Add SecurityContextHolderStrategy XML Configuration for Saml2
Issue gh-11061
This commit is contained in:
parent
19181a5afd
commit
7e3841105b
|
@ -239,7 +239,7 @@ final class AuthenticationConfigBuilder {
|
||||||
createX509Filter(authenticationManager, authenticationFilterSecurityContextHolderStrategyRef);
|
createX509Filter(authenticationManager, authenticationFilterSecurityContextHolderStrategyRef);
|
||||||
createJeeFilter(authenticationManager, authenticationFilterSecurityContextHolderStrategyRef);
|
createJeeFilter(authenticationManager, authenticationFilterSecurityContextHolderStrategyRef);
|
||||||
createLogoutFilter(authenticationFilterSecurityContextHolderStrategyRef);
|
createLogoutFilter(authenticationFilterSecurityContextHolderStrategyRef);
|
||||||
createSaml2LogoutFilter();
|
createSaml2LogoutFilter(authenticationFilterSecurityContextHolderStrategyRef);
|
||||||
createLoginPageFilterIfNeeded();
|
createLoginPageFilterIfNeeded();
|
||||||
createUserDetailsServiceFactory();
|
createUserDetailsServiceFactory();
|
||||||
createExceptionTranslationFilter(authenticationFilterSecurityContextHolderStrategyRef);
|
createExceptionTranslationFilter(authenticationFilterSecurityContextHolderStrategyRef);
|
||||||
|
@ -635,13 +635,13 @@ final class AuthenticationConfigBuilder {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void createSaml2LogoutFilter() {
|
private void createSaml2LogoutFilter(BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef) {
|
||||||
Element saml2LogoutElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.SAML2_LOGOUT);
|
Element saml2LogoutElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.SAML2_LOGOUT);
|
||||||
if (saml2LogoutElt == null) {
|
if (saml2LogoutElt == null) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
Saml2LogoutBeanDefinitionParser parser = new Saml2LogoutBeanDefinitionParser(this.logoutHandlers,
|
Saml2LogoutBeanDefinitionParser parser = new Saml2LogoutBeanDefinitionParser(this.logoutHandlers,
|
||||||
this.logoutSuccessHandler);
|
this.logoutSuccessHandler, authenticationFilterSecurityContextHolderStrategyRef);
|
||||||
parser.parse(saml2LogoutElt, this.pc);
|
parser.parse(saml2LogoutElt, this.pc);
|
||||||
BeanDefinition saml2LogoutFilter = parser.getLogoutFilter();
|
BeanDefinition saml2LogoutFilter = parser.getLogoutFilter();
|
||||||
BeanDefinition saml2LogoutRequestFilter = parser.getLogoutRequestFilter();
|
BeanDefinition saml2LogoutRequestFilter = parser.getLogoutRequestFilter();
|
||||||
|
|
|
@ -77,10 +77,14 @@ final class Saml2LogoutBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
|
|
||||||
private BeanDefinition logoutFilter;
|
private BeanDefinition logoutFilter;
|
||||||
|
|
||||||
|
private BeanMetadataElement authenticationFilterSecurityContextHolderStrategy;
|
||||||
|
|
||||||
Saml2LogoutBeanDefinitionParser(ManagedList<BeanMetadataElement> logoutHandlers,
|
Saml2LogoutBeanDefinitionParser(ManagedList<BeanMetadataElement> logoutHandlers,
|
||||||
BeanMetadataElement logoutSuccessHandler) {
|
BeanMetadataElement logoutSuccessHandler,
|
||||||
|
BeanMetadataElement authenticationFilterSecurityContextHolderStrategy) {
|
||||||
this.logoutHandlers = logoutHandlers;
|
this.logoutHandlers = logoutHandlers;
|
||||||
this.logoutSuccessHandler = logoutSuccessHandler;
|
this.logoutSuccessHandler = logoutSuccessHandler;
|
||||||
|
this.authenticationFilterSecurityContextHolderStrategy = authenticationFilterSecurityContextHolderStrategy;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -119,7 +123,10 @@ final class Saml2LogoutBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
this.logoutRequestFilter = BeanDefinitionBuilder.rootBeanDefinition(Saml2LogoutRequestFilter.class)
|
this.logoutRequestFilter = BeanDefinitionBuilder.rootBeanDefinition(Saml2LogoutRequestFilter.class)
|
||||||
.addConstructorArgValue(registrations).addConstructorArgValue(logoutRequestValidator)
|
.addConstructorArgValue(registrations).addConstructorArgValue(logoutRequestValidator)
|
||||||
