mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-03-01 10:59:16 +00:00
Polish spring-security-saml2 main code
Manually polish `spring-security-saml2` following the formatting and checkstyle fixes. Issue gh-8945
This commit is contained in:
Phillip Webb
Rob Winch
parent
e8094b8cf2
commit
1f03608b73
@ -118,27 +118,15 @@ public final class OpenSamlInitializationService {
|
||||
private static boolean initialize(Consumer<XMLObjectProviderRegistry> registryConsumer) {
|
||||
if (initialized.compareAndSet(false, true)) {
|
||||
log.trace("Initializing OpenSAML");
|
||||
|
||||
try {
|
||||
InitializationService.initialize();
|
||||
}
|
||||
catch (Exception ex) {
|
||||
throw new Saml2Exception(ex);
|
||||
}
|
||||
|
||||
BasicParserPool parserPool = new BasicParserPool();
|
||||
parserPool.setMaxPoolSize(50);
|
||||
|
||||
Map<String, Boolean> parserBuilderFeatures = new HashMap<>();
|
||||
parserBuilderFeatures.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
|
||||
parserBuilderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
|
||||
parserBuilderFeatures.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
|
||||
parserBuilderFeatures.put("http://apache.org/xml/features/validation/schema/normalized-value",
|
||||
Boolean.FALSE);
|
||||
parserBuilderFeatures.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
|
||||
parserBuilderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE);
|
||||
parserPool.setBuilderFeatures(parserBuilderFeatures);
|
||||
|
||||
parserPool.setBuilderFeatures(getParserBuilderFeatures());
|
||||
try {
|
||||
parserPool.initialize();
|
||||
}
|
||||
@ -146,16 +134,23 @@ public final class OpenSamlInitializationService {
|
||||
throw new Saml2Exception(ex);
|
||||
}
|
||||
XMLObjectProviderRegistrySupport.setParserPool(parserPool);
|
||||
|
||||
registryConsumer.accept(ConfigurationService.get(XMLObjectProviderRegistry.class));
|
||||
|
||||
log.debug("Initialized OpenSAML");
|
||||
return true;
|
||||
}
|
||||
else {
|
||||
log.debug("Refused to re-initialize OpenSAML");
|
||||
return false;
|
||||
}
|
||||
|
||||
private static Map<String, Boolean> getParserBuilderFeatures() {
|
||||
Map<String, Boolean> parserBuilderFeatures = new HashMap<>();
|
||||
parserBuilderFeatures.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
|
||||
parserBuilderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
|
||||
parserBuilderFeatures.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
|
||||
parserBuilderFeatures.put("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE);
|
||||
parserBuilderFeatures.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
|
||||
parserBuilderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE);
|
||||
return parserBuilderFeatures;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -37,12 +37,6 @@ import org.springframework.util.Assert;
|
||||
*/
|
||||
public final class Saml2X509Credential {
|
||||
|
||||
public enum Saml2X509CredentialType {
|
||||
|
||||
VERIFICATION, ENCRYPTION, SIGNING, DECRYPTION,
|
||||
|
||||
}
|
||||
|
||||
private final PrivateKey privateKey;
|
||||
|
||||
private final X509Certificate certificate;
|
||||
@ -225,4 +219,16 @@ public final class Saml2X509Credential {
|
||||
}
|
||||
}
|
||||
|
||||
public enum Saml2X509CredentialType {
|
||||
|
||||
VERIFICATION,
|
||||
|
||||
ENCRYPTION,
|
||||
|
||||
SIGNING,
|
||||
|
||||
DECRYPTION,
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -39,18 +39,6 @@ import org.springframework.util.Assert;
|
||||
@Deprecated
|
||||
public class Saml2X509Credential {
|
||||
|
||||
/**
|
||||
* @deprecated Use
|
||||
* {@link org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType}
|
||||
* instead
|
||||
*/
|
||||
@Deprecated
|
||||
public enum Saml2X509CredentialType {
|
||||
|
||||
VERIFICATION, ENCRYPTION, SIGNING, DECRYPTION,
|
||||
|
||||
}
|
||||
|
||||
private final PrivateKey privateKey;
|
||||
|
||||
private final X509Certificate certificate;
|
||||
@ -199,4 +187,22 @@ public class Saml2X509Credential {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated Use
|
||||
* {@link org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType}
|
||||
* instead
|
||||
*/
|
||||
@Deprecated
|
||||
public enum Saml2X509CredentialType {
|
||||
|
||||
VERIFICATION,
|
||||
|
||||
ENCRYPTION,
|
||||
|
||||
SIGNING,
|
||||
|
||||
DECRYPTION,
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -37,7 +37,6 @@ public class DefaultSaml2AuthenticatedPrincipal implements Saml2AuthenticatedPri
|
||||
public DefaultSaml2AuthenticatedPrincipal(String name, Map<String, List<Object>> attributes) {
|
||||
Assert.notNull(name, "name cannot be null");
|
||||
Assert.notNull(attributes, "attributes cannot be null");
|
||||
|
||||
this.name = name;
|
||||
this.attributes = attributes;
|
||||
}
|
||||
|
||||
@ -100,6 +100,7 @@ import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
|
||||
import org.springframework.core.convert.converter.Converter;
|
||||
import org.springframework.core.log.LogMessage;
|
||||
import org.springframework.security.authentication.AbstractAuthenticationToken;
|
||||
import org.springframework.security.authentication.AuthenticationProvider;
|
||||
import org.springframework.security.core.Authentication;
|
||||
@ -182,24 +183,16 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
|
||||
private Duration responseTimeValidationSkew = Duration.ofMinutes(5);
|
||||
|
||||
private Function<Saml2AuthenticationToken, Converter<Response, AbstractAuthenticationToken>> authenticationConverter = (
|
||||
token) -> (response) -> {
|
||||
Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
|
||||
String username = assertion.getSubject().getNameID().getValue();
|
||||
Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
|
||||
return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
|
||||
token.getSaml2Response(),
|
||||
this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
|
||||
};
|
||||
private Function<Saml2AuthenticationToken, Converter<Response, AbstractAuthenticationToken>> authenticationConverter = this::getAuthenticationConverter;
|
||||
|
||||
private Converter<Saml2AuthenticationToken, SignatureTrustEngine> signatureTrustEngineConverter = new SignatureTrustEngineConverter();
|
||||
|
||||
private Converter<Tuple, SAML20AssertionValidator> assertionValidatorConverter = new SAML20AssertionValidatorConverter();
|
||||
private Converter<TokenAndResponse, SAML20AssertionValidator> assertionValidatorConverter = new SAML20AssertionValidatorConverter();
|
||||
|
||||
private Collection<ConditionValidator> conditionValidators = Collections
|
||||
.singleton(new AudienceRestrictionConditionValidator());
|
||||
|
||||
private Converter<Tuple, ValidationContext> validationContextConverter = new ValidationContextConverter();
|
||||
private Converter<TokenAndResponse, ValidationContext> validationContextConverter = new ValidationContextConverter();
|
||||
|
||||
private Converter<Saml2AuthenticationToken, Decrypter> decrypterConverter = new DecrypterConverter();
|
||||
|
||||
@ -220,7 +213,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
* @since 5.4
|
||||
*/
|
||||
public void setConditionValidators(Collection<ConditionValidator> conditionValidators) {
|
||||
|
||||
Assert.notEmpty(conditionValidators, "conditionValidators cannot be empty");
|
||||
this.conditionValidators = conditionValidators;
|
||||
}
|
||||
@ -231,8 +223,8 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
* @param validationContextConverter the strategy to use
|
||||
* @since 5.4
|
||||
*/
|
||||
public void setValidationContextConverter(Converter<Tuple, ValidationContext> validationContextConverter) {
|
||||
|
||||
public void setValidationContextConverter(
|
||||
Converter<TokenAndResponse, ValidationContext> validationContextConverter) {
|
||||
Assert.notNull(validationContextConverter, "validationContextConverter cannot be empty");
|
||||
this.validationContextConverter = validationContextConverter;
|
||||
}
|
||||
@ -289,13 +281,10 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
throw ex;
|
||||
}
|
||||
catch (Exception ex) {
|
||||
throw authException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, ex.getMessage(), ex);
|
||||
throw createAuthenticationException(Saml2ErrorCodes.INTERNAL_VALIDATION_ERROR, ex.getMessage(), ex);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public boolean supports(Class<?> authentication) {
|
||||
return authentication != null && Saml2AuthenticationToken.class.isAssignableFrom(authentication);
|
||||
@ -313,39 +302,32 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
return (Response) this.responseUnmarshaller.unmarshall(element);
|
||||
}
|
||||
catch (Exception ex) {
|
||||
throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, ex.getMessage(), ex);
|
||||
throw createAuthenticationException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, ex.getMessage(), ex);
|
||||
}
|
||||
}
|
||||
|
||||
private void process(Saml2AuthenticationToken token, Response response) {
|
||||
String issuer = response.getIssuer().getValue();
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Processing SAML response from " + issuer);
|
||||
}
|
||||
|
||||
logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
|
||||
boolean responseSigned = response.isSigned();
|
||||
Map<String, Saml2AuthenticationException> validationExceptions = validateResponse(token, response);
|
||||
|
||||
Decrypter decrypter = this.decrypterConverter.convert(token);
|
||||
List<Assertion> assertions = decryptAssertions(decrypter, response);
|
||||
if (!isSigned(responseSigned, assertions)) {
|
||||
throw authException(Saml2ErrorCodes.INVALID_SIGNATURE,
|
||||
"Either the response or one of the assertions is unsigned. "
|
||||
+ "Please either sign the response or all of the assertions.");
|
||||
String description = "Either the response or one of the assertions is unsigned. "
|
||||
+ "Please either sign the response or all of the assertions.";
|
||||
throw createAuthenticationException(Saml2ErrorCodes.INVALID_SIGNATURE, description, null);
|
||||
}
|
||||
validationExceptions.putAll(validateAssertions(token, response));
|
||||
|
||||
Assertion firstAssertion = CollectionUtils.firstElement(response.getAssertions());
|
||||
NameID nameId = decryptPrincipal(decrypter, firstAssertion);
|
||||
if (nameId == null || nameId.getValue() == null) {
|
||||
validationExceptions.put(Saml2ErrorCodes.SUBJECT_NOT_FOUND, authException(Saml2ErrorCodes.SUBJECT_NOT_FOUND,
|
||||
"Assertion [" + firstAssertion.getID() + "] is missing a subject"));
|
||||
String description = "Assertion [" + firstAssertion.getID() + "] is missing a subject";
|
||||
validationExceptions.put(Saml2ErrorCodes.SUBJECT_NOT_FOUND,
|
||||
createAuthenticationException(Saml2ErrorCodes.SUBJECT_NOT_FOUND, description, null));
|
||||
}
|
||||
|
||||
if (validationExceptions.isEmpty()) {
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Successfully processed SAML Response [" + response.getID() + "]");
|
||||
}
|
||||
logger.debug(LogMessage.of(() -> "Successfully processed SAML Response [" + response.getID() + "]"));
|
||||
}
|
||||
else {
|
||||
