Add OpenSaml4AuthenticationProvider Preparation Steps
Issue gh-11077
parent
9a1fae3e8e
commit
6043cee699
|
@ -2074,6 +2074,120 @@ val verifying: List<Saml2X509Credential> = registration.getAssertingPartyDetails
|
|||
|
||||
For a complete listing of all changed methods, please see {security-api-url}org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.html[``RelyingPartyRegistration``'s JavaDoc].
|
||||
|
||||
=== Use OpenSAML 4
|
||||
|
||||
OpenSAML 3 has reached its end-of-life.
|
||||
As such, Spring Security 6 drops support for it, bumping up its OpenSAML baseline to 4.
|
||||
|
||||
To prepare for the upgrade, update your pom to depend on OpenSAML 4 instead of 3:
|
||||
|
||||
====
|
||||
.Maven
|
||||
[source,maven,role="primary"]
|
||||
----
|
||||
<dependencyManagement>
|
||||
<dependency>
|
||||
<groupId>org.opensaml</groupId>
|
||||
<artifactId>opensaml-core</artifactId>
|
||||
<version>4.2.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.opensaml</groupId>
|
||||
<artifactId>opensaml-saml-api</artifactId>
|
||||
<version>4.2.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.opensaml</groupId>
|
||||
<artifactId>opensaml-saml-impl</artifactId>
|
||||
<version>4.2.1</version>
|
||||
</dependency>
|
||||
</dependencyManagement>
|
||||
----
|
||||
|
||||
.Gradle
|
||||
[source,gradle,role="secondary"]
|
||||
----
|
||||
dependencies {
|
||||
constraints {
|
||||
api "org.opensaml:opensaml-core:4.2.1"
|
||||
api "org.opensaml:opensaml-saml-api:4.2.1"
|
||||
api "org.opensaml:opensaml-saml-impl:4.2.1"
|
||||
}
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
You must use at least OpenSAML 4.1.1 to update to Spring Security 6's SAML support.
|
||||
|
||||
=== Use `OpenSaml4AuthenticationProvider`
|
||||
|
||||
In order to support both OpenSAML 3 and 4 at the same time, Spring Security released `OpenSamlAuthenticationProvider` and `OpenSaml4AuthenticationProvider`.
|
||||
In 6.0, because OpenSAML3 support is removed, `OpenSamlAuthenticationProvider` is removed as well.
|
||||
|
||||
Not all methods in `OpenSamlAuthenticationProvider` were ported 1-to-1 to `OpenSaml4AuthenticationProvider`.
|
||||
As such, some adjustment will be required to make the challenge.
|
||||
|
||||
Consider the following representative usage of `OpenSamlAuthenticationProvider`:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
OpenSamlAuthenticationProvider versionThree = new OpenSamlAuthenticationProvider();
|
||||
versionThree.setAuthoritiesExtractor(myAuthoritiesExtractor);
|
||||
versionThree.setResponseTimeValidationSkew(myDuration);
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
val versionThree: OpenSamlAuthenticationProvider = OpenSamlAuthenticationProvider()
|
||||
versionThree.setAuthoritiesExtractor(myAuthoritiesExtractor)
|
||||
versionThree.setResponseTimeValidationSkew(myDuration)
|
||||
----
|
||||
====
|
||||
|
||||
This should change to:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
Converter<ResponseToken, Saml2Authentication> delegate = OpenSaml4AuthenticationProvider
|
||||
.createDefaultResponseAuthenticationConverter();
|
||||
OpenSaml4AuthenticationProvider versionFour = new OpenSaml4AuthenticationProvider();
|
||||
versionFour.setResponseAuthenticationConverter((responseToken) -> {
|
||||
Saml2Authentication authentication = delegate.convert(responseToken);
|
||||
Assertion assertion = responseToken.getResponse().getAssertions().get(0);
|
||||
AuthenticatedPrincipal principal = (AuthenticatedPrincipal) authentication.getPrincipal();
|
||||
Collection<GrantedAuthority> authorities = myAuthoritiesExtractor.convert(assertion);
|
||||
return new Saml2Authentication(principal, authentication.getSaml2Response(), authorities);
|
||||
});
|
||||
Converter<AssertionToken, Saml2ResponseValidationResult> validator = OpenSaml4AuthenticationProvider
|
||||
.createDefaultAssertionValidatorWithParameters((p) -> p.put(CLOCK_SKEW, myDuration));
|
||||
versionFour.setAssertionValidator(validator);
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
val delegate = OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter()
|
||||
val versionFour = OpenSaml4AuthenticationProvider()
|
||||
versionFour.setResponseAuthenticationConverter({
|
||||
responseToken -> {
|
||||
val authentication = delegate.convert(responseToken)
|
||||
val assertion = responseToken.getResponse().getAssertions().get(0)
|
||||
val principal = (AuthenticatedPrincipal) authentication.getPrincipal()
|
||||
val authorities = myAuthoritiesExtractor.convert(assertion)
|
||||
return Saml2Authentication(principal, authentication.getSaml2Response(), authorities)
|
||||
}
|
||||
})
|
||||
val validator = OpenSaml4AuthenticationProvider
|
||||
.createDefaultAssertionValidatorWithParameters({ p -> p.put(CLOCK_SKEW, myDuration) })
|
||||
versionFour.setAssertionValidator(validator)
|
||||
----
|
||||
====
|
||||
|
||||
== Reactive
|
||||
|
||||
=== Use `AuthorizationManager` for Method Security
|
||||
|
|
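Review bot: The Kotlin sample in the "This should change to" block is not valid Kotlin: the converter lambda wraps its body in a second brace pair, the principal line uses a Java-style cast `(AuthenticatedPrincipal) authentication.getPrincipal()`, and the bare `return` inside the lambda would not compile. The three lines that need rewriting are `versionFour.setResponseAuthenticationConverter { responseToken ->`, `val principal = authentication.principal as AuthenticatedPrincipal`, and `return@setResponseAuthenticationConverter Saml2Authentication(principal, authentication.saml2Response, authorities)`, with the extra inner `{`/`}` pair dropped. Both the Java and Kotlin samples also index `getAssertions().get(0)` without an emptiness check; whether the provider has already rejected assertion-less responses before the custom converter runs is not visible in this hunk, so a one-line comment stating that the delegate has validated the response (or a `firstOrNull` guard) would stop readers from copying an unguarded index into their own converter. The sentence "some adjustment will be required to make the challenge" reads as a slip for `some adjustment will be required to make the change`.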