Polish spring-security-saml2 main code

Manually polish `spring-security-saml2` following the formatting and checkstyle fixes. Issue gh-8945
2025-07-15 06:43:32 +00:00 · 2020-07-31 22:59:05 -07:00 · 2020-07-31 22:59:05 -07:00 · 1f03608b73
commit 1f03608b73
parent e8094b8cf2
20 changed files with 179 additions and 230 deletions
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java
@ -118,27 +118,15 @@ public final class OpenSamlInitializationService {
 	private static boolean initialize(Consumer<XMLObjectProviderRegistry> registryConsumer) {
 		if (initialized.compareAndSet(false, true)) {
 			log.trace("Initializing OpenSAML");
 			try {
 				InitializationService.initialize();
 			}
 			catch (Exception ex) {
 				throw new Saml2Exception(ex);
 			}
 			BasicParserPool parserPool = new BasicParserPool();
 			parserPool.setMaxPoolSize(50);
-
+			parserPool.setBuilderFeatures(getParserBuilderFeatures());
 			Map<String, Boolean> parserBuilderFeatures = new HashMap<>();
 			parserBuilderFeatures.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
 			parserBuilderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
 			parserBuilderFeatures.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
 			parserBuilderFeatures.put("http://apache.org/xml/features/validation/schema/normalized-value",
 					Boolean.FALSE);
 			parserBuilderFeatures.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
 			parserBuilderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE);
 			parserPool.setBuilderFeatures(parserBuilderFeatures);
 			try {
 				parserPool.initialize();
 			}
@ -146,16 +134,23 @@ public final class OpenSamlInitializationService {
 				throw new Saml2Exception(ex);
 			}
 			XMLObjectProviderRegistrySupport.setParserPool(parserPool);
 			registryConsumer.accept(ConfigurationService.get(XMLObjectProviderRegistry.class));
 			log.debug("Initialized OpenSAML");
 			return true;
 		}
 		else {
 		log.debug("Refused to re-initialize OpenSAML");
 		return false;
 	}
 	private static Map<String, Boolean> getParserBuilderFeatures() {
 		Map<String, Boolean> parserBuilderFeatures = new HashMap<>();
 		parserBuilderFeatures.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
 		parserBuilderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
 		parserBuilderFeatures.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
 		parserBuilderFeatures.put("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE);
 		parserBuilderFeatures.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
 		parserBuilderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE);
 		return parserBuilderFeatures;
 	}
 }
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2X509Credential.java
@ -37,12 +37,6 @@ import org.springframework.util.Assert;
 */
 public final class Saml2X509Credential {
 	public enum Saml2X509CredentialType {
 		VERIFICATION, ENCRYPTION, SIGNING, DECRYPTION,
 	}
 	private final PrivateKey privateKey;
 	private final X509Certificate certificate;
@ -225,4 +219,16 @@ public final class Saml2X509Credential {
 		}
 	}
 	public enum Saml2X509CredentialType {
 		VERIFICATION,
 		ENCRYPTION,
 		SIGNING,
 		DECRYPTION,
 	}
 }
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/credentials/Saml2X509Credential.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/credentials/Saml2X509Credential.java
@ -39,18 +39,6 @@ import org.springframework.util.Assert;
@Deprecated
 public class Saml2X509Credential {
 	/**
 	 * @deprecated Use
 	 * {@link org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType}
 	 * instead
 	 */
 	@Deprecated
 	public enum Saml2X509CredentialType {
 		VERIFICATION, ENCRYPTION, SIGNING, DECRYPTION,
 	}
 	private final PrivateKey privateKey;
 	private final X509Certificate certificate;
@ -199,4 +187,22 @@ public class Saml2X509Credential {
 		}
 	}
 	/**
 	 * @deprecated Use
 	 * {@link org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType}
 	 * instead
 	 */
 	@Deprecated
 	public enum Saml2X509CredentialType {
 		VERIFICATION,
 		ENCRYPTION,
 		SIGNING,
 		DECRYPTION,
 	}
 }
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/DefaultSaml2AuthenticatedPrincipal.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/DefaultSaml2AuthenticatedPrincipal.java
@ -37,7 +37,6 @@ public class DefaultSaml2AuthenticatedPrincipal implements Saml2AuthenticatedPri
 	public DefaultSaml2AuthenticatedPrincipal(String name, Map<String, List<Object>> attributes) {
 		Assert.notNull(name, "name cannot be null");
 		Assert.notNull(attributes, "attributes cannot be null");
 		this.name = name;
 		this.attributes = attributes;
 	}
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
@ -100,6 +100,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.core.log.LogMessage;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
@ -182,24 +183,16 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 	private Duration responseTimeValidationSkew = Duration.ofMinutes(5);
-	private Function<Saml2AuthenticationToken, Converter<Response, AbstractAuthenticationToken>> authenticationConverter = (
+	private Function<Saml2AuthenticationToken, Converter<Response, AbstractAuthenticationToken>> authenticationConverter = this::getAuthenticationConverter;
 			token) -> (response) -> {
 				Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
 				String username = assertion.getSubject().getNameID().getValue();