if (logger.isTraceEnabled()) {
|
||||
@ -357,7 +339,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
+ response.getID() + "]");
|
||||
}
|
||||
}
|
||||
|
||||
if (!validationExceptions.isEmpty()) {
|
||||
throw validationExceptions.values().iterator().next();
|
||||
}
|
||||
@ -365,21 +346,17 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
|
||||
private Map<String, Saml2AuthenticationException> validateResponse(Saml2AuthenticationToken token,
|
||||
Response response) {
|
||||
|
||||
Map<String, Saml2AuthenticationException> validationExceptions = new HashMap<>();
|
||||
Map<String, Saml2AuthenticationException> exceptions = new HashMap<>();
|
||||
String issuer = response.getIssuer().getValue();
|
||||
|
||||
if (response.isSigned()) {
|
||||
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
|
||||
try {
|
||||
profileValidator.validate(response.getSignature());
|
||||
}
|
||||
catch (Exception ex) {
|
||||
validationExceptions.put(Saml2ErrorCodes.INVALID_SIGNATURE,
|
||||
authException(Saml2ErrorCodes.INVALID_SIGNATURE,
|
||||
"Invalid signature for SAML Response [" + response.getID() + "]: ", ex));
|
||||
String message = "Invalid signature for SAML Response [" + response.getID() + "]: ";
|
||||
addValidationException(exceptions, Saml2ErrorCodes.INVALID_SIGNATURE, message, ex);
|
||||
}
|
||||
|
||||
try {
|
||||
CriteriaSet criteriaSet = new CriteriaSet();
|
||||
criteriaSet.add(new EvaluableEntityIDCredentialCriterion(new EntityIdCriterion(issuer)));
|
||||
@ -387,34 +364,27 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
new EvaluableProtocolRoleDescriptorCriterion(new ProtocolCriterion(SAMLConstants.SAML20P_NS)));
|
||||
criteriaSet.add(new EvaluableUsageCredentialCriterion(new UsageCriterion(UsageType.SIGNING)));
|
||||
if (!this.signatureTrustEngineConverter.convert(token).validate(response.getSignature(), criteriaSet)) {
|
||||
validationExceptions.put(Saml2ErrorCodes.INVALID_SIGNATURE,
|
||||
authException(Saml2ErrorCodes.INVALID_SIGNATURE,
|
||||
"Invalid signature for SAML Response [" + response.getID() + "]"));
|
||||
String message = "Invalid signature for SAML Response [" + response.getID() + "]";
|
||||
addValidationException(exceptions, Saml2ErrorCodes.INVALID_SIGNATURE, message, null);
|
||||
}
|
||||
}
|
||||
catch (Exception ex) {
|
||||
validationExceptions.put(Saml2ErrorCodes.INVALID_SIGNATURE,
|
||||
authException(Saml2ErrorCodes.INVALID_SIGNATURE,
|
||||
"Invalid signature for SAML Response [" + response.getID() + "]: ", ex));
|
||||
String message = "Invalid signature for SAML Response [" + response.getID() + "]: ";
|
||||
addValidationException(exceptions, Saml2ErrorCodes.INVALID_SIGNATURE, message, ex);
|
||||
}
|
||||
}
|
||||
|
||||
String destination = response.getDestination();
|
||||
String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
|
||||
if (StringUtils.hasText(destination) && !destination.equals(location)) {
|
||||
String message = "Invalid destination [" + destination + "] for SAML response [" + response.getID() + "]";
|
||||
validationExceptions.put(Saml2ErrorCodes.INVALID_DESTINATION,
|
||||
authException(Saml2ErrorCodes.INVALID_DESTINATION, message));
|
||||
addValidationException(exceptions, Saml2ErrorCodes.INVALID_DESTINATION, message, null);
|
||||
}
|
||||
|
||||
String assertingPartyEntityId = token.getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId();
|
||||
if (!StringUtils.hasText(issuer) || !issuer.equals(assertingPartyEntityId)) {
|
||||
String message = String.format("Invalid issuer [%s] for SAML response [%s]", issuer, response.getID());
|
||||
validationExceptions.put(Saml2ErrorCodes.INVALID_ISSUER,
|
||||
authException(Saml2ErrorCodes.INVALID_ISSUER, message));
|
||||
addValidationException(exceptions, Saml2ErrorCodes.INVALID_ISSUER, message, null);
|
||||
}
|
||||
|
||||
return validationExceptions;
|
||||
return exceptions;
|
||||
}
|
||||
|
||||
private List<Assertion> decryptAssertions(Decrypter decrypter, Response response) {
|
||||
@ -425,7 +395,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
assertions.add(assertion);
|
||||
}
|
||||
catch (DecryptionException ex) {
|
||||
throw authException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex);
|
||||
throw createAuthenticationException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex);
|
||||
}
|
||||
}
|
||||
response.getAssertions().addAll(assertions);
|
||||
@ -436,52 +406,47 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
Response response) {
|
||||
List<Assertion> assertions = response.getAssertions();
|
||||
if (assertions.isEmpty()) {
|
||||
throw authException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA, "No assertions found in response.");
|
||||
throw createAuthenticationException(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA,
|
||||
"No assertions found in response.", null);
|
||||
}
|
||||
|
||||
Map<String, Saml2AuthenticationException> validationExceptions = new LinkedHashMap<>();
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Validating " + assertions.size() + " assertions");
|
||||
}
|
||||
|
||||
Tuple tuple = new Tuple(token, response);
|
||||
Map<String, Saml2AuthenticationException> exceptions = new LinkedHashMap<>();
|
||||
logger.debug(LogMessage.format("Validating %s assertions", assertions.size()));
|
||||
TokenAndResponse tuple = new TokenAndResponse(token, response);
|
||||
SAML20AssertionValidator validator = this.assertionValidatorConverter.convert(tuple);
|
||||
ValidationContext context = this.validationContextConverter.convert(tuple);
|
||||
for (Assertion assertion : assertions) {