.addConstructorArgValue(logoutResponseResolver).addConstructorArgValue(this.logoutHandlers)
|
.addConstructorArgValue(logoutResponseResolver).addConstructorArgValue(this.logoutHandlers)
|
||||||
.addPropertyValue("logoutRequestMatcher", logoutRequestMatcher).getBeanDefinition();
|
.addPropertyValue("logoutRequestMatcher", logoutRequestMatcher)
|
||||||
|
.addPropertyValue("securityContextHolderStrategy",
|
||||||
|
this.authenticationFilterSecurityContextHolderStrategy)
|
||||||
|
.getBeanDefinition();
|
||||||
BeanMetadataElement logoutResponseValidator = Saml2LogoutBeanDefinitionParserUtils
|
BeanMetadataElement logoutResponseValidator = Saml2LogoutBeanDefinitionParserUtils
|
||||||
.getLogoutResponseValidator(element);
|
.getLogoutResponseValidator(element);
|
||||||
BeanMetadataElement logoutRequestRepository = Saml2LogoutBeanDefinitionParserUtils
|
BeanMetadataElement logoutRequestRepository = Saml2LogoutBeanDefinitionParserUtils
|
||||||
|
|
|
@ -32,6 +32,7 @@ import org.springframework.security.config.test.SpringTestContext;
|
||||||
import org.springframework.security.config.test.SpringTestContextExtension;
|
import org.springframework.security.config.test.SpringTestContextExtension;
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
import org.springframework.security.core.AuthenticationException;
|
import org.springframework.security.core.AuthenticationException;
|
||||||
|
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||||
import org.springframework.security.saml2.core.Saml2Utils;
|
import org.springframework.security.saml2.core.Saml2Utils;
|
||||||
import org.springframework.security.saml2.core.TestSaml2X509Credentials;
|
import org.springframework.security.saml2.core.TestSaml2X509Credentials;
|
||||||
|
@ -61,6 +62,7 @@ import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||||
import static org.mockito.ArgumentMatchers.any;
|
import static org.mockito.ArgumentMatchers.any;
|
||||||
import static org.mockito.ArgumentMatchers.anyString;
|
import static org.mockito.ArgumentMatchers.anyString;
|
||||||
import static org.mockito.BDDMockito.given;
|
import static org.mockito.BDDMockito.given;
|
||||||
|
import static org.mockito.Mockito.atLeastOnce;
|
||||||
import static org.mockito.Mockito.mock;
|
import static org.mockito.Mockito.mock;
|
||||||
import static org.mockito.Mockito.verify;
|
import static org.mockito.Mockito.verify;
|
||||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||||
|
@ -178,6 +180,23 @@ public class Saml2LoginBeanDefinitionParserTests {
|
||||||
assertThat(authentication.getPrincipal()).isInstanceOf(Saml2AuthenticatedPrincipal.class);
|
assertThat(authentication.getPrincipal()).isInstanceOf(Saml2AuthenticatedPrincipal.class);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void authenticateWhenCustomSecurityContextHolderStrategyThenUses() throws Exception {
|
||||||
|
this.spring.configLocations(this.xml("WithCustomSecurityContextHolderStrategy")).autowire();
|
||||||
|
RelyingPartyRegistration relyingPartyRegistration = relyingPartyRegistrationWithVerifyingCredential();
|
||||||
|
// @formatter:off
|
||||||
|
this.mvc.perform(post("/login/saml2/sso/" + relyingPartyRegistration.getRegistrationId()).param(Saml2ParameterNames.SAML_RESPONSE, SIGNED_RESPONSE))
|
||||||
|
.andDo(MockMvcResultHandlers.print())
|
||||||
|
.andExpect(status().is2xxSuccessful());
|
||||||
|
// @formatter:on
|
||||||
|
ArgumentCaptor<Authentication> authenticationCaptor = ArgumentCaptor.forClass(Authentication.class);
|
||||||
|
verify(this.authenticationSuccessHandler).onAuthenticationSuccess(any(), any(), authenticationCaptor.capture());
|
||||||
|
Authentication authentication = authenticationCaptor.getValue();
|
||||||
|
assertThat(authentication.getPrincipal()).isInstanceOf(Saml2AuthenticatedPrincipal.class);
|
||||||
|
SecurityContextHolderStrategy strategy = this.spring.getContext().getBean(SecurityContextHolderStrategy.class);
|
||||||
|
verify(strategy, atLeastOnce()).getContext();
