Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-26 13:53:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Check for Null Issuer

Browse Source 
Closes gh-16989
This commit is contained in:
Josh Cummings 2025-04-28 11:18:32 -06:00
parent db48d4ca50
commit 5354e4d2c5
No known key found for this signature in database
GPG Key ID: 869B37A20E876129
2 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2024 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -391,7 +391,7 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
String inResponseTo = response.getInResponseTo(); String inResponseTo = response.getInResponseTo();
result = result.concat(validateInResponseTo(token.getAuthenticationRequest(), inResponseTo)); result = result.concat(validateInResponseTo(token.getAuthenticationRequest(), inResponseTo));
String issuer = response.getIssuer().getValue(); String issuer = issuer(response);
String destination = response.getDestination(); String destination = response.getDestination();
String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation(); String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
if (StringUtils.hasText(destination) && !destination.equals(location)) { if (StringUtils.hasText(destination) && !destination.equals(location)) {
@ -414,6 +414,13 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
}; };
} }
private static String issuer(Response response) {
if (response.getIssuer() == null) {
return null;
}
return response.getIssuer().getValue();
}
private static List<String> getStatusCodes(Response response) { private static List<String> getStatusCodes(Response response) {
if (response.getStatus() == null) { if (response.getStatus() == null) {
return List.of(StatusCode.SUCCESS); return List.of(StatusCode.SUCCESS);
@ -576,7 +583,7 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
} }
private void process(Saml2AuthenticationToken token, Response response) { private void process(Saml2AuthenticationToken token, Response response) {
String issuer = response.getIssuer().getValue(); String issuer = issuer(response);
this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer)); this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
boolean responseSigned = response.isSigned(); boolean responseSigned = response.isSigned();

11
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2024 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -861,6 +861,15 @@ public class OpenSaml4AuthenticationProviderTests {
provider.authenticate(token); provider.authenticate(token);
} }
// gh-16989
@Test
public void authenticateWhenNullIssuerThenNoNullPointer() {
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
Response response = TestOpenSamlObjects.signedResponseWithOneAssertion((r) -> r.setIssuer(null));
Saml2AuthenticationToken token = token(response, verifying(registration()));
assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token));
}
private <T extends XMLObject> T build(QName qName) { private <T extends XMLObject> T build(QName qName) {
return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName); return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName);
} }