|
||||
if (logger.isTraceEnabled()) {
|
||||
logger.trace("Validating assertion " + assertion.getID());
|
||||
}
|
||||
logger.trace(LogMessage.format("Validating assertion %s", assertion.getID()));
|
||||
try {
|
||||
if (validator.validate(assertion, context) != ValidationResult.VALID) {
|
||||
String message = String.format("Invalid assertion [%s] for SAML response [%s]: %s",
|
||||
assertion.getID(), ((Response) assertion.getParent()).getID(),
|
||||
context.getValidationFailureMessage());
|
||||
validationExceptions.put(Saml2ErrorCodes.INVALID_ASSERTION,
|
||||
authException(Saml2ErrorCodes.INVALID_ASSERTION, message));
|
||||
addValidationException(exceptions, Saml2ErrorCodes.INVALID_ASSERTION, message, null);
|
||||
}
|
||||
}
|
||||
catch (Exception ex) {
|
||||
String message = String.format("Invalid assertion [%s] for SAML response [%s]: %s", assertion.getID(),
|
||||
((Response) assertion.getParent()).getID(), ex.getMessage());
|
||||
validationExceptions.put(Saml2ErrorCodes.INVALID_ASSERTION,
|
||||
authException(Saml2ErrorCodes.INVALID_ASSERTION, message, ex));
|
||||
addValidationException(exceptions, Saml2ErrorCodes.INVALID_ASSERTION, message, ex);
|
||||
}
|
||||
}
|
||||
return exceptions;
|
||||
}
|
||||
|
||||
return validationExceptions;
|
||||
private void addValidationException(Map<String, Saml2AuthenticationException> exceptions, String code,
|
||||
String message, Exception cause) {
|
||||
exceptions.put(code, createAuthenticationException(code, message, cause));
|
||||
}
|
||||
|
||||
private boolean isSigned(boolean responseSigned, List<Assertion> assertions) {
|
||||
if (responseSigned) {
|
||||
return true;
|
||||
}
|
||||
|
||||
for (Assertion assertion : assertions) {
|
||||
if (!assertion.isSigned()) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -498,7 +463,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
return nameId;
|
||||
}
|
||||
catch (DecryptionException ex) {
|
||||
throw authException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex);
|
||||
throw createAuthenticationException(Saml2ErrorCodes.DECRYPTION_ERROR, ex.getMessage(), ex);
|
||||
}
|
||||
}
|
||||
|
||||
@ -506,7 +471,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
Map<String, List<Object>> attributeMap = new LinkedHashMap<>();
|
||||
for (AttributeStatement attributeStatement : assertion.getAttributeStatements()) {
|
||||
for (Attribute attribute : attributeStatement.getAttributes()) {
|
||||
|
||||
List<Object> attributeValues = new ArrayList<>();
|
||||
for (XMLObject xmlObject : attribute.getAttributeValues()) {
|
||||
Object attributeValue = getXmlObjectValue(xmlObject);
|
||||
@ -515,7 +479,6 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
}
|
||||
}
|
||||
attributeMap.put(attribute.getName(), attributeValues);
|
||||
|
||||
}
|
||||
}
|
||||
return attributeMap;
|
||||
@ -559,20 +522,22 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
return xsAny.getTextContent();
|
||||
}
|
||||
|
||||
private static Saml2Error validationError(String code, String description) {
|
||||
return new Saml2Error(code, description);
|
||||
private Converter<Response, AbstractAuthenticationToken> getAuthenticationConverter(
|
||||
Saml2AuthenticationToken token) {
|
||||
return (response) -> convertAuthenticationToken(token, response);
|
||||
}
|
||||
|
||||
private static Saml2AuthenticationException authException(String code, String description)
|
||||
throws Saml2AuthenticationException {
|
||||
|
||||
return new Saml2AuthenticationException(validationError(code, description));
|
||||
private AbstractAuthenticationToken convertAuthenticationToken(Saml2AuthenticationToken token, Response response) {
|
||||
Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
|
||||
String username = assertion.getSubject().getNameID().getValue();
|
||||
Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
|
||||
return new Saml2Authentication(new DefaultSaml2AuthenticatedPrincipal(username, attributes),
|
||||
token.getSaml2Response(), this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion)));
|
||||
}
|
||||
|
||||
private static Saml2AuthenticationException authException(String code, String description, Exception cause)
|
||||
throws Saml2AuthenticationException {
|
||||
|
||||
return new Saml2AuthenticationException(validationError(code, description), cause);
|
||||
private static Saml2AuthenticationException createAuthenticationException(String code, String message,
|
||||
Exception cause) {
|
||||
return new Saml2AuthenticationException(new Saml2Error(code, message), cause);
|
||||
}
|
||||
|
||||
private static class SignatureTrustEngineConverter
|
||||
@ -596,10 +561,10 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
|
||||
}
|
||||
|
||||
private class ValidationContextConverter implements Converter<Tuple, ValidationContext> {
|
||||
private class ValidationContextConverter implements Converter<TokenAndResponse, ValidationContext> {
|
||||
|
||||
@Override
|
||||
public ValidationContext convert(Tuple tuple) {
|
||||
public ValidationContext convert(TokenAndResponse tuple) {
|
||||
String audience = tuple.authentication.getRelyingPartyRegistration().getEntityId();
|
||||
String recipient = tuple.authentication.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
|
||||
Map<String, Object> params = new HashMap<>();
|
||||
@ -607,17 +572,14 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
OpenSamlAuthenticationProvider.this.responseTimeValidationSkew.toMillis());
|
||||
params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Collections.singleton(audience));