 				Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
 				return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
 						token.getSaml2Response(),
 						this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
 			};
 	private Converter<Saml2AuthenticationToken, SignatureTrustEngine> signatureTrustEngineConverter = new SignatureTrustEngineConverter();
-	private Converter<Tuple, SAML20AssertionValidator> assertionValidatorConverter = new SAML20AssertionValidatorConverter();
+	private Converter<TokenAndResponse, SAML20AssertionValidator> assertionValidatorConverter = new SAML20AssertionValidatorConverter();
 	private Collection<ConditionValidator> conditionValidators = Collections
 			.singleton(new AudienceRestrictionConditionValidator());
-	private Converter<Tuple, ValidationContext> validationContextConverter = new ValidationContextConverter();
+	private Converter<TokenAndResponse, ValidationContext> validationContextConverter = new ValidationContextConverter();
 	private Converter<Saml2AuthenticationToken, Decrypter> decrypterConverter = new DecrypterConverter();
@ -220,7 +213,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 	 * @since 5.4
 	 */
 	public void setConditionValidators(Collection<ConditionValidator> conditionValidators) {
 		Assert.notEmpty(conditionValidators, "conditionValidators cannot be empty");
 		this.conditionValidators = conditionValidators;
 	}
@ -231,8 +223,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 	 * @param validationContextConverter the strategy to use
 	 * @since 5.4
 	 */
-	public void setValidationContextConverter(Converter<Tuple, ValidationContext> validationContextConverter) {
+	public void setValidationContextConverter(
-
+			Converter<TokenAndResponse, ValidationContext> validationContextConverter) {
 		Assert.notNull(validationContextConverter, "validationContextConverter cannot be empty");
 		this.validationContextConverter = validationContextConverter;
 	}
@ -289,13 +281,10 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 			throw ex;
 		}
 		catch (Exception ex) {
-			throw authException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, ex.getMessage(), ex);
+			throw createAuthenticationException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, ex.getMessage(), ex);
 		}
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public boolean supports(Class<?> authentication) {
 		return authentication != null && Saml2AuthenticationToken.class.isAssignableFrom(authentication);
@ -313,39 +302,32 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 			return (Response) this.responseUnmarshaller.unmarshall(element);
 		}
 		catch (Exception ex) {
-			throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, ex.getMessage(), ex);
+			throw createAuthenticationException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, ex.getMessage(), ex);
 		}
 	}
 	private void process(Saml2AuthenticationToken token, Response response) {
 		String issuer = response.getIssuer().getValue();
-		if (logger.isDebugEnabled()) {
+		logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
 			logger.debug("Processing SAML response from " + issuer);
 		}
 		boolean responseSigned = response.isSigned();
 		Map<String, Saml2AuthenticationException> validationExceptions = validateResponse(token, response);
 		Decrypter decrypter = this.decrypterConverter.convert(token);
 		List<Assertion> assertions = decryptAssertions(decrypter, response);
 		if (!isSigned(responseSigned, assertions)) {
-			throw authException(Saml2ErrorCodes.INVALID_SIGNATURE,
+			String description = "Either the response or one of the assertions is unsigned. "
-					"Either the response or one of the assertions is unsigned. "
+					+ "Please either sign the response or all of the assertions.";
-							+ "Please either sign the response or all of the assertions.");
+			throw createAuthenticationException(Saml2ErrorCodes.INVALID_SIGNATURE, description, null);
 		}
 		validationExceptions.putAll(validateAssertions(token, response));
 		Assertion firstAssertion = CollectionUtils.firstElement(response.getAssertions());
 		NameID nameId = decryptPrincipal(decrypter, firstAssertion);
 		if (nameId == null || nameId.getValue() == null) {
-			validationExceptions.put(Saml2ErrorCodes.SUBJECT_NOT_FOUND, authException(Saml2ErrorCodes.SUBJECT_NOT_FOUND,
+			String description = "Assertion [" + firstAssertion.getID() + "] is missing a subject";
-					"Assertion [" + firstAssertion.getID() + "] is missing a subject"));
+			validationExceptions.put(Saml2ErrorCodes.SUBJECT_NOT_FOUND,
 					createAuthenticationException(Saml2ErrorCodes.SUBJECT_NOT_FOUND, description, null));
 		}
 		if (validationExceptions.isEmpty()) {
-			if (logger.isDebugEnabled()) {
+			logger.debug(LogMessage.of(() -> "Successfully processed SAML Response [" + response.getID() + "]"));
 				logger.debug("Successfully processed SAML Response [" + response.getID() + "]");
 			}
 		}
 		else {
 			if (logger.isTraceEnabled()) {
@ -357,7 +339,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 						+ response.getID() + "]");
 			}
 		}
 		if (!validationExceptions.isEmpty()) {
 			throw validationExceptions.values().iterator().next();
 		}
@ -365,21 +346,17 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 	private Map<String, Saml2AuthenticationException> validateResponse(Saml2AuthenticationToken token,
 			Response response) {
