diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java index d617fdafc1..a923760be1 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java @@ -118,27 +118,15 @@ public final class OpenSamlInitializationService { private static boolean initialize(Consumer registryConsumer) { if (initialized.compareAndSet(false, true)) { log.trace("Initializing OpenSAML"); - try { InitializationService.initialize(); } catch (Exception ex) { throw new Saml2Exception(ex); } - BasicParserPool parserPool = new BasicParserPool(); parserPool.setMaxPoolSize(50); - - Map parserBuilderFeatures = new HashMap<>(); - parserBuilderFeatures.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE); - parserBuilderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); - parserBuilderFeatures.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE); - parserBuilderFeatures.put("http://apache.org/xml/features/validation/schema/normalized-value", - Boolean.FALSE); - parserBuilderFeatures.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE); - parserBuilderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE); - parserPool.setBuilderFeatures(parserBuilderFeatures); - + parserPool.setBuilderFeatures(getParserBuilderFeatures()); try { parserPool.initialize(); } 
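Review bot: A failure in `InitializationService.initialize()` (and likewise in the `parserPool.initialize()` try block that this hunk opens) leaves `initialized` set, so every later call takes the "Refused to re-initialize OpenSAML" path and returns false even though no parser pool was ever registered. The catch blocks should release the flag before rethrowing, e.g. `initialized.set(false); throw new Saml2Exception(ex);` (assuming `initialized` is an AtomicBoolean; it is declared outside the hunk). That keeps the one-time guard for the success case while letting the next caller retry instead of running with an uninitialised registry. `initialize` continues into the next hunk.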
@@ -146,16 +134,23 @@ public final class OpenSamlInitializationService { throw new Saml2Exception(ex); } XMLObjectProviderRegistrySupport.setParserPool(parserPool); - registryConsumer.accept(ConfigurationService.get(XMLObjectProviderRegistry.class)); - log.debug("Initialized OpenSAML"); return true; } - else { - log.debug("Refused to re-initialize OpenSAML"); - return false; - } + log.debug("Refused to re-initialize OpenSAML"); + return false; + } + + private static Map getParserBuilderFeatures() { + Map parserBuilderFeatures = new HashMap<>(); + parserBuilderFeatures.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE); + parserBuilderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); + parserBuilderFeatures.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE); + parserBuilderFeatures.put("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE); + parserBuilderFeatures.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE); + parserBuilderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE); + return parserBuilderFeatures; } } diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java index 170739cee6..4fde34733c 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java @@ -37,12 +37,6 @@ import org.springframework.util.Assert; */ public final class Saml2X509Credential { - public enum Saml2X509CredentialType { - - VERIFICATION, ENCRYPTION, SIGNING, DECRYPTION, - - } - private final PrivateKey privateKey; private final X509Certificate certificate; 
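Review bot: The new `getParserBuilderFeatures()` carries no comment, yet the entries it returns are the parser's protection against DOCTYPE and external-entity processing (`disallow-doctype-decl` TRUE, `FEATURE_SECURE_PROCESSING` TRUE, both `external-*-entities` features FALSE), and nothing tells a future maintainer that relaxing them re-enables entity expansion on untrusted SAML XML. Add a Javadoc such as `/** Builder features applied to every pooled parser; the DOCTYPE and external-entity settings are security hardening and must stay as they are. */`. Since the map is only consumed by `parserPool.setBuilderFeatures`, returning `Collections.unmodifiableMap(parserBuilderFeatures)` would make that intent explicit in code as well.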
@@ -225,4 +219,16 @@ public final class Saml2X509Credential { } } + public enum Saml2X509CredentialType { + + VERIFICATION, + + ENCRYPTION, + + SIGNING, + + DECRYPTION, + + } + } diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/credentials/Saml2X509Credential.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/credentials/Saml2X509Credential.java index f139890141..0649f09e3d 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/credentials/Saml2X509Credential.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/credentials/Saml2X509Credential.java @@ -39,18 +39,6 @@ import org.springframework.util.Assert; @Deprecated public class Saml2X509Credential { - /** - * @deprecated Use - * {@link org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType} - * instead - */ - @Deprecated - public enum Saml2X509CredentialType { - - VERIFICATION, ENCRYPTION, SIGNING, DECRYPTION, - - } - private final PrivateKey privateKey; private final X509Certificate certificate; @@ -199,4 +187,22 @@ public class Saml2X509Credential { } } + /** + * @deprecated Use + * {@link org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType} + * instead + */ + @Deprecated + public enum Saml2X509CredentialType { + + VERIFICATION, + + ENCRYPTION, + + SIGNING, + + DECRYPTION, + + } + } diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/DefaultSaml2AuthenticatedPrincipal.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/DefaultSaml2AuthenticatedPrincipal.java index b282f581db..8e1ac9270b 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/DefaultSaml2AuthenticatedPrincipal.java 
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/DefaultSaml2AuthenticatedPrincipal.java
@@ -37,7 +37,6 @@ public class DefaultSaml2AuthenticatedPrincipal implements Saml2AuthenticatedPri public DefaultSaml2AuthenticatedPrincipal(String name, Map> attributes) { Assert.notNull(name, "name cannot be null"); Assert.notNull(attributes, "attributes cannot be null"); - this.name = name; this.attributes = attributes; }
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
index 3c1f122d1a..796c006402 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
@@ -100,6 +100,7 @@ import org.w3c.dom.Document; import org.w3c.dom.Element; import org.springframework.core.convert.converter.Converter; +import org.springframework.core.log.LogMessage; import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.core.Authentication;
@@ -182,24 +183,16 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi private Duration responseTimeValidationSkew = Duration.ofMinutes(5); - private Function> authenticationConverter = ( - token) -> (response) -> { - Assertion assertion = CollectionUtils.firstElement(response.getAssertions()); - String username = assertion.getSubject().getNameID().getValue(); - Map> attributes = getAssertionAttributes(assertion); - return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes), - token.getSaml2Response(), - this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion))); - }; + private Function> authenticationConverter = this::getAuthenticationConverter; private Converter signatureTrustEngineConverter = new SignatureTrustEngineConverter(); - private Converter assertionValidatorConverter = new SAML20AssertionValidatorConverter(); + private Converter assertionValidatorConverter = new SAML20AssertionValidatorConverter(); private Collection conditionValidators = Collections .singleton(new AudienceRestrictionConditionValidator()); - private Converter validationContextConverter = new ValidationContextConverter(); + private Converter validationContextConverter = new ValidationContextConverter(); private Converter decrypterConverter = new DecrypterConverter(); @@ -220,7 +213,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi * @since 5.4 */ public void setConditionValidators(Collection conditionValidators) { - Assert.notEmpty(conditionValidators, "conditionValidators cannot be empty"); this.conditionValidators = conditionValidators; } 
@@ -231,8 +223,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi * @param validationContextConverter the strategy to use * @since 5.4 */ - public void setValidationContextConverter(Converter validationContextConverter) { - + public void setValidationContextConverter( + Converter validationContextConverter) { Assert.notNull(validationContextConverter, "validationContextConverter cannot be empty"); this.validationContextConverter = validationContextConverter; } @@ -289,13 +281,10 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi throw ex; } catch (Exception ex) { - throw authException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, ex.getMessage(), ex); + throw createAuthenticationException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, ex.getMessage(), ex); } } - /** - * {@inheritDoc} - */ @Override public boolean supports(Class authentication) { return authentication != null && Saml2AuthenticationToken.class.isAssignableFrom(authentication); 
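Review bot: The `Assert.notNull` inside `setValidationContextConverter` reports "validationContextConverter cannot be empty" for what is a null check, so a caller passing null gets a misleading IllegalArgumentException; change it to `Assert.notNull(validationContextConverter, "validationContextConverter cannot be null");`. The hunk only reflows the signature, so this is a pre-existing wording slip the polish could have picked up at the same time.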
@@ -313,39 +302,32 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi return (Response) this.responseUnmarshaller.unmarshall(element); } catch (Exception ex) { - throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, ex.getMessage(), ex); + throw createAuthenticationException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, ex.getMessage(), ex); } } private void process(Saml2AuthenticationToken token, Response response) { String issuer = response.getIssuer().getValue(); - if (logger.isDebugEnabled()) { - logger.debug("Processing SAML response from " + issuer); - } - + logger.debug(LogMessage.format("Processing SAML response from %s", issuer)); boolean responseSigned = response.isSigned(); Map validationExceptions = validateResponse(token, response); - Decrypter decrypter = this.decrypterConverter.convert(token); List assertions = decryptAssertions(decrypter, response); if (!isSigned(responseSigned, assertions)) { - throw authException(Saml2ErrorCodes.INVALID_SIGNATURE, - "Either the response or one of the assertions is unsigned. " - + "Please either sign the response or all of the assertions."); + String description = "Either the response or one of the assertions is unsigned. 
" + + "Please either sign the response or all of the assertions."; + throw createAuthenticationException(Saml2ErrorCodes.INVALID_SIGNATURE, description, null); } validationExceptions.putAll(validateAssertions(token, response)); - Assertion firstAssertion = CollectionUtils.firstElement(response.getAssertions()); NameID nameId = decryptPrincipal(decrypter, firstAssertion); if (nameId == null || nameId.getValue() == null) { - validationExceptions.put(Saml2ErrorCodes.SUBJECT_NOT_FOUND, authException(Saml2ErrorCodes.SUBJECT_NOT_FOUND, - "Assertion [" + firstAssertion.getID() + "] is missing a subject")); + String description = "Assertion [" + firstAssertion.getID() + "] is missing a subject"; + validationExceptions.put(Saml2ErrorCodes.SUBJECT_NOT_FOUND, + createAuthenticationException(Saml2ErrorCodes.SUBJECT_NOT_FOUND, description, null)); } - if (validationExceptions.isEmpty()) { - if (logger.isDebugEnabled()) { - logger.debug("Successfully processed SAML Response [" + response.getID() + "]"); - } + logger.debug(LogMessage.of(() -> "Successfully processed SAML Response [" + response.getID() + "]")); } else { if (logger.isTraceEnabled()) { @@ -357,7 +339,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi + response.getID() + "]"); } } - if (!validationExceptions.isEmpty()) { throw validationExceptions.values().iterator().next(); } 
@@ -365,21 +346,17 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi private Map validateResponse(Saml2AuthenticationToken token, Response response) { - - Map validationExceptions = new HashMap<>(); + Map exceptions = new HashMap<>(); String issuer = response.getIssuer().getValue(); - if (response.isSigned()) { SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); try { profileValidator.validate(response.getSignature()); } catch (Exception ex) { - validationExceptions.put(Saml2ErrorCodes.INVALID_SIGNATURE, - authException(Saml2ErrorCodes.INVALID_SIGNATURE, - "Invalid signature for SAML Response [" + response.getID() + "]: ", ex)); + String message = "Invalid signature for SAML Response [" + response.getID() + "]: "; + addValidationException(exceptions, Saml2ErrorCodes.INVALID_SIGNATURE, message, ex); } - try { CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add(new EvaluableEntityIDCredentialCriterion(new EntityIdCriterion(issuer))); 
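Review bot: `validateResponse` dereferences `response.getIssuer().getValue()` before anything about the Response has been validated, and `process()` in the preceding hunk does the same for its debug log, so a Response carrying no Issuer element fails with a NullPointerException that the catch-all in the hunk at -289 then reports as INTERNAL_VALIDATION_ERROR rather than INVALID_ISSUER. Read the issuer defensively once, e.g. `String issuer = (response.getIssuer() != null) ? response.getIssuer().getValue() : null;`, which the existing `!StringUtils.hasText(issuer)` branch in the next hunk already turns into an INVALID_ISSUER error. The same guard belongs in `process()`. `validateResponse` continues into the next hunk.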
@@ -387,34 +364,27 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi new EvaluableProtocolRoleDescriptorCriterion(new ProtocolCriterion(SAMLConstants.SAML20P_NS))); criteriaSet.add(new EvaluableUsageCredentialCriterion(new UsageCriterion(UsageType.SIGNING))); if (!this.signatureTrustEngineConverter.convert(token).validate(response.getSignature(), criteriaSet)) { - validationExceptions.put(Saml2ErrorCodes.INVALID_SIGNATURE, - authException(Saml2ErrorCodes.INVALID_SIGNATURE, - "Invalid signature for SAML Response [" + response.getID() + "]")); + String message = "Invalid signature for SAML Response [" + response.getID() + "]"; + addValidationException(exceptions, Saml2ErrorCodes.INVALID_SIGNATURE, message, null); } } catch (Exception ex) { - validationExceptions.put(Saml2ErrorCodes.INVALID_SIGNATURE, - authException(Saml2ErrorCodes.INVALID_SIGNATURE, - "Invalid signature for SAML Response [" + response.getID() + "]: ", ex)); + String message = "Invalid signature for SAML Response [" + response.getID() + "]: "; + addValidationException(exceptions, Saml2ErrorCodes.INVALID_SIGNATURE, message, ex); } } - String destination = response.getDestination(); String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation(); if (StringUtils.hasText(destination) && !destination.equals(location)) { String message = "Invalid destination [" + destination + "] for SAML response [" + response.getID() + "]"; - validationExceptions.put(Saml2ErrorCodes.INVALID_DESTINATION, - authException(Saml2ErrorCodes.INVALID_DESTINATION, message)); + addValidationException(exceptions, Saml2ErrorCodes.INVALID_DESTINATION, message, null); } - String assertingPartyEntityId = token.getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId(); if (!StringUtils.hasText(issuer) || !issuer.equals(assertingPartyEntityId)) { String message = String.format("Invalid issuer [%s] for SAML response [%s]", issuer, response.getID()); - 
validationExceptions.put(Saml2ErrorCodes.INVALID_ISSUER, - authException(Saml2ErrorCodes.INVALID_ISSUER, message)); + addValidationException(exceptions, Saml2ErrorCodes.INVALID_ISSUER, message, null); } - - return validationExceptions; + return exceptions; } private List decryptAssertions(Decrypter decrypter, Response response) { @@ -425,7 +395,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi assertions.add(assertion); } catch (DecryptionException ex) { - throw authException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex); + throw createAuthenticationException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex); } } response.getAssertions().addAll(assertions); 
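Review bot: In `validateResponse` a failed `profileValidator.validate` is recorded under INVALID_SIGNATURE and then the trust-engine check still runs and, through `addValidationException`, replaces that entry with its own less specific message, so the profile failure never reaches the caller; skipping the trust-engine block once the profile check has failed would keep the first finding. Separately, `exceptions` is created as a `HashMap` in the previous hunk while `validateAssertions` uses a `LinkedHashMap`, so `validationExceptions.values().iterator().next()` in `process()` throws whichever code happens to hash first rather than the first failure detected; switching `new HashMap<>()` to `new LinkedHashMap<>()` there makes the reported error deterministic. Either change is a single line.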
@@ -436,52 +406,47 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi Response response) { List assertions = response.getAssertions(); if (assertions.isEmpty()) { - throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, "No assertions found in response."); + throw createAuthenticationException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, + "No assertions found in response.", null); } - - Map validationExceptions = new LinkedHashMap<>(); - if (logger.isDebugEnabled()) { - logger.debug("Validating " + assertions.size() + " assertions"); - } - - Tuple tuple = new Tuple(token, response); + Map exceptions = new LinkedHashMap<>(); + logger.debug(LogMessage.format("Validating %s assertions", assertions.size())); + TokenAndResponse tuple = new TokenAndResponse(token, response); SAML20AssertionValidator validator = this.assertionValidatorConverter.convert(tuple); ValidationContext context = this.validationContextConverter.convert(tuple); for (Assertion assertion : assertions) { - if (logger.isTraceEnabled()) { - logger.trace("Validating assertion " + assertion.getID()); - } + logger.trace(LogMessage.format("Validating assertion %s", assertion.getID())); try { if (validator.validate(assertion, context) != ValidationResult.VALID) { String message = String.format("Invalid assertion [%s] for SAML response [%s]: %s", assertion.getID(), ((Response) assertion.getParent()).getID(), context.getValidationFailureMessage()); - validationExceptions.put(Saml2ErrorCodes.INVALID_ASSERTION, - authException(Saml2ErrorCodes.INVALID_ASSERTION, message)); + addValidationException(exceptions, Saml2ErrorCodes.INVALID_ASSERTION, message, null); } } catch (Exception ex) { String message = String.format("Invalid assertion [%s] for SAML response [%s]: %s", assertion.getID(), ((Response) assertion.getParent()).getID(), ex.getMessage()); - validationExceptions.put(Saml2ErrorCodes.INVALID_ASSERTION, - authException(Saml2ErrorCodes.INVALID_ASSERTION, message, ex)); + 
addValidationException(exceptions, Saml2ErrorCodes.INVALID_ASSERTION, message, ex); } } + return exceptions; + } - return validationExceptions; + private void addValidationException(Map exceptions, String code, + String message, Exception cause) { + exceptions.put(code, createAuthenticationException(code, message, cause)); } private boolean isSigned(boolean responseSigned, List assertions) { if (responseSigned) { return true; } - for (Assertion assertion : assertions) { if (!assertion.isSigned()) { return false; } } - return true; } @@ -498,7 +463,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi return nameId; } catch (DecryptionException ex) { - throw authException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex); + throw createAuthenticationException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex); } } @@ -506,7 +471,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi Map> attributeMap = new LinkedHashMap<>(); for (AttributeStatement attributeStatement : assertion.getAttributeStatements()) { for (Attribute attribute : attributeStatement.getAttributes()) { - List attributeValues = new ArrayList<>(); for (XMLObject xmlObject : attribute.getAttributeValues()) { Object attributeValue = getXmlObjectValue(xmlObject); @@ -515,7 +479,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi } } attributeMap.put(attribute.getName(), attributeValues); - } } return attributeMap; 
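Review bot: The new `addValidationException` overwrites whatever is already stored under `code`, so when several assertions in one Response fail validation only the last assertion's message survives and is what `process()` eventually throws; at minimum that contract belongs on the method, e.g. `/** Records a validation failure under its error code; a later failure with the same code replaces an earlier one. */`. If the earlier failures matter for diagnostics, the loop in `validateAssertions` already has `assertion.getID()` at hand and could log each failure at debug before storing it.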
@@ -559,20 +522,22 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi return xsAny.getTextContent(); } - private static Saml2Error validationError(String code, String description) { - return new Saml2Error(code, description); + private Converter getAuthenticationConverter( + Saml2AuthenticationToken token) { + return (response) -> convertAuthenticationToken(token, response); } - private static Saml2AuthenticationException authException(String code, String description) - throws Saml2AuthenticationException { - - return new Saml2AuthenticationException(validationError(code, description)); + private AbstractAuthenticationToken convertAuthenticationToken(Saml2AuthenticationToken token, Response response) { + Assertion assertion = CollectionUtils.firstElement(response.getAssertions()); + String username = assertion.getSubject().getNameID().getValue(); + Map> attributes = getAssertionAttributes(assertion); + return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes), + token.getSaml2Response(), this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion))); } - private static Saml2AuthenticationException authException(String code, String description, Exception cause) - throws Saml2AuthenticationException { - - return new Saml2AuthenticationException(validationError(code, description), cause); + private static Saml2AuthenticationException createAuthenticationException(String code, String message, + Exception cause) { + return new Saml2AuthenticationException(new Saml2Error(code, message), cause); } private static class SignatureTrustEngineConverter 
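Review bot: `createAuthenticationException` is now called with `null` as `cause` from several sites (the INVALID_SIGNATURE, SUBJECT_NOT_FOUND, INVALID_DESTINATION and INVALID_ISSUER paths), which only works because the `Saml2AuthenticationException(Saml2Error, Throwable)` constructor is made null-tolerant in this same commit; that coupling should be stated on the new method with `@param cause the root cause, or {@code null} when there is none`. `convertAuthenticationToken` dereferences `assertion.getSubject().getNameID()` without a check and appears to rely on `process()` having already rejected responses with no assertion or no subject; a one-line comment saying so would keep that assumption visible to whoever next touches the converter.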
@@ -596,10 +561,10 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi } - private class ValidationContextConverter implements Converter { + private class ValidationContextConverter implements Converter { @Override - public ValidationContext convert(Tuple tuple) { + public ValidationContext convert(TokenAndResponse tuple) { String audience = tuple.authentication.getRelyingPartyRegistration().getEntityId(); String recipient = tuple.authentication.getRelyingPartyRegistration().getAssertionConsumerServiceLocation(); Map params = new HashMap<>(); @@ -607,17 +572,14 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi OpenSamlAuthenticationProvider.this.responseTimeValidationSkew.toMillis()); params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Collections.singleton(audience)); params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Collections.singleton(recipient)); - params.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, false); // this - // verification - // is - // performed - // earlier + // this verification is performed earlier + params.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, false); return new ValidationContext(params); } } - private class SAML20AssertionValidatorConverter implements Converter { + private class SAML20AssertionValidatorConverter implements Converter { private final Collection subjects = new ArrayList<>(); @@ -638,7 +600,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi } @Override - public SAML20AssertionValidator convert(Tuple tuple) { + public SAML20AssertionValidator convert(TokenAndResponse tuple) { Collection conditions = OpenSamlAuthenticationProvider.this.conditionValidators; return new SAML20AssertionValidator(conditions, this.subjects, this.statements, OpenSamlAuthenticationProvider.this.signatureTrustEngineConverter.convert(tuple.authentication), 
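Review bot: The reflowed comment `// this verification is performed earlier` on `SIGNATURE_REQUIRED` still does not say where, so a reader cannot check that the assumption holds; name the check, e.g. `// presence of a signature is enforced by isSigned() in process(); signatures that are present are presumably still verified through the trust engine handed to SAML20AssertionValidator below`. The trust-engine wiring is visible in the `SAML20AssertionValidatorConverter.convert` hunk, so the two comments can point at each other.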
@@ -674,13 +636,13 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi * * @since 5.4 */ - public static final class Tuple { + public static final class TokenAndResponse { private final Saml2AuthenticationToken authentication; private final Response response; - private Tuple(Saml2AuthenticationToken authentication, Response response) { + private TokenAndResponse(Saml2AuthenticationToken authentication, Response response) { this.authentication = authentication; this.response = response; } diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.java index af788ed70b..c883cf32de 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.java 
@@ -117,22 +117,15 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication throw new IllegalArgumentException("No signing credential provided"); } - /** - * {@inheritDoc} - */ @Override public Saml2PostAuthenticationRequest createPostAuthenticationRequest(Saml2AuthenticationRequestContext context) { AuthnRequest authnRequest = createAuthnRequest(context); String xml = context.getRelyingPartyRegistration().getAssertingPartyDetails().getWantAuthnRequestsSigned() ? serialize(sign(authnRequest, context.getRelyingPartyRegistration())) : serialize(authnRequest); - return Saml2PostAuthenticationRequest.withAuthenticationRequestContext(context) .samlRequest(Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8))).build(); } - /** - * {@inheritDoc} - */ @Override public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest( Saml2AuthenticationRequestContext context) { @@ -141,7 +134,6 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication Builder result = Saml2RedirectAuthenticationRequest.withAuthenticationRequestContext(context); String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml)); result.samlRequest(deflatedAndEncoded).relayState(context.getRelayState()); - if (context.getRelyingPartyRegistration().getAssertingPartyDetails().getWantAuthnRequestsSigned()) { Collection signingCredentials = context.getRelyingPartyRegistration() .getSigningX509Credentials(); @@ -154,7 +146,6 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication } throw new Saml2Exception("No signing credential provided"); } - return result.build(); } 
@@ -266,12 +257,10 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication .append(UriUtils.encode(relayState, StandardCharsets.ISO_8859_1)).append("&"); } queryString.append("SigAlg").append("=").append(UriUtils.encode(algorithmUri, StandardCharsets.ISO_8859_1)); - try { byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri, queryString.toString().getBytes(StandardCharsets.UTF_8)); String b64Signature = Saml2Utils.samlEncode(rawSignature); - Map result = new LinkedHashMap<>(); result.put("SAMLRequest", samlRequest); if (StringUtils.hasText(relayState)) { diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationException.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationException.java index 64807dbfba..a4f4610833 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationException.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationException.java @@ -56,7 +56,7 @@ public class Saml2AuthenticationException extends AuthenticationException { * @param cause the root cause */ public Saml2AuthenticationException(Saml2Error error, Throwable cause) { - this(error, cause.getMessage(), cause); + this(error, (cause != null) ? cause.getMessage() : error.getDescription(), cause); } /** diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java index c235157147..5f4f8fdb33 100644 
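Review bot: The new null guard in `Saml2AuthenticationException(Saml2Error, Throwable)` still produces a null exception message when a non-null cause has no message, which is common for NullPointerException and some parser exceptions; the fallback should cover both cases: `this(error, (cause != null && cause.getMessage() != null) ? cause.getMessage() : error.getDescription(), cause);`. The Javadoc `@param cause the root cause` directly above should also say the argument may be {@code null}, since OpenSamlAuthenticationProvider now passes null deliberately.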
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java @@ -52,7 +52,6 @@ public class Saml2AuthenticationToken extends AbstractAuthenticationToken { * @since 5.4 */ public Saml2AuthenticationToken(RelyingPartyRegistration relyingPartyRegistration, String saml2Response) { - super(Collections.emptyList()); Assert.notNull(relyingPartyRegistration, "relyingPartyRegistration cannot be null"); Assert.notNull(saml2Response, "saml2Response cannot be null"); diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequest.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequest.java index bfaff2db48..5fc84dd078 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequest.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequest.java @@ -60,7 +60,6 @@ public class Saml2PostAuthenticationRequest extends AbstractSaml2AuthenticationR public static final class Builder extends AbstractSaml2AuthenticationRequest.Builder { private Builder() { - super(); } /** diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequest.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequest.java index b74518a459..80fec1d392 100644 
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequest.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequest.java
@@ -87,7 +87,6 @@ public final class Saml2RedirectAuthenticationRequest extends AbstractSaml2Authe private String signature; private Builder() { - super(); } /**
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java
index 0684e0b866..edcd9c35c6 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java
@@ -67,17 +67,12 @@ public final class OpenSamlMetadataResolver implements Saml2MetadataResolver { Assert.notNull(this.entityDescriptorMarshaller, "entityDescriptorMarshaller cannot be null"); } - /** - * {@inheritDoc} - */ @Override public String resolve(RelyingPartyRegistration relyingPartyRegistration) { EntityDescriptor entityDescriptor = build(EntityDescriptor.ELEMENT_QNAME); entityDescriptor.setEntityID(relyingPartyRegistration.getEntityId()); - SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(relyingPartyRegistration); entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor); - return serialize(entityDescriptor); }
@@ -107,17 +102,14 @@ public final class OpenSamlMetadataResolver implements Saml2MetadataResolver { KeyInfo keyInfo = build(KeyInfo.DEFAULT_ELEMENT_NAME); X509Certificate x509Certificate = build(X509Certificate.DEFAULT_ELEMENT_NAME); X509Data x509Data = build(X509Data.DEFAULT_ELEMENT_NAME); - try { x509Certificate.setValue(new String(Base64.getEncoder().encode(certificate.getEncoded()))); } catch (CertificateEncodingException ex) { throw new Saml2Exception("Cannot encode certificate " + certificate.toString()); } - x509Data.getX509Certificates().add(x509Certificate); keyInfo.getX509Datas().add(x509Data); - keyDescriptor.setUse(usageType); keyDescriptor.setKeyInfo(keyInfo); return keyDescriptor; diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter.java index 52aa839ddd..1aefa5489d 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter.java 
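Review bot: The catch in this hunk throws `new Saml2Exception("Cannot encode certificate " + certificate.toString())` and drops `ex`, so the CertificateEncodingException's detail is lost; pass it as the cause, `throw new Saml2Exception("Cannot encode certificate " + certificate, ex);` (Saml2Exception is built from a Throwable elsewhere in this commit, so a cause-taking form appears to exist — confirm the (String, Throwable) constructor). The line above builds the value with `new String(byte[])`, which uses the platform default charset; `x509Certificate.setValue(Base64.getEncoder().encodeToString(certificate.getEncoded()));` is charset-independent and shorter.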
@@ -96,37 +96,24 @@ public class OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter this.parserPool = registry.getParserPool(); } - /** - * {@inheritDoc} - */ @Override public boolean canRead(Class clazz, MediaType mediaType) { return RelyingPartyRegistration.Builder.class.isAssignableFrom(clazz); } - /** - * {@inheritDoc} - */ @Override public boolean canWrite(Class clazz, MediaType mediaType) { return false; } - /** - * {@inheritDoc} - */ @Override public List getSupportedMediaTypes() { return Arrays.asList(MediaType.APPLICATION_XML, MediaType.TEXT_XML); } - /** - * {@inheritDoc} - */ @Override public RelyingPartyRegistration.Builder read(Class clazz, HttpInputMessage inputMessage) throws IOException, HttpMessageNotReadableException { - EntityDescriptor descriptor = entityDescriptor(inputMessage.getBody()); IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS); if (idpssoDescriptor == null) { 
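Review bot: `canRead` ignores its `mediaType` argument while `getSupportedMediaTypes` advertises only `MediaType.APPLICATION_XML` and `MediaType.TEXT_XML`, which reads as an inconsistency; if the intent is to accept metadata whatever content type the asserting party serves it under, a one-line comment such as `// metadata is often served under arbitrary content types; decide on the target class only` would make that explicit. `getSupportedMediaTypes` returns the fixed-size `Arrays.asList` view, which callers can still mutate through `set`; `Collections.unmodifiableList(Arrays.asList(MediaType.APPLICATION_XML, MediaType.TEXT_XML))` prevents that without raising the Java baseline. The `read` method continues outside the hunk.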
@@ -184,6 +171,32 @@ public class OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter "Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests"); } + private List getVerification(IDPSSODescriptor idpssoDescriptor) { + List verification = new ArrayList<>(); + for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) { + if (keyDescriptor.getUse().equals(UsageType.SIGNING)) { + List certificates = certificates(keyDescriptor); + for (X509Certificate certificate : certificates) { + verification.add(Saml2X509Credential.verification(certificate)); + } + } + } + return verification; + } + + private List getEncryption(IDPSSODescriptor idpssoDescriptor) { + List encryption = new ArrayList<>(); + for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) { + if (keyDescriptor.getUse().equals(UsageType.ENCRYPTION)) { + List certificates = certificates(keyDescriptor); + for (X509Certificate certificate : certificates) { + encryption.add(Saml2X509Credential.encryption(certificate)); + } + } + } + return encryption; + } + private List certificates(KeyDescriptor keyDescriptor) { try { return KeyInfoSupport.getCertificates(keyDescriptor.getKeyInfo()); diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java index ccbf33791f..51e0571679 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java 
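Review bot: In both new helpers the guard `keyDescriptor.getUse().equals(UsageType.SIGNING)` (and `UsageType.ENCRYPTION` in `getEncryption`) skips any KeyDescriptor whose `use` attribute is absent, although the attribute is optional in SAML metadata and a descriptor without it is valid for both signing and encryption; and if OpenSAML reports an absent attribute as null rather than `UsageType.UNSPECIFIED` (it appears to vary by version, so verify), the first such descriptor ends metadata parsing with a NullPointerException. Since the two methods differ only in the usage type and the `Saml2X509Credential` factory, one shared loop that treats null/`UNSPECIFIED` as matching both keeps the fix in one place; this needs `java.util.function.Function` in scope if it is not already imported.
```java
private List<Saml2X509Credential> getVerification(IDPSSODescriptor idpssoDescriptor) {
    return credentials(idpssoDescriptor, UsageType.SIGNING, Saml2X509Credential::verification);
}

private List<Saml2X509Credential> getEncryption(IDPSSODescriptor idpssoDescriptor) {
    return credentials(idpssoDescriptor, UsageType.ENCRYPTION, Saml2X509Credential::encryption);
}

private List<Saml2X509Credential> credentials(IDPSSODescriptor idpssoDescriptor, UsageType usage,
        Function<X509Certificate, Saml2X509Credential> factory) {
    List<Saml2X509Credential> result = new ArrayList<>();
    for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
        UsageType use = keyDescriptor.getUse();
        // a KeyDescriptor without a use attribute applies to both signing and encryption
        if (use == null || use == UsageType.UNSPECIFIED || use == usage) {
            for (X509Certificate certificate : certificates(keyDescriptor)) {
                result.add(factory.apply(certificate));
            }
        }
    }
    return result;
}

// … unchanged: certificates(KeyDescriptor) …
```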
@@ -28,8 +28,6 @@ import java.util.function.Consumer; import java.util.function.Function; import org.springframework.security.saml2.core.Saml2X509Credential; -import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails; -import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails; import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter; import org.springframework.util.Assert; @@ -94,7 +92,6 @@ public final class RelyingPartyRegistration { Collection credentials, Collection decryptionX509Credentials, Collection signingX509Credentials) { - Assert.hasText(registrationId, "registrationId cannot be empty"); Assert.hasText(entityId, "entityId cannot be empty"); Assert.hasText(assertionConsumerServiceLocation, "assertionConsumerServiceLocation cannot be empty"); @@ -332,7 +329,6 @@ public final class RelyingPartyRegistration { private List filterCredentials( Function filter) { - List result = new LinkedList<>(); for (org.springframework.security.saml2.credentials.Saml2X509Credential c : this.credentials) { if (filter.apply(c)) { @@ -447,7 +443,6 @@ public final class RelyingPartyRegistration { Collection verificationX509Credentials, Collection encryptionX509Credentials, String singleSignOnServiceLocation, Saml2MessageBinding singleSignOnServiceBinding) { - Assert.hasText(entityId, "entityId cannot be null or empty"); Assert.notNull(verificationX509Credentials, "verificationX509Credentials cannot be null"); for (Saml2X509Credential credential : verificationX509Credentials) { 
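Review bot: In `filterCredentials` (the third hunk of this file) the result is accumulated in `new LinkedList<>()`, the slower choice for an append-then-iterate list; `new ArrayList<>()` is the idiomatic default, the declared return type is the `List` interface so callers are unaffected, and the `LinkedList` import can go once nothing else uses it. The remaining hunks only drop blank lines and two now-unused imports. `filterCredentials` continues outside the hunk.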
@@ -1038,7 +1033,6 @@ public final class RelyingPartyRegistration { for (Saml2X509Credential credential : this.providerDetails.assertingPartyDetailsBuilder.encryptionX509Credentials) { this.credentials.add(toDeprecated(credential)); } - return new RelyingPartyRegistration(this.registrationId, this.entityId, this.assertionConsumerServiceLocation, this.assertionConsumerServiceBinding, this.providerDetails.build(), this.credentials, this.decryptionX509Credentials, diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2ServletUtils.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2ServletUtils.java index ce062757dc..d6544958aa 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2ServletUtils.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2ServletUtils.java @@ -41,7 +41,6 @@ final class Saml2ServletUtils { if (!StringUtils.hasText(template)) { return baseUrl; } - String entityId = relyingParty.getAssertingPartyDetails().getEntityId(); String registrationId = relyingParty.getRegistrationId(); Map uriVariables = new HashMap<>(); @@ -64,7 +63,6 @@ final class Saml2ServletUtils { uriVariables.put("baseUrl", uriComponents.toUriString()); uriVariables.put("entityId", StringUtils.hasText(entityId) ? entityId : ""); uriVariables.put("registrationId", StringUtils.hasText(registrationId) ? registrationId : ""); - return UriComponentsBuilder.fromUriString(template).buildAndExpand(uriVariables).toUriString(); } 
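Review bot: The template-expansion block at the end of the second Saml2ServletUtils hunk (`uriVariables.put("baseUrl", uriComponents.toUriString())` through `UriComponentsBuilder.fromUriString(template).buildAndExpand(uriVariables).toUriString()`) is duplicated line for line in DefaultRelyingPartyRegistrationResolver (its third hunk, later in this diff), and the preceding hunk shows the same `entityId`/`registrationId` lookup; with two copies, a future change to how `baseUrl` is derived from the request or how the variables are escaped has to be made twice. If Saml2ServletUtils is the legacy path, a comment on it naming the authoritative implementation, or delegating one to the other, would prevent drift. Both methods start outside their hunks.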
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java index 14b4e1396b..731c6a3c66 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java @@ -131,13 +131,9 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter this.redirectMatcher = redirectMatcher; } - /** - * {@inheritDoc} - */ @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { - MatchResult matcher = this.redirectMatcher.matcher(request); if (!matcher.isMatch()) { filterChain.doFilter(request, response); @@ -192,26 +188,42 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter String authenticationRequestUri = authenticationRequest.getAuthenticationRequestUri(); String relayState = authenticationRequest.getRelayState(); String samlRequest = authenticationRequest.getSamlRequest(); - StringBuilder postHtml = new StringBuilder().append("\n").append("\n") - .append(" \n").append(" \n").append(" \n") - .append(" \n").append(" \n").append(" \n") - .append("
\n") - .append("
\n") - .append(" \n"); + StringBuilder html = new StringBuilder(); + html.append("\n"); + html.append("\n").append(" \n"); + html.append(" \n"); + html.append(" \n"); + html.append(" \n"); + html.append(" \n"); + html.append(" \n"); + html.append(" \n"); + html.append("
\n"); + html.append(" \n"); if (StringUtils.hasText(relayState)) { - postHtml.append(" \n"); + html.append(" \n"); } - postHtml.append("
\n").append(" \n").append(" \n") - .append(" \n").append(" \n").append(""); - return postHtml.toString(); + html.append("
\n"); + html.append(" \n"); + html.append(" \n"); + html.append(" \n"); + html.append(" \n"); + html.append(""); + return html.toString(); } } diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultRelyingPartyRegistrationResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultRelyingPartyRegistrationResolver.java index 45c6c27d95..10b667847c 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultRelyingPartyRegistrationResolver.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultRelyingPartyRegistrationResolver.java @@ -52,7 +52,6 @@ public final class DefaultRelyingPartyRegistrationResolver public DefaultRelyingPartyRegistrationResolver( RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) { - Assert.notNull(relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null"); this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository; } @@ -68,7 +67,6 @@ public final class DefaultRelyingPartyRegistrationResolver if (relyingPartyRegistration == null) { return null; } - String applicationUri = getApplicationUri(request); Function templateResolver = templateResolver(applicationUri, relyingPartyRegistration); String relyingPartyEntityId = templateResolver.apply(relyingPartyRegistration.getEntityId()); @@ -104,7 +102,6 @@ public final class DefaultRelyingPartyRegistrationResolver uriVariables.put("baseUrl", uriComponents.toUriString()); uriVariables.put("entityId", StringUtils.hasText(entityId) ? entityId : ""); uriVariables.put("registrationId", StringUtils.hasText(registrationId) ? registrationId : ""); - return UriComponentsBuilder.fromUriString(template).buildAndExpand(uriVariables).toUriString(); } 
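Review bot: The values interpolated into the POST form in this hunk (`authenticationRequestUri`, `samlRequest`, and the `relayState` appended inside the `if (StringUtils.hasText(relayState))` branch) are not visible in this rendering, so the diff alone cannot confirm that each is HTML-escaped before being placed into an attribute value; if any is appended raw, wrapping it in `HtmlUtils.htmlEscape(...)` is the fix, since relay state in particular can originate from the incoming request. The rewrite otherwise only splits the chained `append` calls into one per line, which is easier to read; a comment naming what is being built, e.g. `// auto-submitting form carrying SAMLRequest and the optional RelayState to the asserting party`, would help now that each line is a fragment. The method's signature is before the hunk.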
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultSaml2AuthenticationRequestContextResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultSaml2AuthenticationRequestContextResolver.java
index c6f40dc24d..a6cdb3ed91 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultSaml2AuthenticationRequestContextResolver.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultSaml2AuthenticationRequestContextResolver.java
@@ -47,9 +47,6 @@ public final class DefaultSaml2AuthenticationRequestContextResolver
 this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
 }
 
-/**
- * {@inheritDoc}
- */
 @Override
 public Saml2AuthenticationRequestContext resolve(HttpServletRequest request) {
 Assert.notNull(request, "request cannot be null");
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java
index b86475ba97..bcce7e6fa8 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java
@@ -60,9 +60,6 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
 this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
 }
 
-/**
- * {@inheritDoc}
- */
 @Override
 public Saml2AuthenticationToken convert(HttpServletRequest request) {
 RelyingPartyRegistration relyingPartyRegistration = this.relyingPartyRegistrationResolver.convert(request);
@@ -82,9 +79,7 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
 if (HttpMethod.GET.matches(request.getMethod())) {
 return samlInflate(b);
 }
-else {
-return new String(b, StandardCharsets.UTF_8);
-}
+return new String(b, StandardCharsets.UTF_8);
 }
 
 private byte[] samlDecode(String s) {
@@ -94,9 +89,9 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
 private String samlInflate(byte[] b) {
 try {
 ByteArrayOutputStream out = new ByteArrayOutputStream();
-InflaterOutputStream iout = new InflaterOutputStream(out, new Inflater(true));
-iout.write(b);
-iout.finish();
+InflaterOutputStream inflaterOutputStream = new InflaterOutputStream(out, new Inflater(true));
+inflaterOutputStream.write(b);
+inflaterOutputStream.finish();
 return new String(out.toByteArray(), StandardCharsets.UTF_8);
 }
 catch (IOException ex) {
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
index d06f63d663..9e328cb6c3 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
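Review bot: In the `samlInflate` hunk the `Inflater` created with `new Inflater(true)` is never ended: `InflaterOutputStream` only calls `end()` on an inflater it created itself, so every request that reaches this path leaves native zlib memory to the garbage collector, and the stream is not closed on the exception path either. Ending the inflater in a `finally` and using try-with-resources on the stream fixes both; the same pattern appears in the test utility `Saml2Utils.samlInflate` and, with `Deflater`, in `Saml2Utils.samlDeflate` (last file of this diff). Separately, `b` is decoded from a request parameter in the `HttpMethod.GET` branch above and the inflated output is collected without any bound, so a small payload can expand into a very large buffer; a cap on the inflated size (inflating in a loop with `Inflater.inflate` into a fixed buffer and failing once a limit is crossed) would make the endpoint robust to that. The `catch` body is outside the hunk.
```java
private String samlInflate(byte[] b) {
    Inflater inflater = new Inflater(true);
    try {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (InflaterOutputStream inflaterOutputStream = new InflaterOutputStream(out, inflater)) {
            inflaterOutputStream.write(b);
            inflaterOutputStream.finish();
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }
    catch (IOException ex) {
        // … unchanged: Saml2Exception wrapping …
    }
    finally {
        // an explicitly supplied Inflater is not ended by InflaterOutputStream.close()
        inflater.end();
    }
```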
@@ -60,19 +60,16 @@ public final class Saml2MetadataFilter extends OncePerRequestFilter {
 @Override
 protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
 throws ServletException, IOException {
-
 RequestMatcher.MatchResult matcher = this.requestMatcher.matcher(request);
 if (!matcher.isMatch()) {
 chain.doFilter(request, response);
 return;
 }
-
 RelyingPartyRegistration relyingPartyRegistration = this.relyingPartyRegistrationConverter.convert(request);
 if (relyingPartyRegistration == null) {
 response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 return;
 }
-
 String metadata = this.saml2MetadataResolver.resolve(relyingPartyRegistration);
 String registrationId = relyingPartyRegistration.getRegistrationId();
 writeMetadataToResponse(response, registrationId, metadata);
@@ -80,7 +77,6 @@ public final class Saml2MetadataFilter extends OncePerRequestFilter {
 
 private void writeMetadataToResponse(HttpServletResponse response, String registrationId, String metadata)
 throws IOException {
-
 response.setContentType(MediaType.APPLICATION_XML_VALUE);
 response.setHeader(HttpHeaders.CONTENT_DISPOSITION,
 "attachment; filename=\"saml-" + registrationId + "-metadata.xml\"");
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java
index 0a80ee0ed4..a518b911a3 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java
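Review bot: `writeMetadataToResponse` builds the Content-Disposition header by concatenation, `"attachment; filename=\"saml-" + registrationId + "-metadata.xml\""`, so a registration id containing a double quote, a semicolon or non-ASCII characters yields a malformed or misparsed header; the id is taken from the registration the repository resolved rather than straight from the URL, so this is a robustness rather than an injection concern, but `ContentDisposition.builder("attachment").filename("saml-" + registrationId + "-metadata.xml").build().toString()` from spring-web does the quoting for you. In `doFilterInternal`, a request whose registration cannot be resolved is answered with `SC_UNAUTHORIZED` and no challenge; a comment such as `// unknown registrationId: 401 without a challenge, the metadata endpoint is not an authenticated one` would record that this is deliberate, or 404 may describe the situation better. `writeMetadataToResponse` continues outside the hunk.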
@@ -45,11 +45,12 @@ public final class Saml2Utils {
 
 public static byte[] samlDeflate(String s) {
 try {
-ByteArrayOutputStream b = new ByteArrayOutputStream();
-DeflaterOutputStream deflater = new DeflaterOutputStream(b, new Deflater(Deflater.DEFLATED, true));
-deflater.write(s.getBytes(StandardCharsets.UTF_8));
-deflater.finish();
-return b.toByteArray();
+ByteArrayOutputStream out = new ByteArrayOutputStream();
+DeflaterOutputStream deflaterOutputStream = new DeflaterOutputStream(out,
+new Deflater(Deflater.DEFLATED, true));
+deflaterOutputStream.write(s.getBytes(StandardCharsets.UTF_8));
+deflaterOutputStream.finish();
+return out.toByteArray();
 }
 catch (IOException ex) {
 throw new Saml2Exception("Unable to deflate string", ex);
@@ -59,9 +60,9 @@ public final class Saml2Utils {
 public static String samlInflate(byte[] b) {
 try {
 ByteArrayOutputStream out = new ByteArrayOutputStream();
-InflaterOutputStream iout = new InflaterOutputStream(out, new Inflater(true));
-iout.write(b);
-iout.finish();
+InflaterOutputStream inflaterOutputStream = new InflaterOutputStream(out, new Inflater(true));
+inflaterOutputStream.write(b);
+inflaterOutputStream.finish();
 return new String(out.toByteArray(), StandardCharsets.UTF_8);
 }
 catch (IOException ex) {