|
||||
params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Collections.singleton(recipient));
|
||||
params.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, false); // this
|
||||
// verification
|
||||
// is
|
||||
// performed
|
||||
// earlier
|
||||
// this verification is performed earlier
|
||||
params.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, false);
|
||||
return new ValidationContext(params);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
private class SAML20AssertionValidatorConverter implements Converter<Tuple, SAML20AssertionValidator> {
|
||||
private class SAML20AssertionValidatorConverter implements Converter<TokenAndResponse, SAML20AssertionValidator> {
|
||||
|
||||
private final Collection<SubjectConfirmationValidator> subjects = new ArrayList<>();
|
||||
|
||||
@ -638,7 +600,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
}
|
||||
|
||||
@Override
|
||||
public SAML20AssertionValidator convert(Tuple tuple) {
|
||||
public SAML20AssertionValidator convert(TokenAndResponse tuple) {
|
||||
Collection<ConditionValidator> conditions = OpenSamlAuthenticationProvider.this.conditionValidators;
|
||||
return new SAML20AssertionValidator(conditions, this.subjects, this.statements,
|
||||
OpenSamlAuthenticationProvider.this.signatureTrustEngineConverter.convert(tuple.authentication),
|
||||
@ -674,13 +636,13 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
|
||||
*
|
||||
* @since 5.4
|
||||
*/
|
||||
public static final class Tuple {
|
||||
public static final class TokenAndResponse {
|
||||
|
||||
private final Saml2AuthenticationToken authentication;
|
||||
|
||||
private final Response response;
|
||||
|
||||
private Tuple(Saml2AuthenticationToken authentication, Response response) {
|
||||
private TokenAndResponse(Saml2AuthenticationToken authentication, Response response) {
|
||||
this.authentication = authentication;
|
||||
this.response = response;
|
||||
}
|
||||
|
||||
@ -117,22 +117,15 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
|
||||
throw new IllegalArgumentException("No signing credential provided");
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Saml2PostAuthenticationRequest createPostAuthenticationRequest(Saml2AuthenticationRequestContext context) {
|
||||
AuthnRequest authnRequest = createAuthnRequest(context);
|
||||
String xml = context.getRelyingPartyRegistration().getAssertingPartyDetails().getWantAuthnRequestsSigned()
|
||||
? serialize(sign(authnRequest, context.getRelyingPartyRegistration())) : serialize(authnRequest);
|
||||
|
||||
return Saml2PostAuthenticationRequest.withAuthenticationRequestContext(context)
|
||||
.samlRequest(Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8))).build();
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(
|
||||
Saml2AuthenticationRequestContext context) {
|
||||
@ -141,7 +134,6 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
|
||||
Builder result = Saml2RedirectAuthenticationRequest.withAuthenticationRequestContext(context);
|
||||
String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
|
||||
result.samlRequest(deflatedAndEncoded).relayState(context.getRelayState());
|
||||
|
||||
if (context.getRelyingPartyRegistration().getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
|
||||
Collection<Saml2X509Credential> signingCredentials = context.getRelyingPartyRegistration()
|
||||
.getSigningX509Credentials();
|
||||
@ -154,7 +146,6 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
|
||||
}
|
||||
throw new Saml2Exception("No signing credential provided");
|
||||
}
|
||||
|
||||
return result.build();
|
||||
}
|
||||
|
||||
@ -266,12 +257,10 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
|
||||
.append(UriUtils.encode(relayState, StandardCharsets.ISO_8859_1)).append("&");
|
||||
}
|
||||
queryString.append("SigAlg").append("=").append(UriUtils.encode(algorithmUri, StandardCharsets.ISO_8859_1));
|
||||
|
||||
try {
|
||||
byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri,
|
||||
queryString.toString().getBytes(StandardCharsets.UTF_8));
|
||||
String b64Signature = Saml2Utils.samlEncode(rawSignature);
|
||||
|
||||
Map<String, String> result = new LinkedHashMap<>();
|
||||
result.put("SAMLRequest", samlRequest);
|
||||
if (StringUtils.hasText(relayState)) {
|
||||
|
||||
@ -56,7 +56,7 @@ public class Saml2AuthenticationException extends AuthenticationException {
|
||||
* @param cause the root cause
|
||||
*/
|
||||
public Saml2AuthenticationException(Saml2Error error, Throwable cause) {
|
||||
this(error, cause.getMessage(), cause);
|
||||
this(error, (cause != null) ? cause.getMessage() : error.getDescription(), cause);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@ -52,7 +52,6 @@ public class Saml2AuthenticationToken extends AbstractAuthenticationToken {
|
||||
* @since 5.4
|
||||
*/
|
||||
public Saml2AuthenticationToken(RelyingPartyRegistration relyingPartyRegistration, String saml2Response) {
|
||||
|
||||
super(Collections.emptyList());
|
||||
Assert.notNull(relyingPartyRegistration, "relyingPartyRegistration cannot be null");
|
||||
Assert.notNull(saml2Response, "saml2Response cannot be null");
|
||||
|
||||
@ -60,7 +60,6 @@ public class Saml2PostAuthenticationRequest extends AbstractSaml2AuthenticationR
|
||||
public static final class Builder extends AbstractSaml2AuthenticationRequest.Builder<Builder> {
|
||||
|
||||
private Builder() {
|
||||
super();
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@ -87,7 +87,6 @@ public final class Saml2RedirectAuthenticationRequest extends AbstractSaml2Authe
