Add Switch for Processing GET Requests

Issue gh-17099
2025-06-08 05:02:13 +00:00 · 2025-06-03 13:03:21 -06:00 · 2025-06-03 13:03:21 -06:00 · f73f253beb
commit f73f253beb
parent 32c7e8a6ee
3 changed files with 32 additions and 4 deletions
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/BaseOpenSamlAuthenticationTokenConverter.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/BaseOpenSamlAuthenticationTokenConverter.java
@ -51,6 +51,8 @@ final class BaseOpenSamlAuthenticationTokenConverter implements AuthenticationCo

 	private Saml2AuthenticationRequestRepository<?> authenticationRequests = new HttpSessionSaml2AuthenticationRequestRepository();

+	private boolean shouldConvertGetRequests = true;
+
 	/**
 	 * Constructs a {@link BaseOpenSamlAuthenticationTokenConverter} given a repository
 	 * for {@link RelyingPartyRegistration}s
@ -172,13 +174,19 @@ final class BaseOpenSamlAuthenticationTokenConverter implements AuthenticationCo
 		this.requestMatcher = requestMatcher;
 	}

+	void setShouldConvertGetRequests(boolean shouldConvertGetRequests) {
+		this.shouldConvertGetRequests = shouldConvertGetRequests;
+	}
+
 	private String decode(HttpServletRequest request) {
 		String encoded = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
+		boolean isGet = HttpMethod.GET.matches(request.getMethod());
+		if (!this.shouldConvertGetRequests && isGet) {
+			return null;
+		}
+		Saml2Utils.DecodingConfigurer decoding = Saml2Utils.withEncoded(encoded).requireBase64(true).inflate(isGet);
 		try {
-			return Saml2Utils.withEncoded(encoded)
-				.requireBase64(true)
-				.inflate(HttpMethod.GET.matches(request.getMethod()))
-				.decode();
+			return decoding.decode();
 		}
 		catch (Exception ex) {
 			throw new Saml2AuthenticationException(Saml2Error.invalidResponse(ex.getMessage()), ex);
--- a/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/web/OpenSaml4AuthenticationTokenConverter.java
+++ b/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/web/OpenSaml4AuthenticationTokenConverter.java
@ -101,4 +101,14 @@ public final class OpenSaml4AuthenticationTokenConverter implements Authenticati
 		this.delegate.setRequestMatcher(requestMatcher);
 	}

+	/**
+	 * Use the given {@code shouldConvertGetRequests} to convert {@code GET} requests.
+	 * Default is {@code true}.
+	 * @param shouldConvertGetRequests the {@code shouldConvertGetRequests} to use
+	 * @since 7.0
+	 */
+	public void setShouldConvertGetRequests(boolean shouldConvertGetRequests) {
+		this.delegate.setShouldConvertGetRequests(shouldConvertGetRequests);
+	}
+
 }
--- a/saml2/saml2-service-provider/src/opensaml5Main/java/org/springframework/security/saml2/provider/service/web/OpenSaml5AuthenticationTokenConverter.java
+++ b/saml2/saml2-service-provider/src/opensaml5Main/java/org/springframework/security/saml2/provider/service/web/OpenSaml5AuthenticationTokenConverter.java
@ -101,4 +101,14 @@ public final class OpenSaml5AuthenticationTokenConverter implements Authenticati
 		this.delegate.setRequestMatcher(requestMatcher);
 	}

+	/**
+	 * Use the given {@code shouldConvertGetRequests} to convert {@code GET} requests.
+	 * Default is {@code true}.
+	 * @param shouldConvertGetRequests the {@code shouldConvertGetRequests} to use
+	 * @since 7.0
+	 */
+	public void setShouldConvertGetRequests(boolean shouldConvertGetRequests) {
+		this.delegate.setShouldConvertGetRequests(shouldConvertGetRequests);
+	}
+
 }