-
+		Map<String, Saml2AuthenticationException> exceptions = new HashMap<>();
 		Map<String, Saml2AuthenticationException> validationExceptions = new HashMap<>();
 		String issuer = response.getIssuer().getValue();
 		if (response.isSigned()) {
 			SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
 			try {
 				profileValidator.validate(response.getSignature());
 			}
 			catch (Exception ex) {
-				validationExceptions.put(Saml2ErrorCodes.INVALID_SIGNATURE,
+				String message = "Invalid signature for SAML Response [" + response.getID() + "]: ";
-						authException(Saml2ErrorCodes.INVALID_SIGNATURE,
+				addValidationException(exceptions, Saml2ErrorCodes.INVALID_SIGNATURE, message, ex);
 								"Invalid signature for SAML Response [" + response.getID() + "]: ", ex));
 			}
 			try {
 				CriteriaSet criteriaSet = new CriteriaSet();
 				criteriaSet.add(new EvaluableEntityIDCredentialCriterion(new EntityIdCriterion(issuer)));
@ -387,34 +364,27 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 						new EvaluableProtocolRoleDescriptorCriterion(new ProtocolCriterion(SAMLConstants.SAML20P_NS)));
 				criteriaSet.add(new EvaluableUsageCredentialCriterion(new UsageCriterion(UsageType.SIGNING)));
 				if (!this.signatureTrustEngineConverter.convert(token).validate(response.getSignature(), criteriaSet)) {
-					validationExceptions.put(Saml2ErrorCodes.INVALID_SIGNATURE,
+					String message = "Invalid signature for SAML Response [" + response.getID() + "]";
-							authException(Saml2ErrorCodes.INVALID_SIGNATURE,
+					addValidationException(exceptions, Saml2ErrorCodes.INVALID_SIGNATURE, message, null);
 									"Invalid signature for SAML Response [" + response.getID() + "]"));
 				}
 			}
 			catch (Exception ex) {
-				validationExceptions.put(Saml2ErrorCodes.INVALID_SIGNATURE,
+				String message = "Invalid signature for SAML Response [" + response.getID() + "]: ";
-						authException(Saml2ErrorCodes.INVALID_SIGNATURE,
+				addValidationException(exceptions, Saml2ErrorCodes.INVALID_SIGNATURE, message, ex);
 								"Invalid signature for SAML Response [" + response.getID() + "]: ", ex));
 			}
 		}
 		String destination = response.getDestination();
 		String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
 		if (StringUtils.hasText(destination) && !destination.equals(location)) {
 			String message = "Invalid destination [" + destination + "] for SAML response [" + response.getID() + "]";
-			validationExceptions.put(Saml2ErrorCodes.INVALID_DESTINATION,
+			addValidationException(exceptions, Saml2ErrorCodes.INVALID_DESTINATION, message, null);
 					authException(Saml2ErrorCodes.INVALID_DESTINATION, message));
 		}
 		String assertingPartyEntityId = token.getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId();
 		if (!StringUtils.hasText(issuer) || !issuer.equals(assertingPartyEntityId)) {
 			String message = String.format("Invalid issuer [%s] for SAML response [%s]", issuer, response.getID());
-			validationExceptions.put(Saml2ErrorCodes.INVALID_ISSUER,
+			addValidationException(exceptions, Saml2ErrorCodes.INVALID_ISSUER, message, null);
 					authException(Saml2ErrorCodes.INVALID_ISSUER, message));
 		}
-
+		return exceptions;
 		return validationExceptions;
 	}
 	private List<Assertion> decryptAssertions(Decrypter decrypter, Response response) {
@ -425,7 +395,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 				assertions.add(assertion);
 			}
 			catch (DecryptionException ex) {
-				throw authException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex);
+				throw createAuthenticationException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex);
 			}
 		}
 		response.getAssertions().addAll(assertions);
@ -436,52 +406,47 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 			Response response) {
 		List<Assertion> assertions = response.getAssertions();
 		if (assertions.isEmpty()) {
-			throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, "No assertions found in response.");
+			throw createAuthenticationException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA,
 					"No assertions found in response.", null);
 		}
-
+		Map<String, Saml2AuthenticationException> exceptions = new LinkedHashMap<>();
-		Map<String, Saml2AuthenticationException> validationExceptions = new LinkedHashMap<>();
+		logger.debug(LogMessage.format("Validating %s assertions", assertions.size()));
-		if (logger.isDebugEnabled()) {
+		TokenAndResponse tuple = new TokenAndResponse(token, response);
 			logger.debug("Validating " + assertions.size() + " assertions");
 		}
 		Tuple tuple = new Tuple(token, response);
 		SAML20AssertionValidator validator = this.assertionValidatorConverter.convert(tuple);
 		ValidationContext context = this.validationContextConverter.convert(tuple);
 		for (Assertion assertion : assertions) {
-			if (logger.isTraceEnabled()) {
+			logger.trace(LogMessage.format("Validating assertion %s", assertion.getID()));
 				logger.trace("Validating assertion " + assertion.getID());
 			}
 			try {
 				if (validator.validate(assertion, context) != ValidationResult.VALID) {
 					String message = String.format("Invalid assertion [%s] for SAML response [%s]: %s",
 							assertion.getID(), ((Response) assertion.getParent()).getID(),
 							context.getValidationFailureMessage());
-					validationExceptions.put(Saml2ErrorCodes.INVALID_ASSERTION,