|
||||
private String signature;
|
||||
|
||||
private Builder() {
|
||||
super();
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@ -67,17 +67,12 @@ public final class OpenSamlMetadataResolver implements Saml2MetadataResolver {
|
||||
Assert.notNull(this.entityDescriptorMarshaller, "entityDescriptorMarshaller cannot be null");
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public String resolve(RelyingPartyRegistration relyingPartyRegistration) {
|
||||
EntityDescriptor entityDescriptor = build(EntityDescriptor.ELEMENT_QNAME);
|
||||
entityDescriptor.setEntityID(relyingPartyRegistration.getEntityId());
|
||||
|
||||
SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(relyingPartyRegistration);
|
||||
entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);
|
||||
|
||||
return serialize(entityDescriptor);
|
||||
}
|
||||
|
||||
@ -107,17 +102,14 @@ public final class OpenSamlMetadataResolver implements Saml2MetadataResolver {
|
||||
KeyInfo keyInfo = build(KeyInfo.DEFAULT_ELEMENT_NAME);
|
||||
X509Certificate x509Certificate = build(X509Certificate.DEFAULT_ELEMENT_NAME);
|
||||
X509Data x509Data = build(X509Data.DEFAULT_ELEMENT_NAME);
|
||||
|
||||
try {
|
||||
x509Certificate.setValue(new String(Base64.getEncoder().encode(certificate.getEncoded())));
|
||||
}
|
||||
catch (CertificateEncodingException ex) {
|
||||
throw new Saml2Exception("Cannot encode certificate " + certificate.toString());
|
||||
}
|
||||
|
||||
x509Data.getX509Certificates().add(x509Certificate);
|
||||
keyInfo.getX509Datas().add(x509Data);
|
||||
|
||||
keyDescriptor.setUse(usageType);
|
||||
keyDescriptor.setKeyInfo(keyInfo);
|
||||
return keyDescriptor;
|
||||
|
||||
@ -96,37 +96,24 @@ public class OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter
|
||||
this.parserPool = registry.getParserPool();
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public boolean canRead(Class<?> clazz, MediaType mediaType) {
|
||||
return RelyingPartyRegistration.Builder.class.isAssignableFrom(clazz);
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public boolean canWrite(Class<?> clazz, MediaType mediaType) {
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public List<MediaType> getSupportedMediaTypes() {
|
||||
return Arrays.asList(MediaType.APPLICATION_XML, MediaType.TEXT_XML);
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public RelyingPartyRegistration.Builder read(Class<? extends RelyingPartyRegistration.Builder> clazz,
|
||||
HttpInputMessage inputMessage) throws IOException, HttpMessageNotReadableException {
|
||||
|
||||
EntityDescriptor descriptor = entityDescriptor(inputMessage.getBody());
|
||||
IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
|
||||
if (idpssoDescriptor == null) {
|
||||
@ -184,6 +171,32 @@ public class OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter
|
||||
"Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests");
|
||||
}
|
||||
|
||||
private List<Saml2X509Credential> getVerification(IDPSSODescriptor idpssoDescriptor) {
|
||||
List<Saml2X509Credential> verification = new ArrayList<>();
|
||||
for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
|
||||
if (keyDescriptor.getUse().equals(UsageType.SIGNING)) {
|
||||
List<X509Certificate> certificates = certificates(keyDescriptor);
|
||||
for (X509Certificate certificate : certificates) {
|
||||
verification.add(Saml2X509Credential.verification(certificate));
|
||||
}
|
||||
}
|
||||
}
|
||||
return verification;
|
||||
}
|
||||
|
||||
private List<Saml2X509Credential> getEncryption(IDPSSODescriptor idpssoDescriptor) {
|
||||
List<Saml2X509Credential> encryption = new ArrayList<>();
|
||||
for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) {
|
||||
if (keyDescriptor.getUse().equals(UsageType.ENCRYPTION)) {
|
||||
List<X509Certificate> certificates = certificates(keyDescriptor);
|
||||
for (X509Certificate certificate : certificates) {
|
||||
encryption.add(Saml2X509Credential.encryption(certificate));
|
||||
}
|
||||
}
|
||||
}
|
||||
return encryption;
|
||||
}
|
||||
|
||||
private List<X509Certificate> certificates(KeyDescriptor keyDescriptor) {
|
||||
try {
|
||||
return KeyInfoSupport.getCertificates(keyDescriptor.getKeyInfo());
|
||||
|
||||
@ -28,8 +28,6 @@ import java.util.function.Consumer;
|
||||
import java.util.function.Function;
|
||||
|
||||
import org.springframework.security.saml2.core.Saml2X509Credential;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails;
|
||||
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
@ -94,7 +92,6 @@ public final class RelyingPartyRegistration {
|
||||
Collection<org.springframework.security.saml2.credentials.Saml2X509Credential> credentials,
|
||||
Collection<Saml2X509Credential> decryptionX509Credentials,
|
||||
Collection<Saml2X509Credential> signingX509Credentials) {
|
||||
|
||||
Assert.hasText(registrationId, "registrationId cannot be empty");
|
||||
Assert.hasText(entityId, "entityId cannot be empty");
|
||||
Assert.hasText(assertionConsumerServiceLocation, "assertionConsumerServiceLocation cannot be empty");
|
||||
@ -332,7 +329,6 @@ public final class RelyingPartyRegistration {
|
||||
|
||||
private List<org.springframework.security.saml2.credentials.Saml2X509Credential> filterCredentials(
|
||||
Function<org.springframework.security.saml2.credentials.Saml2X509Credential, Boolean> filter) {
|
||||
|
||||
List<org.springframework.security.saml2.credentials.Saml2X509Credential> result = new LinkedList<>();
|
||||
for (org.springframework.security.saml2.credentials.Saml2X509Credential c : this.credentials) {
