Add CSRF Exception

Issue gh-13653

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -52,6 +52,7 @@ import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatchers;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
@@ -114,7 +115,9 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 
 	private Saml2AuthenticationRequestResolver authenticationRequestResolver;
 
-	private String loginProcessingUrl = Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI;
+	private RequestMatcher loginProcessingUrl = RequestMatchers.anyOf(
+			new AntPathRequestMatcher(Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI),
+			new AntPathRequestMatcher("/login/saml2/sso"));
 
 	private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
 
@@ -214,7 +217,7 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	@Override
 	public Saml2LoginConfigurer<B> loginProcessingUrl(String loginProcessingUrl) {
 		Assert.hasText(loginProcessingUrl, "loginProcessingUrl cannot be empty");
-		this.loginProcessingUrl = loginProcessingUrl;
+		this.loginProcessingUrl = new AntPathRequestMatcher(loginProcessingUrl);
 		return this;
 	}
 
@@ -240,12 +243,11 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	public void init(B http) throws Exception {
 		registerDefaultCsrfOverride(http);
 		relyingPartyRegistrationRepository(http);
-		this.saml2WebSsoAuthenticationFilter = new Saml2WebSsoAuthenticationFilter(getAuthenticationConverter(http),
+		this.saml2WebSsoAuthenticationFilter = new Saml2WebSsoAuthenticationFilter(getAuthenticationConverter(http));
-				this.loginProcessingUrl);
 		this.saml2WebSsoAuthenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
+		this.saml2WebSsoAuthenticationFilter.setRequiresAuthenticationRequestMatcher(this.loginProcessingUrl);
 		setAuthenticationRequestRepository(http, this.saml2WebSsoAuthenticationFilter);
 		setAuthenticationFilter(this.saml2WebSsoAuthenticationFilter);
-		super.loginProcessingUrl(this.loginProcessingUrl);
 		if (StringUtils.hasText(this.loginPage)) {
 			// Set custom login page
 			super.loginPage(this.loginPage);
@@ -352,7 +354,7 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 			OpenSamlAuthenticationTokenConverter converter = new OpenSamlAuthenticationTokenConverter(
 					this.relyingPartyRegistrationRepository);
 			converter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(http));
-			converter.setRequestMatcher(createLoginProcessingUrlMatcher(this.loginProcessingUrl));
+			converter.setRequestMatcher(this.loginProcessingUrl);
 			return converter;
 		}
 		return authenticationConverterBean;
@@ -367,7 +369,7 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		if (csrf == null) {
 			return;
 		}
-		csrf.ignoringRequestMatchers(new AntPathRequestMatcher(this.loginProcessingUrl));
+		csrf.ignoringRequestMatchers(this.loginProcessingUrl);
 	}
 
 	private void initDefaultLoginFilter(B http) {

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/Saml2WebSsoAuthenticationFilter.java

@@ -35,6 +35,9 @@ import org.springframework.security.saml2.provider.service.web.Saml2Authenticati
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
 /**
@@ -44,6 +47,10 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
 
 	public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/saml2/sso/{registrationId}";
 
+	private static final RequestMatcher DEFAULT_REQUEST_MATCHER = new OrRequestMatcher(
+			new AntPathRequestMatcher(DEFAULT_FILTER_PROCESSES_URI),
+			new AntPathRequestMatcher("/login/saml2/sso"));
+
 	private final AuthenticationConverter authenticationConverter;
 
 	private Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository = new HttpSessionSaml2AuthenticationRequestRepository();
@@ -75,6 +82,21 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
 				"filterProcessesUrl must contain a {registrationId} match variable");
 	}
 
+	/**
+	 * Creates a {@link Saml2WebSsoAuthenticationFilter} that is configured to use the
+	 * {@link #DEFAULT_FILTER_PROCESSES_URI} processing URL
+	 * @param authenticationConverter the strategy for converting an
+	 * {@link HttpServletRequest} into an {@link Authentication}
+	 * @since 6.2
+	 */
+	public Saml2WebSsoAuthenticationFilter(AuthenticationConverter authenticationConverter) {
+		super(DEFAULT_REQUEST_MATCHER);
+		Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
+		this.authenticationConverter = authenticationConverter;
+		setAllowSessionCreation(true);
+		setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
+	}
+
 	/**
 	 * Creates a {@link Saml2WebSsoAuthenticationFilter} given the provided parameters
 	 * @param authenticationConverter the strategy for converting an