+					addValidationException(exceptions, Saml2ErrorCodes.INVALID_ASSERTION, message, null);
 							authException(Saml2ErrorCodes.INVALID_ASSERTION, message));
 				}
 			}
 			catch (Exception ex) {
 				String message = String.format("Invalid assertion [%s] for SAML response [%s]: %s", assertion.getID(),
 						((Response) assertion.getParent()).getID(), ex.getMessage());
-				validationExceptions.put(Saml2ErrorCodes.INVALID_ASSERTION,
+				addValidationException(exceptions, Saml2ErrorCodes.INVALID_ASSERTION, message, ex);
 						authException(Saml2ErrorCodes.INVALID_ASSERTION, message, ex));
 			}
 		}
 		return exceptions;
 	}
-		return validationExceptions;
+	private void addValidationException(Map<String, Saml2AuthenticationException> exceptions, String code,
 			String message, Exception cause) {
 		exceptions.put(code, createAuthenticationException(code, message, cause));
 	}
 	private boolean isSigned(boolean responseSigned, List<Assertion> assertions) {
 		if (responseSigned) {
 			return true;
 		}
 		for (Assertion assertion : assertions) {
 			if (!assertion.isSigned()) {
 				return false;
 			}
 		}
 		return true;
 	}
@ -498,7 +463,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 			return nameId;
 		}
 		catch (DecryptionException ex) {
-			throw authException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex);
+			throw createAuthenticationException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex);
 		}
 	}
@ -506,7 +471,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 		Map<String, List<Object>> attributeMap = new LinkedHashMap<>();
 		for (AttributeStatement attributeStatement : assertion.getAttributeStatements()) {
 			for (Attribute attribute : attributeStatement.getAttributes()) {
 				List<Object> attributeValues = new ArrayList<>();
 				for (XMLObject xmlObject : attribute.getAttributeValues()) {
 					Object attributeValue = getXmlObjectValue(xmlObject);
@ -515,7 +479,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 					}
 				}
 				attributeMap.put(attribute.getName(), attributeValues);
 			}
 		}
 		return attributeMap;
@ -559,20 +522,22 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 		return xsAny.getTextContent();
 	}
-	private static Saml2Error validationError(String code, String description) {
+	private Converter<Response, AbstractAuthenticationToken> getAuthenticationConverter(
-		return new Saml2Error(code, description);
+			Saml2AuthenticationToken token) {
 		return (response) -> convertAuthenticationToken(token, response);
 	}
-	private static Saml2AuthenticationException authException(String code, String description)
+	private AbstractAuthenticationToken convertAuthenticationToken(Saml2AuthenticationToken token, Response response) {
-			throws Saml2AuthenticationException {
+		Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
-
+		String username = assertion.getSubject().getNameID().getValue();
-		return new Saml2AuthenticationException(validationError(code, description));
+		Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
 		return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
 				token.getSaml2Response(), this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
 	}
-	private static Saml2AuthenticationException authException(String code, String description, Exception cause)
+	private static Saml2AuthenticationException createAuthenticationException(String code, String message,
-			throws Saml2AuthenticationException {
+			Exception cause) {
-
+		return new Saml2AuthenticationException(new Saml2Error(code, message), cause);
 		return new Saml2AuthenticationException(validationError(code, description), cause);
 	}
 	private static class SignatureTrustEngineConverter
@ -596,10 +561,10 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 	}
-	private class ValidationContextConverter implements Converter<Tuple, ValidationContext> {
+	private class ValidationContextConverter implements Converter<TokenAndResponse, ValidationContext> {
 		@Override
-		public ValidationContext convert(Tuple tuple) {
+		public ValidationContext convert(TokenAndResponse tuple) {
 			String audience = tuple.authentication.getRelyingPartyRegistration().getEntityId();
 			String recipient = tuple.authentication.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
 			Map<String, Object> params = new HashMap<>();
@ -607,17 +572,14 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 					OpenSamlAuthenticationProvider.this.responseTimeValidationSkew.toMillis());
 			params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Collections.singleton(audience));
 			params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Collections.singleton(recipient));
-			params.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, false); // this
+			// this verification is performed earlier
-																						// verification
+			params.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, false);
 																						// is
 																						// performed
 			// earlier
 			return new ValidationContext(params);
 		}
 	}
-	private class SAML20AssertionValidatorConverter implements Converter<Tuple, SAML20AssertionValidator> {
+	private class SAML20AssertionValidatorConverter implements Converter<TokenAndResponse, SAML20AssertionValidator> {
 		private final Collection<SubjectConfirmationValidator> subjects = new ArrayList<>();