|
||||
if (filter.apply(c)) {
|
||||
@ -447,7 +443,6 @@ public final class RelyingPartyRegistration {
|
||||
Collection<Saml2X509Credential> verificationX509Credentials,
|
||||
Collection<Saml2X509Credential> encryptionX509Credentials, String singleSignOnServiceLocation,
|
||||
Saml2MessageBinding singleSignOnServiceBinding) {
|
||||
|
||||
Assert.hasText(entityId, "entityId cannot be null or empty");
|
||||
Assert.notNull(verificationX509Credentials, "verificationX509Credentials cannot be null");
|
||||
for (Saml2X509Credential credential : verificationX509Credentials) {
|
||||
@ -1038,7 +1033,6 @@ public final class RelyingPartyRegistration {
|
||||
for (Saml2X509Credential credential : this.providerDetails.assertingPartyDetailsBuilder.encryptionX509Credentials) {
|
||||
this.credentials.add(toDeprecated(credential));
|
||||
}
|
||||
|
||||
return new RelyingPartyRegistration(this.registrationId, this.entityId,
|
||||
this.assertionConsumerServiceLocation, this.assertionConsumerServiceBinding,
|
||||
this.providerDetails.build(), this.credentials, this.decryptionX509Credentials,
|
||||
|
||||
@ -41,7 +41,6 @@ final class Saml2ServletUtils {
|
||||
if (!StringUtils.hasText(template)) {
|
||||
return baseUrl;
|
||||
}
|
||||
|
||||
String entityId = relyingParty.getAssertingPartyDetails().getEntityId();
|
||||
String registrationId = relyingParty.getRegistrationId();
|
||||
Map<String, String> uriVariables = new HashMap<>();
|
||||
@ -64,7 +63,6 @@ final class Saml2ServletUtils {
|
||||
uriVariables.put("baseUrl", uriComponents.toUriString());
|
||||
uriVariables.put("entityId", StringUtils.hasText(entityId) ? entityId : "");
|
||||
uriVariables.put("registrationId", StringUtils.hasText(registrationId) ? registrationId : "");
|
||||
|
||||
return UriComponentsBuilder.fromUriString(template).buildAndExpand(uriVariables).toUriString();
|
||||
}
|
||||
|
||||
|
||||
@ -131,13 +131,9 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter
|
||||
this.redirectMatcher = redirectMatcher;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
|
||||
throws ServletException, IOException {
|
||||
|
||||
MatchResult matcher = this.redirectMatcher.matcher(request);
|
||||
if (!matcher.isMatch()) {
|
||||
filterChain.doFilter(request, response);
|
||||
@ -192,26 +188,42 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter
|
||||
String authenticationRequestUri = authenticationRequest.getAuthenticationRequestUri();
|
||||
String relayState = authenticationRequest.getRelayState();
|
||||
String samlRequest = authenticationRequest.getSamlRequest();
|
||||
StringBuilder postHtml = new StringBuilder().append("<!DOCTYPE html>\n").append("<html>\n")
|
||||
.append(" <head>\n").append(" <meta charset=\"utf-8\" />\n").append(" </head>\n")
|
||||
.append(" <body onload=\"document.forms[0].submit()\">\n").append(" <noscript>\n")
|
||||
.append(" <p>\n")
|
||||
.append(" <strong>Note:</strong> Since your browser does not support JavaScript,\n")
|
||||
.append(" you must press the Continue button once to proceed.\n")
|
||||
.append(" </p>\n").append(" </noscript>\n").append(" \n")
|
||||
.append(" <form action=\"").append(authenticationRequestUri).append("\" method=\"post\">\n")
|
||||
.append(" <div>\n")
|
||||
.append(" <input type=\"hidden\" name=\"SAMLRequest\" value=\"")
|
||||
.append(HtmlUtils.htmlEscape(samlRequest)).append("\"/>\n");
|
||||
StringBuilder html = new StringBuilder();
|
||||
html.append("<!DOCTYPE html>\n");
|
||||
html.append("<html>\n").append(" <head>\n");
|
||||
html.append(" <meta charset=\"utf-8\" />\n");
|
||||
html.append(" </head>\n");
|
||||
html.append(" <body onload=\"document.forms[0].submit()\">\n");
|
||||
html.append(" <noscript>\n");
|
||||
html.append(" <p>\n");
|
||||
html.append(" <strong>Note:</strong> Since your browser does not support JavaScript,\n");
|
||||
html.append(" you must press the Continue button once to proceed.\n");
|
||||
html.append(" </p>\n");
|
||||
html.append(" </noscript>\n");
|
||||
html.append(" \n");
|
||||
html.append(" <form action=\"");
|
||||
html.append(authenticationRequestUri);
|
||||
html.append("\" method=\"post\">\n");
|
||||
html.append(" <div>\n");
|
||||
html.append(" <input type=\"hidden\" name=\"SAMLRequest\" value=\"");
|
||||
html.append(HtmlUtils.htmlEscape(samlRequest));
|
||||
html.append("\"/>\n");
|
||||
if (StringUtils.hasText(relayState)) {
|
||||
postHtml.append(" <input type=\"hidden\" name=\"RelayState\" value=\"")
|
||||
.append(HtmlUtils.htmlEscape(relayState)).append("\"/>\n");
|
||||
html.append(" <input type=\"hidden\" name=\"RelayState\" value=\"");
|
||||
html.append(HtmlUtils.htmlEscape(relayState));
|
||||
html.append("\"/>\n");
|
||||
}
|
||||
postHtml.append(" </div>\n").append(" <noscript>\n").append(" <div>\n")
|
||||
.append(" <input type=\"submit\" value=\"Continue\"/>\n")
|
||||
.append(" </div>\n").append(" </noscript>\n").append(" </form>\n")
|
||||
.append(" \n").append(" </body>\n").append("</html>");
|
||||
return postHtml.toString();
|
||||
html.append(" </div>\n");
|
||||
html.append(" <noscript>\n");
|
||||
html.append(" <div>\n");
|
||||
html.append(" <input type=\"submit\" value=\"Continue\"/>\n");
|
||||
html.append(" </div>\n");
|
||||
html.append(" </noscript>\n");
|
||||
html.append(" </form>\n");
|
||||
html.append(" \n");
|
||||
html.append(" </body>\n");
|
||||
html.append("</html>");
|
||||
return html.toString();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -52,7 +52,6 @@ public final class DefaultRelyingPartyRegistrationResolver
|
||||
|
||||