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void authenticateWhenAuthenticationResponseValidThenAuthenticationSuccessEventPublished() throws Exception {
|
public void authenticateWhenAuthenticationResponseValidThenAuthenticationSuccessEventPublished() throws Exception {
|
||||||
this.spring.configLocations(this.xml("WithCustomRelyingPartyRepository")).autowire();
|
this.spring.configLocations(this.xml("WithCustomRelyingPartyRepository")).autowire();
|
||||||
|
|
|
@ -35,6 +35,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||||
import org.springframework.security.config.test.SpringTestContext;
|
import org.springframework.security.config.test.SpringTestContext;
|
||||||
import org.springframework.security.config.test.SpringTestContextExtension;
|
import org.springframework.security.config.test.SpringTestContextExtension;
|
||||||
import org.springframework.security.core.authority.AuthorityUtils;
|
import org.springframework.security.core.authority.AuthorityUtils;
|
||||||
|
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||||
import org.springframework.security.saml2.core.Saml2Utils;
|
import org.springframework.security.saml2.core.Saml2Utils;
|
||||||
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
|
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
|
||||||
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
|
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
|
||||||
|
@ -63,6 +64,7 @@ import static org.assertj.core.api.Assertions.assertThat;
|
||||||
import static org.hamcrest.Matchers.containsString;
|
import static org.hamcrest.Matchers.containsString;
|
||||||
import static org.mockito.ArgumentMatchers.any;
|
import static org.mockito.ArgumentMatchers.any;
|
||||||
import static org.mockito.BDDMockito.given;
|
import static org.mockito.BDDMockito.given;
|
||||||
|
import static org.mockito.Mockito.atLeastOnce;
|
||||||
import static org.mockito.Mockito.verify;
|
import static org.mockito.Mockito.verify;
|
||||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
|
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
|
||||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||||
|
@ -233,6 +235,23 @@ public class Saml2LogoutBeanDefinitionParserTests {
|
||||||
assertThat(location).startsWith("https://ap.example.org/logout/saml2/response");
|
assertThat(location).startsWith("https://ap.example.org/logout/saml2/response");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void saml2LogoutRequestWhenCustomSecurityContextHolderStrategyThenUses() throws Exception {
|
||||||
|
this.spring.configLocations(this.xml("WithSecurityContextHolderStrategy")).autowire();
|
||||||
|
DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal("user",
|
||||||
|
Collections.emptyMap());
|
||||||
|
principal.setRelyingPartyRegistrationId("get");
|
||||||
|
Saml2Authentication user = new Saml2Authentication(principal, "response",
|
||||||
|
AuthorityUtils.createAuthorityList("ROLE_USER"));
|
||||||
|
MvcResult result = this.mvc.perform(get("/logout/saml2/slo").param("SAMLRequest", this.apLogoutRequest)
|
||||||
|
.param("RelayState", this.apLogoutRequestRelayState).param("SigAlg", this.apLogoutRequestSigAlg)
|
||||||
|
.param("Signature", this.apLogoutRequestSignature).with(samlQueryString()).with(authentication(user)))
|
||||||
|
.andExpect(status().isFound()).andReturn();
|
||||||
|
String location = result.getResponse().getHeader("Location");
|
||||||
|
assertThat(location).startsWith("https://ap.example.org/logout/saml2/response");
|
||||||
|
verify(getBean(SecurityContextHolderStrategy.class), atLeastOnce()).getContext();
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void saml2LogoutRequestWhenNoRegistrationThen400() throws Exception {
|
public void saml2LogoutRequestWhenNoRegistrationThen400() throws Exception {
|
||||||
this.spring.configLocations(this.xml("Default")).autowire();
|
this.spring.configLocations(this.xml("Default")).autowire();
|
||||||
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!--
|
||||||
|
~ Copyright 2002-2021 the original author or authors.