@ -638,7 +600,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 		}
 		@Override
-		public SAML20AssertionValidator convert(Tuple tuple) {
+		public SAML20AssertionValidator convert(TokenAndResponse tuple) {
 			Collection<ConditionValidator> conditions = OpenSamlAuthenticationProvider.this.conditionValidators;
 			return new SAML20AssertionValidator(conditions, this.subjects, this.statements,
 					OpenSamlAuthenticationProvider.this.signatureTrustEngineConverter.convert(tuple.authentication),
@ -674,13 +636,13 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
 	 *
 	 * @since 5.4
 	 */
-	public static final class Tuple {
+	public static final class TokenAndResponse {
 		private final Saml2AuthenticationToken authentication;
 		private final Response response;
-		private Tuple(Saml2AuthenticationToken authentication, Response response) {
+		private TokenAndResponse(Saml2AuthenticationToken authentication, Response response) {
 			this.authentication = authentication;
 			this.response = response;
 		}
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.java
@ -117,22 +117,15 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
 		throw new IllegalArgumentException("No signing credential provided");
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public Saml2PostAuthenticationRequest createPostAuthenticationRequest(Saml2AuthenticationRequestContext context) {
 		AuthnRequest authnRequest = createAuthnRequest(context);
 		String xml = context.getRelyingPartyRegistration().getAssertingPartyDetails().getWantAuthnRequestsSigned()
 				? serialize(sign(authnRequest, context.getRelyingPartyRegistration())) : serialize(authnRequest);
 		return Saml2PostAuthenticationRequest.withAuthenticationRequestContext(context)
 				.samlRequest(Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8))).build();
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(
 			Saml2AuthenticationRequestContext context) {
@ -141,7 +134,6 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
 		Builder result = Saml2RedirectAuthenticationRequest.withAuthenticationRequestContext(context);
 		String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
 		result.samlRequest(deflatedAndEncoded).relayState(context.getRelayState());
 		if (context.getRelyingPartyRegistration().getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
 			Collection<Saml2X509Credential> signingCredentials = context.getRelyingPartyRegistration()
 					.getSigningX509Credentials();
@ -154,7 +146,6 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
 			}
 			throw new Saml2Exception("No signing credential provided");
 		}
 		return result.build();
 	}
@ -266,12 +257,10 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
 					.append(UriUtils.encode(relayState, StandardCharsets.ISO_8859_1)).append("&");
 		}
 		queryString.append("SigAlg").append("=").append(UriUtils.encode(algorithmUri, StandardCharsets.ISO_8859_1));
 		try {
 			byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri,
 					queryString.toString().getBytes(StandardCharsets.UTF_8));
 			String b64Signature = Saml2Utils.samlEncode(rawSignature);
 			Map<String, String> result = new LinkedHashMap<>();
 			result.put("SAMLRequest", samlRequest);
 			if (StringUtils.hasText(relayState)) {
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationException.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationException.java
@ -56,7 +56,7 @@ public class Saml2AuthenticationException extends AuthenticationException {
 	 * @param cause the root cause
 	 */
 	public Saml2AuthenticationException(Saml2Error error, Throwable cause) {
-		this(error, cause.getMessage(), cause);
+		this(error, (cause != null) ? cause.getMessage() : error.getDescription(), cause);
 	}
 	/**
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java
@ -52,7 +52,6 @@ public class Saml2AuthenticationToken extends AbstractAuthenticationToken {
 	 * @since 5.4
 	 */
 	public Saml2AuthenticationToken(RelyingPartyRegistration relyingPartyRegistration, String saml2Response) {
 		super(Collections.emptyList());
 		Assert.notNull(relyingPartyRegistration, "relyingPartyRegistration cannot be null");
 		Assert.notNull(saml2Response, "saml2Response cannot be null");
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequest.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequest.java
@ -60,7 +60,6 @@ public class Saml2PostAuthenticationRequest extends AbstractSaml2AuthenticationR
 	public static final class Builder extends AbstractSaml2AuthenticationRequest.Builder<Builder> {
 		private Builder() {
 			super();
 		}
 		/**
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequest.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequest.java
@ -87,7 +87,6 @@ public final class Saml2RedirectAuthenticationRequest extends AbstractSaml2Authe
 		private String signature;
 		private Builder() {
 			super();
 		}
 		/**
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java
@ -67,17 +67,12 @@ public final class OpenSamlMetadataResolver implements Saml2MetadataResolver {
 		Assert.notNull(this.entityDescriptorMarshaller, "entityDescriptorMarshaller cannot be null");
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public String resolve(RelyingPartyRegistration relyingPartyRegistration) {
 		EntityDescriptor entityDescriptor = build(EntityDescriptor.ELEMENT_QNAME);
 		entityDescriptor.setEntityID(relyingPartyRegistration.getEntityId());
