diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
index 1f68a728d2..a7aaf14f90 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
@@ -52,6 +52,7 @@ import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatchers;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
@@ -114,7 +115,9 @@ public final class Saml2LoginConfigurer>
 private Saml2AuthenticationRequestResolver authenticationRequestResolver;
- private String loginProcessingUrl = Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI;
+ private RequestMatcher loginProcessingUrl = RequestMatchers.anyOf(
+ new AntPathRequestMatcher(Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI),
+ new AntPathRequestMatcher("/login/saml2/sso"));
 private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
@@ -214,7 +217,7 @@ public final class Saml2LoginConfigurer>
 @Override
 public Saml2LoginConfigurer loginProcessingUrl(String loginProcessingUrl) {
 Assert.hasText(loginProcessingUrl, "loginProcessingUrl cannot be empty");
- this.loginProcessingUrl = loginProcessingUrl;
+ this.loginProcessingUrl = new AntPathRequestMatcher(loginProcessingUrl);
 return this;
 }
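Review bot: The literal `"/login/saml2/sso"` in the new `loginProcessingUrl` default is duplicated verbatim in `Saml2WebSsoAuthenticationFilter.DEFAULT_REQUEST_MATCHER` (the `@@ -44,6 +47,10 @@` hunk of the second file), so the two defaults can drift apart without any compiler help. A public constant on the filter alongside `DEFAULT_FILTER_PROCESSES_URI` would let this field reference it instead of repeating the path. The two sites also build the same matcher differently (`RequestMatchers.anyOf` here, `OrRequestMatcher` in the filter); picking one form in both places would make the parity obvious. With the field now holding a `RequestMatcher`, the name `loginProcessingUrl` no longer describes its type, though renaming it is optional since it is private.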
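Review bot: A value passed to `loginProcessingUrl(String)` is now wrapped in a bare `AntPathRequestMatcher`, so a URL without a `{registrationId}` variable is accepted here, whereas the two-argument filter constructor (still present in the second file, `"filterProcessesUrl must contain a {registrationId} match variable"`) rejected it at startup; callers who relied on that fail-fast will now get a filter whose request matcher carries no registrationId. If that is intended, which the new `/login/saml2/sso` default suggests, the method's Javadoc (outside this hunk) should state that the variable is optional and that without it the relying party must be resolved by the authentication converter; if not, an `Assert.isTrue(loginProcessingUrl.contains("{registrationId}"), ...)` here would restore the old check. Whether the previous path through `createLoginProcessingUrlMatcher` restricted the HTTP method is not visible in this diff; if it did, the bare matcher also widens the accepted methods, which is worth confirming because the same matcher is used for the CSRF exemption below.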
@@ -240,12 +243,11 @@ public final class Saml2LoginConfigurer>
 public void init(B http) throws Exception {
 registerDefaultCsrfOverride(http);
 relyingPartyRegistrationRepository(http);
- this.saml2WebSsoAuthenticationFilter = new Saml2WebSsoAuthenticationFilter(getAuthenticationConverter(http),
- this.loginProcessingUrl);
+ this.saml2WebSsoAuthenticationFilter = new Saml2WebSsoAuthenticationFilter(getAuthenticationConverter(http));
 this.saml2WebSsoAuthenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
+ this.saml2WebSsoAuthenticationFilter.setRequiresAuthenticationRequestMatcher(this.loginProcessingUrl);
 setAuthenticationRequestRepository(http, this.saml2WebSsoAuthenticationFilter);
 setAuthenticationFilter(this.saml2WebSsoAuthenticationFilter);
- super.loginProcessingUrl(this.loginProcessingUrl);
 if (StringUtils.hasText(this.loginPage)) {
 // Set custom login page
 super.loginPage(this.loginPage);
@@ -352,7 +354,7 @@ public final class Saml2LoginConfigurer>
 OpenSamlAuthenticationTokenConverter converter = new OpenSamlAuthenticationTokenConverter(
 this.relyingPartyRegistrationRepository);
 converter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(http));
- converter.setRequestMatcher(createLoginProcessingUrlMatcher(this.loginProcessingUrl));
+ converter.setRequestMatcher(this.loginProcessingUrl);
 return converter;
 }
 return authenticationConverterBean;
@@ -367,7 +369,7 @@ public final class Saml2LoginConfigurer>
 if (csrf == null) {
 return;
 }
- csrf.ignoringRequestMatchers(new AntPathRequestMatcher(this.loginProcessingUrl));
+ csrf.ignoringRequestMatchers(this.loginProcessingUrl);
 }
 private void initDefaultLoginFilter(B http) {
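Review bot: Dropping `super.loginProcessingUrl(this.loginProcessingUrl)` in `init` means the parent `AbstractAuthenticationFilterConfigurer` is never told which processing URL this configurer uses; the filter's matcher is now set directly via `setRequiresAuthenticationRequestMatcher`, but anything the parent derives from its own `loginProcessingUrl` string (for example the URL list it permits when `permitAll()` is enabled) would keep the parent's default rather than a URL set through `loginProcessingUrl(String)`. The parent class is not in this diff, so this is an inference to confirm; if the parent does use that string, a custom processing URL would no longer be permitted at the authorization layer while the filter still accepts it. `init` continues past the end of the hunk.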
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/Saml2WebSsoAuthenticationFilter.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/Saml2WebSsoAuthenticationFilter.java
index 8fd2de183d..a6c969563b 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/Saml2WebSsoAuthenticationFilter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/Saml2WebSsoAuthenticationFilter.java
@@ -35,6 +35,9 @@ import org.springframework.security.saml2.provider.service.web.Saml2Authenticati
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 /**
@@ -44,6 +47,10 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
 public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/saml2/sso/{registrationId}";
+ private static final RequestMatcher DEFAULT_REQUEST_MATCHER = new OrRequestMatcher(
+ new AntPathRequestMatcher(DEFAULT_FILTER_PROCESSES_URI),
+ new AntPathRequestMatcher("/login/saml2/sso"));
 private final AuthenticationConverter authenticationConverter;
 private Saml2AuthenticationRequestRepository authenticationRequestRepository = new HttpSessionSaml2AuthenticationRequestRepository();
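Review bot: `DEFAULT_REQUEST_MATCHER` has no comment explaining why it accepts two paths, and a reader of `DEFAULT_FILTER_PROCESSES_URI` just above it would reasonably assume the registrationId-qualified form is the only default. A short comment would prevent that misreading, e.g. `// Accepts responses at both the registrationId-qualified URI and the bare /login/saml2/sso path; a response to the latter carries no registrationId in the URL, so the relying party must be resolved by the AuthenticationConverter (presumably from the response itself — confirm)`. Since the constant is private, the configurer in the first file cannot reuse it and repeats the path literal; consider exposing the bare path as a public constant so both sites share it.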
@@ -75,6 +82,21 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
 "filterProcessesUrl must contain a {registrationId} match variable");
 }
+ /**
+ * Creates a {@link Saml2WebSsoAuthenticationFilter} that is configured to use the
+ * {@link #DEFAULT_FILTER_PROCESSES_URI} processing URL
+ * @param authenticationConverter the strategy for converting an
+ * {@link HttpServletRequest} into an {@link Authentication}
+ * @since 6.2
+ */
+ public Saml2WebSsoAuthenticationFilter(AuthenticationConverter authenticationConverter) {
+ super(DEFAULT_REQUEST_MATCHER);
+ Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
+ this.authenticationConverter = authenticationConverter;
+ setAllowSessionCreation(true);
+ setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
+ }
 /**
 * Creates a {@link Saml2WebSsoAuthenticationFilter} given the provided parameters
 * @param authenticationConverter the strategy for converting an
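Review bot: The Javadoc of the new single-argument constructor says the filter is "configured to use the {@link #DEFAULT_FILTER_PROCESSES_URI} processing URL", but `super(DEFAULT_REQUEST_MATCHER)` also makes it process requests to `/login/saml2/sso`, so the documentation understates which endpoints the filter will treat as authentication attempts. Suggested wording: `* Creates a {@link Saml2WebSsoAuthenticationFilter} that processes responses sent to either` / `* {@link #DEFAULT_FILTER_PROCESSES_URI} or {@code /login/saml2/sso}`. The `setAllowSessionCreation(true)` and `setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy())` lines look like a copy of the existing constructor's setup (its body is outside the hunk); if so, a private helper shared by both constructors would keep the session-fixation protection from being forgotten in one of them.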