From b451ede189ca73dc4edcf4cf7d0e5a6530642679 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Wed, 16 Feb 2022 15:12:17 -0700 Subject: [PATCH] Add Skipping Decryption Error Message Closes gh-10220 --- .../authentication/OpenSaml4AuthenticationProvider.java | 4 ++++ .../authentication/OpenSaml4AuthenticationProviderTests.java | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java b/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java index afc61af57e..51d9dc1abb 100644 --- a/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java +++ b/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java @@ -491,6 +491,10 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv if (responseSigned) { this.responseElementsDecrypter.accept(responseToken); } + else if (!response.getEncryptedAssertions().isEmpty()) { + result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE, + "Did not decrypt response [" + response.getID() + "] since it is not signed")); + } result = result.concat(this.responseValidator.convert(responseToken)); boolean allAssertionsSigned = true; for (Assertion assertion : response.getAssertions()) { diff --git a/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java b/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java index c0b5247fe9..ed3ad288f7 100644 --- a/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java +++ b/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java @@ -280,7 +280,7 @@ public class OpenSaml4AuthenticationProviderTests { Saml2AuthenticationToken token = token(response, decrypting(verifying(registration()))); assertThatExceptionOfType(Saml2AuthenticationException.class) .isThrownBy(() -> this.provider.authenticate(token)) - .satisfies(errorOf(Saml2ErrorCodes.MALFORMED_RESPONSE_DATA)); + .satisfies(errorOf(Saml2ErrorCodes.INVALID_SIGNATURE, "Did not decrypt response")); } @Test