 		SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(relyingPartyRegistration);
 		entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);
 		return serialize(entityDescriptor);
 	}
@ -107,17 +102,14 @@ public final class OpenSamlMetadataResolver implements Saml2MetadataResolver {
 		KeyInfo keyInfo = build(KeyInfo.DEFAULT_ELEMENT_NAME);
 		X509Certificate x509Certificate = build(X509Certificate.DEFAULT_ELEMENT_NAME);
 		X509Data x509Data = build(X509Data.DEFAULT_ELEMENT_NAME);
 		try {
 			x509Certificate.setValue(new String(Base64.getEncoder().encode(certificate.getEncoded())));
 		}
 		catch (CertificateEncodingException ex) {
 			throw new Saml2Exception("Cannot encode certificate " + certificate.toString());
 		}
 		x509Data.getX509Certificates().add(x509Certificate);
 		keyInfo.getX509Datas().add(x509Data);
 		keyDescriptor.setUse(usageType);
 		keyDescriptor.setKeyInfo(keyInfo);
 		return keyDescriptor;
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter.java
@ -96,37 +96,24 @@ public class OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter
 		this.parserPool = registry.getParserPool();
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public boolean canRead(Class<?> clazz, MediaType mediaType) {
 		return RelyingPartyRegistration.Builder.class.isAssignableFrom(clazz);
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public boolean canWrite(Class<?> clazz, MediaType mediaType) {
 		return false;
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public List<MediaType> getSupportedMediaTypes() {
 		return Arrays.asList(MediaType.APPLICATION_XML, MediaType.TEXT_XML);
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public RelyingPartyRegistration.Builder read(Class<? extends RelyingPartyRegistration.Builder> clazz,
 			HttpInputMessage inputMessage) throws IOException, HttpMessageNotReadableException {
 		EntityDescriptor descriptor = entityDescriptor(inputMessage.getBody());
 		IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
 		if (idpssoDescriptor == null) {
@ -184,6 +171,32 @@ public class OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter
 				"Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests");
 	}
 	private List<Saml2X509Credential> getVerification(IDPSSODescriptor idpssoDescriptor) {
 		List<Saml2X509Credential> verification = new ArrayList<>();
 		for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
 			if (keyDescriptor.getUse().equals(UsageType.SIGNING)) {
 				List<X509Certificate> certificates = certificates(keyDescriptor);
 				for (X509Certificate certificate : certificates) {
 					verification.add(Saml2X509Credential.verification(certificate));
 				}
 			}
 		}
 		return verification;
 	}
 	private List<Saml2X509Credential> getEncryption(IDPSSODescriptor idpssoDescriptor) {
 		List<Saml2X509Credential> encryption = new ArrayList<>();
 		for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
 			if (keyDescriptor.getUse().equals(UsageType.ENCRYPTION)) {
 				List<X509Certificate> certificates = certificates(keyDescriptor);
 				for (X509Certificate certificate : certificates) {
 					encryption.add(Saml2X509Credential.encryption(certificate));
 				}
 			}
 		}
 		return encryption;
 	}
 	private List<X509Certificate> certificates(KeyDescriptor keyDescriptor) {
 		try {
 			return KeyInfoSupport.getCertificates(keyDescriptor.getKeyInfo());
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java
@ -28,8 +28,6 @@ import java.util.function.Consumer;
 import java.util.function.Function;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails;
 import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
 import org.springframework.util.Assert;
@ -94,7 +92,6 @@ public final class RelyingPartyRegistration {
 			Collection<org.springframework.security.saml2.credentials.Saml2X509Credential> credentials,
 			Collection<Saml2X509Credential> decryptionX509Credentials,
 			Collection<Saml2X509Credential> signingX509Credentials) {
 		Assert.hasText(registrationId, "registrationId cannot be empty");
 		Assert.hasText(entityId, "entityId cannot be empty");
 		Assert.hasText(assertionConsumerServiceLocation, "assertionConsumerServiceLocation cannot be empty");
@ -332,7 +329,6 @@ public final class RelyingPartyRegistration {
 	private List<org.springframework.security.saml2.credentials.Saml2X509Credential> filterCredentials(
 			Function<org.springframework.security.saml2.credentials.Saml2X509Credential, Boolean> filter) {
 		List<org.springframework.security.saml2.credentials.Saml2X509Credential> result = new LinkedList<>();
 		for (org.springframework.security.saml2.credentials.Saml2X509Credential c : this.credentials) {
 			if (filter.apply(c)) {
@ -447,7 +443,6 @@ public final class RelyingPartyRegistration {
 				Collection<Saml2X509Credential> verificationX509Credentials,
 				Collection<Saml2X509Credential> encryptionX509Credentials, String singleSignOnServiceLocation,
 				Saml2MessageBinding singleSignOnServiceBinding) {
 			Assert.hasText(entityId, "entityId cannot be null or empty");
 			Assert.notNull(verificationX509Credentials, "verificationX509Credentials cannot be null");
 			for (Saml2X509Credential credential : verificationX509Credentials) {
@ -1038,7 +1033,6 @@ public final class RelyingPartyRegistration {
 			for (Saml2X509Credential credential : this.providerDetails.assertingPartyDetailsBuilder.encryptionX509Credentials) {
