Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch '5.7.x' into 5.8.x

This commit is contained in:
Josh Cummings 2023-06-05 13:18:22 -06:00
parent b47420f8a2 e834543eed
commit df4411fb48
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
2 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
docs/modules/ROOT/pages/servlet/saml2/login/authentication.adoc
View File

@ -96,7 +96,7 @@ relyingPartyRegistrationBuilder.assertionConsumerServiceLocation("/saml2/login/s
== Setting a Clock Skew == Setting a Clock Skew
It's not uncommon for the asserting and relying parties to have system clocks that aren't perfectly synchronized. It's not uncommon for the asserting and relying parties to have system clocks that aren't perfectly synchronized.
For that reason, you can configure `OpenSaml4AuthenticationProvider` 's default assertion validator with some tolerance: For that reason, you can configure ``OpenSaml4AuthenticationProvider``'s default assertion validator with some tolerance:
==== ====
.Java .Java
@ -238,7 +238,7 @@ open class SecurityConfig {
<3> Third, return a custom authentication that includes the user details <3> Third, return a custom authentication that includes the user details
[NOTE] [NOTE]
It's not required to call `OpenSaml4AuthenticationProvider` 's default authentication converter. It's not required to call ``OpenSaml4AuthenticationProvider``'s default authentication converter.
It returns a `Saml2AuthenticatedPrincipal` containing the attributes it extracted from ``AttributeStatement``s as well as the single `ROLE_USER` authority. It returns a `Saml2AuthenticatedPrincipal` containing the attributes it extracted from ``AttributeStatement``s as well as the single `ROLE_USER` authority.
[[servlet-saml2login-opensamlauthenticationprovider-additionalvalidation]] [[servlet-saml2login-opensamlauthenticationprovider-additionalvalidation]]
@ -271,7 +271,7 @@ After verifying the signature, it will:
1. Validate `<AudienceRestriction>` and `<DelegationRestriction>` conditions 1. Validate `<AudienceRestriction>` and `<DelegationRestriction>` conditions
2. Validate ``<SubjectConfirmation>``s, expect for any IP address information 2. Validate ``<SubjectConfirmation>``s, expect for any IP address information
To perform additional validation, you can configure your own assertion validator that delegates to `OpenSaml4AuthenticationProvider` 's default and then performs its own. To perform additional validation, you can configure your own assertion validator that delegates to ``OpenSaml4AuthenticationProvider``'s default and then performs its own.
[[servlet-saml2login-opensamlauthenticationprovider-onetimeuse]] [[servlet-saml2login-opensamlauthenticationprovider-onetimeuse]]
For example, you can use OpenSAML's `OneTimeUseConditionValidator` to also validate a `<OneTimeUse>` condition, like so: For example, you can use OpenSAML's `OneTimeUseConditionValidator` to also validate a `<OneTimeUse>` condition, like so:
@ -325,7 +325,7 @@ provider.setAssertionValidator { assertionToken ->
==== ====
[NOTE] [NOTE]
While recommended, it's not necessary to call `OpenSaml4AuthenticationProvider` 's default assertion validator. While recommended, it's not necessary to call ``OpenSaml4AuthenticationProvider``'s default assertion validator.
A circumstance where you would skip it would be if you don't need it to check the `<AudienceRestriction>` or the `<SubjectConfirmation>` since you are doing those yourself. A circumstance where you would skip it would be if you don't need it to check the `<AudienceRestriction>` or the `<SubjectConfirmation>` since you are doing those yourself.
[[servlet-saml2login-opensamlauthenticationprovider-decryption]] [[servlet-saml2login-opensamlauthenticationprovider-decryption]]
@ -337,7 +337,7 @@ Spring Security decrypts `<saml2:EncryptedAssertion>`, `<saml2:EncryptedAttribut
The response decrypter is for decrypting encrypted elements of the `<saml2:Response>`, like `<saml2:EncryptedAssertion>`. The response decrypter is for decrypting encrypted elements of the `<saml2:Response>`, like `<saml2:EncryptedAssertion>`.
The assertion decrypter is for decrypting encrypted elements of the `<saml2:Assertion>`, like `<saml2:EncryptedAttribute>` and `<saml2:EncryptedID>`. The assertion decrypter is for decrypting encrypted elements of the `<saml2:Assertion>`, like `<saml2:EncryptedAttribute>` and `<saml2:EncryptedID>`.
You can replace `OpenSaml4AuthenticationProvider`'s default decryption strategy with your own. You can replace ``OpenSaml4AuthenticationProvider``'s default decryption strategy with your own.
For example, if you have a separate service that decrypts the assertions in a `<saml2:Response>`, you can use it instead like so: For example, if you have a separate service that decrypts the assertions in a `<saml2:Response>`, you can use it instead like so:
==== ====

2
docs/modules/ROOT/pages/servlet/saml2/login/overview.adoc
View File

@ -283,7 +283,7 @@ There are two ``@Bean``s that Spring Boot generates for a relying party.
The first is a `SecurityFilterChain` that configures the app as a relying party. The first is a `SecurityFilterChain` that configures the app as a relying party.
When including `spring-security-saml2-service-provider`, the `SecurityFilterChain` looks like: When including `spring-security-saml2-service-provider`, the `SecurityFilterChain` looks like:
.Default JWT Configuration .Default SAML 2.0 Login Configuration
==== ====
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]