From 649428b49aae3362e0fcad23a360593b8f02fdef Mon Sep 17 00:00:00 2001
From: Juny Tse
Date: Sat, 21 May 2022 23:58:37 +0800
Subject: [PATCH] Use Base64 encoder with no CRLF in output for SAML 2.0 messages

Closes gh-11262
---
 .../web/configurers/saml2/Saml2LoginConfigurerTests.java | 2 +-
 .../saml2/provider/service/authentication/Saml2Utils.java | 2 +-
 .../provider/service/authentication/logout/Saml2Utils.java | 2 +-
 .../service/web/authentication/logout/Saml2Utils.java | 2 +-
 .../springframework/security/saml2/core/Saml2Utils.java | 7 +------
 .../web/Saml2AuthenticationTokenConverterTests.java | 4 ++--
 6 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java
index 596f93a250..b37040eff3 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java
@@ -253,7 +253,7 @@ public class Saml2LoginConfigurerTests {
 public void authenticateWithInvalidDeflatedSAMLResponseThenFailureHandlerUses() throws Exception {
 this.spring.register(CustomAuthenticationFailureHandler.class).autowire();
 byte[] invalidDeflated = "invalid".getBytes();
- String encoded = Saml2Utils.samlEncodeNotRfc2045(invalidDeflated);
+ String encoded = Saml2Utils.samlEncode(invalidDeflated);
 MockHttpServletRequestBuilder request = get("/login/saml2/sso/registration-id").queryParam("SAMLResponse",
 encoded);
 this.mvc.perform(request);
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Utils.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Utils.java
index 3ca272ac34..1d1012f702 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Utils.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Utils.java
@@ -36,7 +36,7 @@ final class Saml2Utils {
 }
 
 static String samlEncode(byte[] b) {
- return Base64.getMimeEncoder().encodeToString(b);
+ return Base64.getEncoder().encodeToString(b);
 }
 
 static byte[] samlDecode(String s) {
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/Saml2Utils.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/Saml2Utils.java
index 912d1983e3..3f1c9e0026 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/Saml2Utils.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/Saml2Utils.java
@@ -40,7 +40,7 @@ final class Saml2Utils {
 }
 
 static String samlEncode(byte[] b) {
- return Base64.getMimeEncoder().encodeToString(b);
+ return Base64.getEncoder().encodeToString(b);
 }
 
 static byte[] samlDecode(String s) {
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2Utils.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2Utils.java
index d1436696ee..95046bc3a1 100644
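Review bot: `samlEncode` now produces RFC 4648 base64 with no line separators, which is the form the SAML 2.0 HTTP-Redirect and HTTP-POST bindings carry in the SAMLRequest/SAMLResponse value (the MIME encoder inserted CRLF every 76 characters, which peer implementations may reject), but the method records none of this, and the identical change is repeated in logout/Saml2Utils on this line and in web/authentication/logout/Saml2Utils in the next hunk. I'd add `/** Base64-encodes without line separators, as expected by the SAML 2.0 HTTP bindings. */` above each `samlEncode` so a later "fix" does not reintroduce the MIME encoder. The body of `samlDecode` is outside the hunk, so I cannot confirm which decoder it uses; it should stay lenient toward CRLF-separated input, since some identity providers still emit line-broken base64 and the relaxed decoder accepts both forms. Three package-private copies of the same utility are a maintenance hazard, as this commit shows; one shared class would keep encode and decode behaviour in step.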
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2Utils.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2Utils.java
@@ -40,7 +40,7 @@ final class Saml2Utils {
 }
 
 static String samlEncode(byte[] b) {
- return Base64.getMimeEncoder().encodeToString(b);
+ return Base64.getEncoder().encodeToString(b);
 }
 
 static byte[] samlDecode(String s) {
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java
index 031878b2b1..39f4b162fc 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/core/Saml2Utils.java
@@ -32,13 +32,8 @@ public final class Saml2Utils {
 private Saml2Utils() {
 }
 
- @Deprecated
- public static String samlEncodeNotRfc2045(byte[] b) {
- return Base64.getEncoder().encodeToString(b);
- }
-
 public static String samlEncode(byte[] b) {
- return Base64.getMimeEncoder().encodeToString(b);
+ return Base64.getEncoder().encodeToString(b);
 }
 
 public static byte[] samlDecode(String s) {
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java
index cc33b499fc..02b4692961 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java
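Review bot: With `samlEncodeNotRfc2045` removed and the test helper's `samlEncode` switched to the basic encoder in the core/Saml2Utils hunk, no test helper produces line-broken base64 any more, so the decode path's tolerance of CRLF-separated input (what the MIME encoder used to emit, and what some identity providers still send) is no longer exercised by the tests that use this utility; `samlDecode`'s body is outside the hunk, so I cannot confirm which decoder it uses. If the decode path is meant to accept both forms, keep one test that feeds `Base64.getMimeEncoder().encodeToString(bytes)` as the SAMLResponse value and asserts it still round-trips. Since this class lives under src/test, dropping the deprecated public method does not affect library users.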
@@ -64,7 +64,7 @@ public class Saml2AuthenticationTokenConverterTests {
 .willReturn(this.relyingPartyRegistration);
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
- Saml2Utils.samlEncodeNotRfc2045("response".getBytes(StandardCharsets.UTF_8)));
+ Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
 Saml2AuthenticationToken token = converter.convert(request);
 assertThat(token.getSaml2Response()).isEqualTo("response");
 assertThat(token.getRelyingPartyRegistration().getRegistrationId())
@@ -115,7 +115,7 @@ public class Saml2AuthenticationTokenConverterTests {
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setMethod("GET");
 byte[] deflated = Saml2Utils.samlDeflate("response");
- String encoded = Saml2Utils.samlEncodeNotRfc2045(deflated);
+ String encoded = Saml2Utils.samlEncode(deflated);
 request.setParameter(Saml2ParameterNames.SAML_RESPONSE, encoded);
 Saml2AuthenticationToken token = converter.convert(request);
 assertThat(token.getSaml2Response()).isEqualTo("response");