 				this.credentials.add(toDeprecated(credential));
 			}
 			return new RelyingPartyRegistration(this.registrationId, this.entityId,
 					this.assertionConsumerServiceLocation, this.assertionConsumerServiceBinding,
 					this.providerDetails.build(), this.credentials, this.decryptionX509Credentials,
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2ServletUtils.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2ServletUtils.java
@ -41,7 +41,6 @@ final class Saml2ServletUtils {
 		if (!StringUtils.hasText(template)) {
 			return baseUrl;
 		}
 		String entityId = relyingParty.getAssertingPartyDetails().getEntityId();
 		String registrationId = relyingParty.getRegistrationId();
 		Map<String, String> uriVariables = new HashMap<>();
@ -64,7 +63,6 @@ final class Saml2ServletUtils {
 		uriVariables.put("baseUrl", uriComponents.toUriString());
 		uriVariables.put("entityId", StringUtils.hasText(entityId) ? entityId : "");
 		uriVariables.put("registrationId", StringUtils.hasText(registrationId) ? registrationId : "");
 		return UriComponentsBuilder.fromUriString(template).buildAndExpand(uriVariables).toUriString();
 	}
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java
@ -131,13 +131,9 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter
 		this.redirectMatcher = redirectMatcher;
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
 			throws ServletException, IOException {
 		MatchResult matcher = this.redirectMatcher.matcher(request);
 		if (!matcher.isMatch()) {
 			filterChain.doFilter(request, response);
@ -192,26 +188,42 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter
 		String authenticationRequestUri = authenticationRequest.getAuthenticationRequestUri();
 		String relayState = authenticationRequest.getRelayState();
 		String samlRequest = authenticationRequest.getSamlRequest();
-		StringBuilder postHtml = new StringBuilder().append("<!DOCTYPE html>\n").append("<html>\n")
+		StringBuilder html = new StringBuilder();
-				.append("    <head>\n").append("        <meta charset=\"utf-8\" />\n").append("    </head>\n")
+		html.append("<!DOCTYPE html>\n");
-				.append("    <body onload=\"document.forms[0].submit()\">\n").append("        <noscript>\n")
+		html.append("<html>\n").append("    <head>\n");
-				.append("            <p>\n")
+		html.append("        <meta charset=\"utf-8\" />\n");
-				.append("                <strong>Note:</strong> Since your browser does not support JavaScript,\n")
+		html.append("    </head>\n");
-				.append("                you must press the Continue button once to proceed.\n")
+		html.append("    <body onload=\"document.forms[0].submit()\">\n");
-				.append("            </p>\n").append("        </noscript>\n").append("        \n")
+		html.append("        <noscript>\n");
-				.append("        <form action=\"").append(authenticationRequestUri).append("\" method=\"post\">\n")
+		html.append("            <p>\n");
-				.append("            <div>\n")
+		html.append("                <strong>Note:</strong> Since your browser does not support JavaScript,\n");
-				.append("                <input type=\"hidden\" name=\"SAMLRequest\" value=\"")
+		html.append("                you must press the Continue button once to proceed.\n");
-				.append(HtmlUtils.htmlEscape(samlRequest)).append("\"/>\n");
+		html.append("            </p>\n");
 		html.append("        </noscript>\n");
 		html.append("        \n");
 		html.append("        <form action=\"");
 		html.append(authenticationRequestUri);
 		html.append("\" method=\"post\">\n");
 		html.append("            <div>\n");
 		html.append("                <input type=\"hidden\" name=\"SAMLRequest\" value=\"");
 		html.append(HtmlUtils.htmlEscape(samlRequest));
 		html.append("\"/>\n");
 		if (StringUtils.hasText(relayState)) {
-			postHtml.append("                <input type=\"hidden\" name=\"RelayState\" value=\"")
+			html.append("                <input type=\"hidden\" name=\"RelayState\" value=\"");
-					.append(HtmlUtils.htmlEscape(relayState)).append("\"/>\n");
+			html.append(HtmlUtils.htmlEscape(relayState));
 			html.append("\"/>\n");
 		}
-		postHtml.append("            </div>\n").append("            <noscript>\n").append("                <div>\n")
+		html.append("            </div>\n");
-				.append("                    <input type=\"submit\" value=\"Continue\"/>\n")
+		html.append("            <noscript>\n");
-				.append("                </div>\n").append("            </noscript>\n").append("        </form>\n")
+		html.append("                <div>\n");
-				.append("        \n").append("    </body>\n").append("</html>");
+		html.append("                    <input type=\"submit\" value=\"Continue\"/>\n");
-		return postHtml.toString();
+		html.append("                </div>\n");
 		html.append("            </noscript>\n");
 		html.append("        </form>\n");
 		html.append("        \n");
 		html.append("    </body>\n");
 		html.append("</html>");
 		return html.toString();
 	}
 }
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultRelyingPartyRegistrationResolver.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultRelyingPartyRegistrationResolver.java
@ -52,7 +52,6 @@ public final class DefaultRelyingPartyRegistrationResolver
 	public DefaultRelyingPartyRegistrationResolver(
 			RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