|
||||||
|
~
|
||||||
|
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
~ you may not use this file except in compliance with the License.
|
||||||
|
~ You may obtain a copy of the License at
|
||||||
|
~
|
||||||
|
~ https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
~
|
||||||
|
~ Unless required by applicable law or agreed to in writing, software
|
||||||
|
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
~ See the License for the specific language governing permissions and
|
||||||
|
~ limitations under the License.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
|
||||||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
xmlns="http://www.springframework.org/schema/security"
|
||||||
|
xsi:schemaLocation="
|
||||||
|
http://www.springframework.org/schema/security
|
||||||
|
https://www.springframework.org/schema/security/spring-security.xsd
|
||||||
|
http://www.springframework.org/schema/beans
|
||||||
|
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||||
|
|
||||||
|
<http auto-config="true" security-context-holder-strategy-ref="ref">
|
||||||
|
<intercept-url pattern="/**" access="authenticated"/>
|
||||||
|
<saml2-login authentication-success-handler-ref="authenticationSuccessHandler" relying-party-registration-repository-ref="relyingPartyRegistrationRepository"/>
|
||||||
|
</http>
|
||||||
|
|
||||||
|
<b:bean id="ref" class="org.mockito.Mockito" factory-method="spy">
|
||||||
|
<b:constructor-arg>
|
||||||
|
<b:bean class="org.springframework.security.config.MockSecurityContextHolderStrategy"/>
|
||||||
|
</b:constructor-arg>
|
||||||
|
</b:bean>
|
||||||
|
|
||||||
|
<b:bean id="authenticationSuccessListener" class="org.mockito.Mockito" factory-method="mock">
|
||||||
|
<b:constructor-arg value="org.springframework.context.ApplicationListener"/>
|
||||||
|
</b:bean>
|
||||||
|
<b:bean id="authenticationSuccessHandler" class="org.mockito.Mockito" factory-method="mock">
|
||||||
|
<b:constructor-arg value="org.springframework.security.web.authentication.AuthenticationSuccessHandler"/>
|
||||||
|
</b:bean>
|
||||||
|
<b:bean id="relyingPartyRegistrationRepository" class="org.mockito.Mockito" factory-method="mock">
|
||||||
|
<b:constructor-arg value="org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository"/>
|
||||||
|
</b:bean>
|
||||||
|
|
||||||
|
<b:import resource="userservice.xml"/>
|
||||||
|
</b:beans>
|
|
@ -0,0 +1,41 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!--
|
||||||
|
~ Copyright 2002-2022 the original author or authors.
|
||||||
|
~
|
||||||
|
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
~ you may not use this file except in compliance with the License.
|
||||||
|
~ You may obtain a copy of the License at
|
||||||
|
~
|
||||||
|
~ https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
~
|
||||||
|
~ Unless required by applicable law or agreed to in writing, software
|
||||||
|
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
~ See the License for the specific language governing permissions and
|
||||||
|
~ limitations under the License.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
|
||||||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
xmlns="http://www.springframework.org/schema/security"
|
||||||
|
xsi:schemaLocation="
|
||||||
|
http://www.springframework.org/schema/security
|
||||||
|
https://www.springframework.org/schema/security/spring-security.xsd
|
||||||
|
http://www.springframework.org/schema/beans
|
||||||
|
https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||||
|
|
||||||
|
<http auto-config="true" security-context-holder-strategy-ref="ref">
|
||||||
|
<intercept-url pattern="/**" access="authenticated"/>
|
||||||
|
<saml2-login/>
|
||||||
|
<saml2-logout/>
|
||||||
|
</http>
|
||||||
|
|
||||||
|
<b:bean id="ref" class="org.mockito.Mockito" factory-method="spy">
|
||||||
|
<b:constructor-arg>
|
||||||
|
<b:bean class="org.springframework.security.config.MockSecurityContextHolderStrategy"/>
|
||||||
|
</b:constructor-arg>
|
||||||
|
</b:bean>
|
||||||
|
|
||||||
|
<b:import resource="userservice.xml"/>
|
||||||
|
<b:import resource="../saml2/logout-registrations.xml"/>
|
||||||
|
</b:beans>
|
Loading…
Reference in New Issue