From d5c953b10603202d44c4c9c03a544c14a630213d Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Tue, 27 Jul 2021 14:53:14 -0600
Subject: [PATCH] Polish Saml2AuthenticationRequestRepository

- Moved docs into AuthnRequest section, changed links to be more semantically valuable to search engines
- Moved tests to be nearer to similar tests

Issue gh-9185
---
 .../_includes/servlet/saml2/saml2-login.adoc | 61 ++++++++++---------
 .../Saml2WebSsoAuthenticationFilterTests.java | 9 ++-
 ...aml2AuthenticationTokenConverterTests.java | 18 ++++--
 3 files changed, 48 insertions(+), 40 deletions(-)

diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
index bcab469f59..2a95f546bc 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc
@@ -865,6 +865,37 @@ For example, if you were deployed to `https://rp.example.com` and you gave your
 and the result would be a redirect that included a `SAMLRequest` parameter containing the signed, deflated, and encoded ``.
+[[servlet-saml2login-store-authn-request]]
+==== Changing How the `` Gets Stored
+
+`Saml2WebSsoAuthenticationRequestFilter` uses an `Saml2AuthenticationRequestRepository` to persist an `AbstractSaml2AuthenticationRequest` instance before <`>> to the asserting party.
+
+Additionally, `Saml2WebSsoAuthenticationFilter` and `Saml2AuthenticationTokenConverter` use an `Saml2AuthenticationRequestRepository` to load any `AbstractSaml2AuthenticationRequest` as part of <`>>.
+
+By default, Spring Security uses an `HttpSessionSaml2AuthenticationRequestRepository`, which stores the `AbstractSaml2AuthenticationRequest` in the `HttpSession`.
+
+If you have a custom implementation of `Saml2AuthenticationRequestRepository`, you may configure it by exposing it as a `@Bean` as shown in the following example:
+
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+Saml2AuthenticationRequestRepository authenticationRequestRepository() {
+ return new CustomSaml2AuthenticationRequestRepository();
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun authenticationRequestRepository(): Saml2AuthenticationRequestRepository {
+ return CustomSaml2AuthenticationRequestRepository()
+}
+----
+====
+
 [[servlet-saml2login-sp-initiated-factory-signing]]
 ==== Changing How the `` Gets Sent
@@ -1610,33 +1641,3 @@ http {
 The success handler will send logout requests to the asserting party.
 The request matcher will detect logout requests from the asserting party.
-
-[[servlet-saml2login-store-authn-request]]
-=== Storing the `AuthnRequest`
-
-The `Saml2AuthenticationRequestRepository` is responsible for the persistence of the `AuthnRequest` from the time the `AuthnRequest` <> to the time the `SAMLResponse` <>.
-The `Saml2AuthenticationTokenConverter` is responsible for loading the `AuthnRequest` from the `Saml2AuthenticationRequestRepository` and saving it into the `Saml2AuthenticationToken`.
-
-The default implementation of `Saml2AuthenticationRequestRepository` is `HttpSessionSaml2AuthenticationRequestRepository`, which stores the `AuthnRequest` in the `HttpSession`.
-
-If you have a custom implementation of `Saml2AuthenticationRequestRepository`, you may configure it by exposing it as a `@Bean` as shown in the following example:
-
-====
-.Java
-[source,java,role="primary"]
-----
-@Bean
-Saml2AuthenticationRequestRepository authenticationRequestRepository() {
- return new CustomSaml2AuthenticationRequestRepository();
-}
-----
-
-.Kotlin
-[source,kotlin,role="secondary"]
-----
-@Bean
-open fun authenticationRequestRepository(): Saml2AuthenticationRequestRepository {
- return CustomSaml2AuthenticationRequestRepository()
-}
-----
-====
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilterTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilterTests.java
index ffece463e1..11b07fd2fc 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilterTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilterTests.java
@@ -114,17 +114,16 @@ public class Saml2WebSsoAuthenticationFilterTests {
 
 @Test
 public void setAuthenticationRequestRepositoryWhenExpectedAuthenticationConverterTypeThenSetLoaderIntoConverter() {
- Saml2AuthenticationTokenConverter authenticationConverterMock = mock(Saml2AuthenticationTokenConverter.class);
+ Saml2AuthenticationTokenConverter authenticationConverter = mock(Saml2AuthenticationTokenConverter.class);
 Saml2AuthenticationRequestRepository authenticationRequestRepository = mock(
 Saml2AuthenticationRequestRepository.class);
- this.filter = new Saml2WebSsoAuthenticationFilter(authenticationConverterMock,
- "/some/other/path/{registrationId}");
+ this.filter = new Saml2WebSsoAuthenticationFilter(authenticationConverter, "/some/other/path/{registrationId}");
 this.filter.setAuthenticationRequestRepository(authenticationRequestRepository);
- verify(authenticationConverterMock).setAuthenticationRequestRepository(authenticationRequestRepository);
+ verify(authenticationConverter).setAuthenticationRequestRepository(authenticationRequestRepository);
 }
 
 @Test
- public void setAuthenticationRequestRepositoryWhenNotExpectedAuthenticationConverterTypeThenDontSet() {
+ public void setAuthenticationRequestRepositoryWhenNotExpectedAuthenticationConverterTypeThenDoNotSet() {
 AuthenticationConverter authenticationConverter = mock(AuthenticationConverter.class);
 Saml2AuthenticationRequestRepository authenticationRequestRepository = mock(
 Saml2AuthenticationRequestRepository.class);
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java
index ecd69f7dea..e922dcc699 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java
@@ -141,11 +141,6 @@ public class Saml2AuthenticationTokenConverterTests {
 (ex) -> assertThat(ex.getSaml2Error().getDescription()).isEqualTo("Unable to inflate string"));
 }
 
- @Test
- public void constructorWhenResolverIsNullThenIllegalArgument() {
- assertThatIllegalArgumentException().isThrownBy(() -> new Saml2AuthenticationTokenConverter(null));
- }
-
 @Test
 public void convertWhenUsingSamlUtilsBase64ThenXmlIsValid() throws Exception {
 Saml2AuthenticationTokenConverter converter = new Saml2AuthenticationTokenConverter(
@@ -179,6 +174,19 @@ public class Saml2AuthenticationTokenConverterTests {
 assertThat(token.getAuthenticationRequest()).isEqualTo(authenticationRequest);
 }
 
+ @Test
+ public void constructorWhenResolverIsNullThenIllegalArgument() {
+ assertThatIllegalArgumentException().isThrownBy(() -> new Saml2AuthenticationTokenConverter(null));
+ }
+
+ @Test
+ public void setAuthenticationRequestRepositoryWhenNullThenIllegalArgument() {
+ Saml2AuthenticationTokenConverter converter = new Saml2AuthenticationTokenConverter(
+ this.relyingPartyRegistrationResolver);
+ assertThatExceptionOfType(IllegalArgumentException.class)
+ .isThrownBy(() -> converter.setAuthenticationRequestRepository(null));
+ }
+
 private void validateSsoCircleXml(String xml) {
 assertThat(xml).contains("InResponseTo=\"ARQ9a73ead-7dcf-45a8-89eb-26f3c9900c36\"")
 .contains(" ID=\"s246d157446618e90e43fb79bdd4d9e9e19cf2c7c4\"")
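Review bot: The new `setAuthenticationRequestRepositoryWhenNullThenIllegalArgument` test in the second hunk spells its null-guard assertion differently from the sibling `constructorWhenResolverIsNullThenIllegalArgument` placed directly above it: one uses `assertThatExceptionOfType(IllegalArgumentException.class)`, the other `assertThatIllegalArgumentException()`. Using the shorter form in both keeps the file consistent and collapses the two-line assertion to one: `assertThatIllegalArgumentException().isThrownBy(() -> converter.setAuthenticationRequestRepository(null));`. Neither test pins the exception message, so a regression that dropped the explicit null guard but still produced an IllegalArgumentException from some later code path would pass unnoticed; if the converter's guard carries a message, asserting it with `.withMessageContaining(...)` would tighten the check. Both tests depend on `this.relyingPartyRegistrationResolver` and the class's static AssertJ imports, which sit outside the hunk.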