 		Assert.notNull(relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null");
 		this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
 	}
@ -68,7 +67,6 @@ public final class DefaultRelyingPartyRegistrationResolver
 		if (relyingPartyRegistration == null) {
 			return null;
 		}
 		String applicationUri = getApplicationUri(request);
 		Function<String, String> templateResolver = templateResolver(applicationUri, relyingPartyRegistration);
 		String relyingPartyEntityId = templateResolver.apply(relyingPartyRegistration.getEntityId());
@ -104,7 +102,6 @@ public final class DefaultRelyingPartyRegistrationResolver
 		uriVariables.put("baseUrl", uriComponents.toUriString());
 		uriVariables.put("entityId", StringUtils.hasText(entityId) ? entityId : "");
 		uriVariables.put("registrationId", StringUtils.hasText(registrationId) ? registrationId : "");
 		return UriComponentsBuilder.fromUriString(template).buildAndExpand(uriVariables).toUriString();
 	}
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultSaml2AuthenticationRequestContextResolver.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultSaml2AuthenticationRequestContextResolver.java
@ -47,9 +47,6 @@ public final class DefaultSaml2AuthenticationRequestContextResolver
 		this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public Saml2AuthenticationRequestContext resolve(HttpServletRequest request) {
 		Assert.notNull(request, "request cannot be null");
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java
@ -60,9 +60,6 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
 		this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
 	}
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public Saml2AuthenticationToken convert(HttpServletRequest request) {
 		RelyingPartyRegistration relyingPartyRegistration = this.relyingPartyRegistrationResolver.convert(request);
@ -82,10 +79,8 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
 		if (HttpMethod.GET.matches(request.getMethod())) {
 			return samlInflate(b);
 		}
 		else {
 		return new String(b, StandardCharsets.UTF_8);
 	}
 	}
 	private byte[] samlDecode(String s) {
 		return BASE64.decode(s);
@ -94,9 +89,9 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
 	private String samlInflate(byte[] b) {
 		try {
 			ByteArrayOutputStream out = new ByteArrayOutputStream();
-			InflaterOutputStream iout = new InflaterOutputStream(out, new Inflater(true));
+			InflaterOutputStream inflaterOutputStream = new InflaterOutputStream(out, new Inflater(true));
-			iout.write(b);
+			inflaterOutputStream.write(b);
-			iout.finish();
+			inflaterOutputStream.finish();
 			return new String(out.toByteArray(), StandardCharsets.UTF_8);
 		}
 		catch (IOException ex) {
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2MetadataFilter.java
@ -60,19 +60,16 @@ public final class Saml2MetadataFilter extends OncePerRequestFilter {
 	@Override
 	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
 			throws ServletException, IOException {
 		RequestMatcher.MatchResult matcher = this.requestMatcher.matcher(request);
 		if (!matcher.isMatch()) {
 			chain.doFilter(request, response);
 			return;
 		}
 		RelyingPartyRegistration relyingPartyRegistration = this.relyingPartyRegistrationConverter.convert(request);
 		if (relyingPartyRegistration == null) {
 			response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
 			return;
 		}
 		String metadata = this.saml2MetadataResolver.resolve(relyingPartyRegistration);
 		String registrationId = relyingPartyRegistration.getRegistrationId();
 		writeMetadataToResponse(response, registrationId, metadata);
@ -80,7 +77,6 @@ public final class Saml2MetadataFilter extends OncePerRequestFilter {
 	private void writeMetadataToResponse(HttpServletResponse response, String registrationId, String metadata)
 			throws IOException {
 		response.setContentType(MediaType.APPLICATION_XML_VALUE);
 		response.setHeader(HttpHeaders.CONTENT_DISPOSITION,
 				"attachment; filename=\"saml-" + registrationId + "-metadata.xml\"");
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java
@ -45,11 +45,12 @@ public final class Saml2Utils {
 	public static byte[] samlDeflate(String s) {
 		try {
-			ByteArrayOutputStream b = new ByteArrayOutputStream();
+			ByteArrayOutputStream out = new ByteArrayOutputStream();
-			DeflaterOutputStream deflater = new DeflaterOutputStream(b, new Deflater(Deflater.DEFLATED, true));
+			DeflaterOutputStream deflaterOutputStream = new DeflaterOutputStream(out,
-			deflater.write(s.getBytes(StandardCharsets.UTF_8));
+					new Deflater(Deflater.DEFLATED, true));
-			deflater.finish();
+			deflaterOutputStream.write(s.getBytes(StandardCharsets.UTF_8));
-			return b.toByteArray();
+			deflaterOutputStream.finish();
 			return out.toByteArray();
 		}
 		catch (IOException ex) {
 			throw new Saml2Exception("Unable to deflate string", ex);
@ -59,9 +60,9 @@ public final class Saml2Utils {
 	public static String samlInflate(byte[] b) {
 		try {
 			ByteArrayOutputStream out = new ByteArrayOutputStream();
-			InflaterOutputStream iout = new InflaterOutputStream(out, new Inflater(true));
+			InflaterOutputStream inflaterOutputStream = new InflaterOutputStream(out, new Inflater(true));
-			iout.write(b);
+			inflaterOutputStream.write(b);
-			iout.finish();
+			inflaterOutputStream.finish();
 			return new String(out.toByteArray(), StandardCharsets.UTF_8);
 		}
 		catch (IOException ex) {