public DefaultRelyingPartyRegistrationResolver(
|
||||
RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
|
||||
|
||||
Assert.notNull(relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null");
|
||||
this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
|
||||
}
|
||||
@ -68,7 +67,6 @@ public final class DefaultRelyingPartyRegistrationResolver
|
||||
if (relyingPartyRegistration == null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
String applicationUri = getApplicationUri(request);
|
||||
Function<String, String> templateResolver = templateResolver(applicationUri, relyingPartyRegistration);
|
||||
String relyingPartyEntityId = templateResolver.apply(relyingPartyRegistration.getEntityId());
|
||||
@ -104,7 +102,6 @@ public final class DefaultRelyingPartyRegistrationResolver
|
||||
uriVariables.put("baseUrl", uriComponents.toUriString());
|
||||
uriVariables.put("entityId", StringUtils.hasText(entityId) ? entityId : "");
|
||||
uriVariables.put("registrationId", StringUtils.hasText(registrationId) ? registrationId : "");
|
||||
|
||||
return UriComponentsBuilder.fromUriString(template).buildAndExpand(uriVariables).toUriString();
|
||||
}
|
||||
|
||||
|
||||
@ -47,9 +47,6 @@ public final class DefaultSaml2AuthenticationRequestContextResolver
|
||||
this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Saml2AuthenticationRequestContext resolve(HttpServletRequest request) {
|
||||
Assert.notNull(request, "request cannot be null");
|
||||
|
||||
@ -60,9 +60,6 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
|
||||
this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@Override
|
||||
public Saml2AuthenticationToken convert(HttpServletRequest request) {
|
||||
RelyingPartyRegistration relyingPartyRegistration = this.relyingPartyRegistrationResolver.convert(request);
|
||||
@ -82,10 +79,8 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
|
||||
if (HttpMethod.GET.matches(request.getMethod())) {
|
||||
return samlInflate(b);
|
||||
}
|
||||
else {
|
||||
return new String(b, StandardCharsets.UTF_8);
|
||||
}
|
||||
}
|
||||
|
||||
private byte[] samlDecode(String s) {
|
||||
return BASE64.decode(s);
|
||||
@ -94,9 +89,9 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
|
||||
private String samlInflate(byte[] b) {
|
||||
try {
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
InflaterOutputStream iout = new InflaterOutputStream(out, new Inflater(true));
|
||||
iout.write(b);
|
||||
iout.finish();
|
||||
InflaterOutputStream inflaterOutputStream = new InflaterOutputStream(out, new Inflater(true));
|
||||
inflaterOutputStream.write(b);
|
||||
inflaterOutputStream.finish();
|
||||
return new String(out.toByteArray(), StandardCharsets.UTF_8);
|
||||
}
|
||||
catch (IOException ex) {
|
||||
|
||||
@ -60,19 +60,16 @@ public final class Saml2MetadataFilter extends OncePerRequestFilter {
|
||||
@Override
|
||||
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
|
||||
throws ServletException, IOException {
|
||||
|
||||
RequestMatcher.MatchResult matcher = this.requestMatcher.matcher(request);
|
||||
if (!matcher.isMatch()) {
|
||||
chain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
|
||||
RelyingPartyRegistration relyingPartyRegistration = this.relyingPartyRegistrationConverter.convert(request);
|
||||
if (relyingPartyRegistration == null) {
|
||||
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
||||
return;
|
||||
}
|
||||
|
||||
String metadata = this.saml2MetadataResolver.resolve(relyingPartyRegistration);
|
||||
String registrationId = relyingPartyRegistration.getRegistrationId();
|
||||
writeMetadataToResponse(response, registrationId, metadata);
|
||||
@ -80,7 +77,6 @@ public final class Saml2MetadataFilter extends OncePerRequestFilter {
|
||||
|
||||
private void writeMetadataToResponse(HttpServletResponse response, String registrationId, String metadata)
|
||||
throws IOException {
|
||||
|
||||
response.setContentType(MediaType.APPLICATION_XML_VALUE);
|
||||
response.setHeader(HttpHeaders.CONTENT_DISPOSITION,
|
||||
"attachment; filename=\"saml-" + registrationId + "-metadata.xml\"");
|
||||
|
||||
@ -45,11 +45,12 @@ public final class Saml2Utils {
|
||||
|
||||
public static byte[] samlDeflate(String s) {
|
||||
try {
|
||||
ByteArrayOutputStream b = new ByteArrayOutputStream();
|
||||
DeflaterOutputStream deflater = new DeflaterOutputStream(b, new Deflater(Deflater.DEFLATED, true));
|
||||
deflater.write(s.getBytes(StandardCharsets.UTF_8));
|
||||
deflater.finish();
|
||||
return b.toByteArray();
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
DeflaterOutputStream deflaterOutputStream = new DeflaterOutputStream(out,
|
||||
new Deflater(Deflater.DEFLATED, true));
|
||||
deflaterOutputStream.write(s.getBytes(StandardCharsets.UTF_8));
|
||||
deflaterOutputStream.finish();
|
||||
return out.toByteArray();
|
||||
}
|
||||
catch (IOException ex) {
|
||||
throw new Saml2Exception("Unable to deflate string", ex);
|
||||
@ -59,9 +60,9 @@ public final class Saml2Utils {
|
||||
public static String samlInflate(byte[] b) {
|
||||
try {
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
InflaterOutputStream iout = new InflaterOutputStream(out, new Inflater(true));
|
||||
iout.write(b);
|
||||
iout.finish();
|
||||
InflaterOutputStream inflaterOutputStream = new InflaterOutputStream(out, new Inflater(true));
|
||||
inflaterOutputStream.write(b);
|
||||
inflaterOutputStream.finish();
|
||||
return new String(out.toByteArray(), StandardCharsets.UTF_8);
|
||||
}
|
||||
catch (IOException ex) {
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user