||
assertThat(removedLogoutRequest).isNotNull();
|
||||
|
@ -183,7 +184,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
Saml2LogoutRequest logoutRequest = createLogoutRequest().build();
|
||||
this.logoutRequestRepository.saveLogoutRequest(logoutRequest, request, response);
|
||||
request.addParameter("RelayState", logoutRequest.getRelayState());
|
||||
request.addParameter(Saml2ParameterNames.RELAY_STATE, logoutRequest.getRelayState());
|
||||
Saml2LogoutRequest removedLogoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
|
||||
String sessionAttributeName = HttpSessionLogoutRequestRepository.class.getName() + ".AUTHORIZATION_REQUEST";
|
||||
assertThat(removedLogoutRequest).isNotNull();
|
||||
|
@ -193,7 +194,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
@Test
|
||||
public void removeLogoutRequestWhenNotSavedThenNotRemoved() {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.addParameter("RelayState", "state-1234");
|
||||
request.addParameter(Saml2ParameterNames.RELAY_STATE, "state-1234");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
Saml2LogoutRequest removedLogoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
|
||||
assertThat(removedLogoutRequest).isNull();
|
||||
|
@ -202,7 +203,7 @@ public class HttpSessionLogoutRequestRepositoryTests {
|
|||
private Saml2LogoutRequest.Builder createLogoutRequest() {
|
||||
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full().build();
|
||||
return Saml2LogoutRequest.withRelyingPartyRegistration(registration).samlRequest("request").id("id")
|
||||
.parameters((params) -> params.put("RelayState", "state-1234"));
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.RELAY_STATE, "state-1234"));
|
||||
}
|
||||
|
||||
static class MockDistributedHttpSession extends MockHttpSession {
|
||||
|
|
|
@ -31,6 +31,7 @@ import org.w3c.dom.Element;
|
|||
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
|
@ -63,9 +64,9 @@ public class OpenSamlLogoutRequestResolverTests {
|
|||
HttpServletRequest request = new MockHttpServletRequest();
|
||||
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
|
||||
Saml2LogoutRequest saml2LogoutRequest = this.logoutRequestResolver.resolve(request, authentication);
|
||||
assertThat(saml2LogoutRequest.getParameter("SigAlg")).isNotNull();
|
||||
assertThat(saml2LogoutRequest.getParameter("Signature")).isNotNull();
|
||||
assertThat(saml2LogoutRequest.getParameter("RelayState")).isNotNull();
|
||||
assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.SIG_ALG)).isNotNull();
|
||||
assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.SIGNATURE)).isNotNull();
|
||||
assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.RELAY_STATE)).isNotNull();
|
||||
Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
|
||||
LogoutRequest logoutRequest = getLogoutRequest(saml2LogoutRequest.getSamlRequest(), binding);
|
||||
assertThat(logoutRequest.getNameID().getValue()).isEqualTo(authentication.getName());
|
||||
|
@ -79,9 +80,9 @@ public class OpenSamlLogoutRequestResolverTests {
|
|||
HttpServletRequest request = new MockHttpServletRequest();
|
||||
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
|
||||
Saml2LogoutRequest saml2LogoutRequest = this.logoutRequestResolver.resolve(request, authentication);
|
||||
assertThat(saml2LogoutRequest.getParameter("SigAlg")).isNull();
|
||||
assertThat(saml2LogoutRequest.getParameter("Signature")).isNull();
|
||||
assertThat(saml2LogoutRequest.getParameter("RelayState")).isNotNull();
|
||||
assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.SIG_ALG)).isNull();
|
||||
assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.SIGNATURE)).isNull();
|
||||
assertThat(saml2LogoutRequest.getParameter(Saml2ParameterNames.RELAY_STATE)).isNotNull();
|
||||
Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
|
||||
LogoutRequest logoutRequest = getLogoutRequest(saml2LogoutRequest.getSamlRequest(), binding);
|
||||
assertThat(logoutRequest.getNameID().getValue()).isEqualTo(authentication.getName());
|
||||
|
|
|
@ -32,6 +32,7 @@ import org.w3c.dom.Element;
|
|||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
|
||||
import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
|
||||
|
@ -63,15 +64,15 @@ public class OpenSamlLogoutResponseResolverTests {
|
|||
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full().build();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
|
||||
request.setParameter("SAMLRequest",
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST,
|
||||
Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes()));
|
||||
request.setParameter("RelayState", "abcd");
|
||||
request.setParameter(Saml2ParameterNames.RELAY_STATE, "abcd");
|
||||
Authentication authentication = authentication(registration);
|
||||
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
|
||||
Saml2LogoutResponse saml2LogoutResponse = this.logoutResponseResolver.resolve(request, authentication);
|
||||
assertThat(saml2LogoutResponse.getParameter("SigAlg")).isNotNull();
|
||||
assertThat(saml2LogoutResponse.getParameter("Signature")).isNotNull();
|
||||
assertThat(saml2LogoutResponse.getParameter("RelayState")).isSameAs("abcd");
|
||||
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIG_ALG)).isNotNull();
|
||||
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIGNATURE)).isNotNull();
|
||||
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.RELAY_STATE)).isSameAs("abcd");
|
||||
Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
|
||||
LogoutResponse logoutResponse = getLogoutResponse(saml2LogoutResponse.getSamlResponse(), binding);
|
||||
assertThat(logoutResponse.getStatus().getStatusCode().getValue()).isEqualTo(StatusCode.SUCCESS);
|
||||
|
@ -83,15 +84,15 @@ public class OpenSamlLogoutResponseResolverTests {
|
|||
.assertingPartyDetails((party) -> party.singleLogoutServiceBinding(Saml2MessageBinding.POST)).build();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
|
||||
request.setParameter("SAMLRequest",
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST,
|
||||
Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes()));
|
||||
request.setParameter("RelayState", "abcd");
|
||||
request.setParameter(Saml2ParameterNames.RELAY_STATE, "abcd");
|
||||
Authentication authentication = authentication(registration);
|
||||
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
|
||||
Saml2LogoutResponse saml2LogoutResponse = this.logoutResponseResolver.resolve(request, authentication);
|
||||
assertThat(saml2LogoutResponse.getParameter("SigAlg")).isNull();
|
||||
assertThat(saml2LogoutResponse.getParameter("Signature")).isNull();
|
||||
assertThat(saml2LogoutResponse.getParameter("RelayState")).isSameAs("abcd");
|
||||
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIG_ALG)).isNull();
|
||||
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIGNATURE)).isNull();
|
||||
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.RELAY_STATE)).isSameAs("abcd");
|
||||
Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
|
||||
LogoutResponse logoutResponse = getLogoutResponse(saml2LogoutResponse.getSamlResponse(), binding);
|
||||
assertThat(logoutResponse.getStatus().getStatusCode().getValue()).isEqualTo(StatusCode.SUCCESS);
|
||||
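Review bot: `assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.RELAY_STATE)).isSameAs("abcd")` on the new side asserts object identity on a String, which passes only because the compile-time constant is interned and the resolver happens to hand back the same reference; it should be `isEqualTo("abcd")` so the test checks the value rather than an implementation accident, here and in the second hunk of this file. Separately, the unchanged `OpenSamlSigningUtils.serialize(logoutRequest).getBytes()` that feeds the rewritten `setParameter(Saml2ParameterNames.SAML_REQUEST, ...)` call uses the platform default charset, so the encoded SAMLRequest depends on the JVM's default encoding; `getBytes(StandardCharsets.UTF_8)` would make it deterministic. The test methods enclosing both hunks start outside the visible lines.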
|
|
|
@ -26,6 +26,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
|
|||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.saml2.core.Saml2Error;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult;
|
||||
|
@ -71,7 +72,7 @@ public class Saml2LogoutRequestFilterTests {
|
|||
SecurityContextHolder.getContext().setAuthentication(authentication);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout/saml2/slo");
|
||||
request.setServletPath("/logout/saml2/slo");
|
||||
request.setParameter("SAMLRequest", "request");
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
|
||||
given(this.logoutRequestValidator.validate(any())).willReturn(Saml2LogoutValidatorResult.success());
|
||||
|
@ -83,7 +84,7 @@ public class Saml2LogoutRequestFilterTests {
|
|||
verify(this.logoutHandler).logout(any(), any(), any());
|
||||
verify(this.logoutResponseResolver).resolve(any(), any());
|
||||
String content = response.getHeader("Location");
|
||||
assertThat(content).contains("SAMLResponse");
|
||||
assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE);
|
||||
assertThat(content)
|
||||
.startsWith(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
|
||||
}
|
||||
|
@ -96,7 +97,7 @@ public class Saml2LogoutRequestFilterTests {
|
|||
SecurityContextHolder.getContext().setAuthentication(authentication);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout/saml2/slo");
|
||||
request.setServletPath("/logout/saml2/slo");
|
||||
request.setParameter("SAMLRequest", "request");
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
|
||||
given(this.logoutRequestValidator.validate(any())).willReturn(Saml2LogoutValidatorResult.success());
|
||||
|
@ -108,7 +109,7 @@ public class Saml2LogoutRequestFilterTests {
|
|||
verify(this.logoutHandler).logout(any(), any(), any());
|
||||
verify(this.logoutResponseResolver).resolve(any(), any());
|
||||
String content = response.getContentAsString();
|
||||
assertThat(content).contains("SAMLResponse");
|
||||
assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE);
|
||||
assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
|
||||
}
|
||||
|
||||
|
@ -118,7 +119,7 @@ public class Saml2LogoutRequestFilterTests {
|
|||
SecurityContextHolder.getContext().setAuthentication(authentication);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout");
|
||||
request.setServletPath("/logout");
|
||||
request.setParameter("SAMLResponse", "response");
|
||||
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
this.logoutRequestProcessingFilter.doFilterInternal(request, response, new MockFilterChain());
|
||||
verifyNoInteractions(this.logoutRequestValidator, this.logoutHandler);
|
||||
|
@ -142,7 +143,7 @@ public class Saml2LogoutRequestFilterTests {
|
|||
SecurityContextHolder.getContext().setAuthentication(authentication);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout/saml2/slo");
|
||||
request.setServletPath("/logout/saml2/slo");
|
||||
request.setParameter("SAMLRequest", "request");
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
given(this.relyingPartyRegistrationResolver.resolve(request, null)).willReturn(registration);
|
||||
given(this.logoutRequestValidator.validate(any()))
|
||||
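Review bot: Replacing the literal with the constant in `assertThat(content).contains(Saml2ParameterNames.SAML_RESPONSE)` (both the Location-header hunk and the body hunk) means these tests no longer pin the wire-level parameter name: if the constant's value were ever mistyped or changed, production code and test would still agree and the resulting SAML interoperability break would go unnoticed. Since the emitted parameter name is what the asserting party parses, keep at least one assertion against the specification literal, e.g. `assertThat(content).contains("SAMLResponse");`, or add a dedicated test that pins each Saml2ParameterNames constant to its spec string. The same consideration applies to the OpenSamlLogoutResponseResolverTests, Saml2LogoutResponseFilterTests and Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests sections of this commit. The enclosing test methods begin before each hunk.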
|
|
|
@ -27,6 +27,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
|
|||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.saml2.core.Saml2Error;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidator;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult;
|
||||
|
@ -74,7 +75,7 @@ public class Saml2LogoutResponseFilterTests {
|
|||
SecurityContextHolder.getContext().setAuthentication(authentication);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout/saml2/slo");
|
||||
request.setServletPath("/logout/saml2/slo");
|
||||
request.setParameter("SAMLResponse", "response");
|
||||
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full().build();
|
||||
given(this.relyingPartyRegistrationResolver.resolve(request, "registration-id")).willReturn(registration);
|
||||
|
@ -93,7 +94,7 @@ public class Saml2LogoutResponseFilterTests {
|
|||
SecurityContextHolder.getContext().setAuthentication(authentication);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/logout/saml2/slo");
|
||||
request.setServletPath("/logout/saml2/slo");
|
||||
request.setParameter("SAMLResponse", "response");
|
||||
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full()
|
||||
.singleLogoutServiceBinding(Saml2MessageBinding.REDIRECT).build();
|
||||
|
@ -113,7 +114,7 @@ public class Saml2LogoutResponseFilterTests {
|
|||
SecurityContextHolder.getContext().setAuthentication(authentication);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout");
|
||||
request.setServletPath("/logout");
|
||||
request.setParameter("SAMLRequest", "request");
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
this.logoutResponseProcessingFilter.doFilterInternal(request, response, new MockFilterChain());
|
||||
verifyNoInteractions(this.logoutResponseValidator, this.logoutSuccessHandler);
|
||||
|
@ -136,7 +137,7 @@ public class Saml2LogoutResponseFilterTests {
|
|||
SecurityContextHolder.getContext().setAuthentication(authentication);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout/saml2/slo");
|
||||
request.setServletPath("/logout/saml2/slo");
|
||||
request.setParameter("SAMLResponse", "response");
|
||||
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, "response");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full().build();
|
||||
given(this.relyingPartyRegistrationResolver.resolve(request, "registration-id")).willReturn(registration);
|
||||
|
|
|
@ -27,6 +27,7 @@ import org.springframework.mock.web.MockHttpServletRequest;
|
|||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
|
@ -76,7 +77,7 @@ public class Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests {
|
|||
given(this.logoutRequestResolver.resolve(any(), any())).willReturn(logoutRequest);
|
||||
this.logoutRequestSuccessHandler.onLogoutSuccess(request, response, authentication);
|
||||
String content = response.getHeader("Location");
|
||||
assertThat(content).contains("SAMLRequest");
|
||||
assertThat(content).contains(Saml2ParameterNames.SAML_REQUEST);
|
||||
assertThat(content).startsWith(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
|
||||
}
|
||||
|
||||
|
@ -94,7 +95,7 @@ public class Saml2RelyingPartyInitiatedLogoutSuccessHandlerTests {
|
|||
given(this.logoutRequestResolver.resolve(any(), any())).willReturn(logoutRequest);
|
||||
this.logoutRequestSuccessHandler.onLogoutSuccess(request, response, authentication);
|
||||
String content = response.getContentAsString();
|
||||
assertThat(content).contains("SAMLRequest");
|
||||
assertThat(content).contains(Saml2ParameterNames.SAML_REQUEST);
|
||||
assertThat(content).contains(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
|
||||
}
|
||||
|
||||
|
|