diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java index b9fb1e451e..b52f115c6b 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java @@ -61,8 +61,6 @@ class OpenSamlAuthenticationRequestResolver { OpenSamlInitializationService.initialize(); } - private final RequestMatcher requestMatcher = new AntPathRequestMatcher("/saml2/authenticate/{registrationId}"); - private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver; private final AuthnRequestBuilder authnRequestBuilder; @@ -73,6 +71,8 @@ class OpenSamlAuthenticationRequestResolver { private final NameIDBuilder nameIdBuilder; + private RequestMatcher requestMatcher = new AntPathRequestMatcher("/saml2/authenticate/{registrationId}"); + private Converter relayStateResolver = (request) -> UUID.randomUUID().toString(); /** @@ -101,6 +101,10 @@ class OpenSamlAuthenticationRequestResolver { this.relayStateResolver = relayStateResolver; } + void setRequestMatcher(RequestMatcher requestMatcher) { + this.requestMatcher = requestMatcher; + } + T resolve(HttpServletRequest request) { return resolve(request, (registration, logoutRequest) -> { }); diff --git a/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolver.java b/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolver.java index 5637dc1680..937fe13b8b 100644 --- a/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolver.java +++ b/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolver.java @@ -28,6 +28,7 @@ import org.springframework.core.convert.converter.Converter; import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration; import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver; +import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; /** @@ -70,6 +71,19 @@ public final class OpenSaml4AuthenticationRequestResolver implements Saml2Authen this.contextConsumer = contextConsumer; } + /** + * Set the {@link RequestMatcher} to use for setting the + * {@link OpenSamlAuthenticationRequestResolver#setRequestMatcher(RequestMatcher)} + * (RequestMatcher)} + * @param requestMatcher the {@link RequestMatcher} to identify authentication + * requests. + * @since 5.8 + */ + public void setRequestMatcher(RequestMatcher requestMatcher) { + Assert.notNull(requestMatcher, "requestMatcher cannot be null"); + this.authnRequestResolver.setRequestMatcher(requestMatcher); + } + /** * Use this {@link Clock} for generating the issued {@link Instant} * @param clock the {@link Clock} to use diff --git a/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolverTests.java b/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolverTests.java index 0cfb1437c5..ac491d86be 100644 --- a/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolverTests.java +++ b/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolverTests.java @@ -29,6 +29,7 @@ import org.springframework.security.saml2.provider.service.registration.RelyingP import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding; import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations; import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver; +import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import static org.assertj.core.api.Assertions.assertThat; import static org.mockito.ArgumentMatchers.any; @@ -44,8 +45,7 @@ public class OpenSaml4AuthenticationRequestResolverTests { @BeforeEach void setup() { - this.request = new MockHttpServletRequest(); - this.request.setServletPath("/saml2/authenticate/registration-id"); + this.request = givenRequest("/saml2/authenticate/registration-id"); this.registration = TestRelyingPartyRegistrations.full().build(); } @@ -86,4 +86,25 @@ public class OpenSaml4AuthenticationRequestResolverTests { verify(relayState).convert(any()); } + @Test + void resolveWhenCustomAuthenticationUrlTHenUses() { + RelyingPartyRegistrationResolver relyingParties = mock(RelyingPartyRegistrationResolver.class); + given(relyingParties.resolve(any(), any())).willReturn(this.registration); + OpenSaml4AuthenticationRequestResolver resolver = new OpenSaml4AuthenticationRequestResolver(relyingParties); + resolver.setRequestMatcher(new AntPathRequestMatcher("/custom/authentication/{registrationId}")); + Saml2RedirectAuthenticationRequest authnRequest = resolver + .resolve(givenRequest("/custom/authentication/registration-id")); + + assertThat(authnRequest.getBinding()).isEqualTo(Saml2MessageBinding.REDIRECT); + assertThat(authnRequest.getAuthenticationRequestUri()) + .isEqualTo(this.registration.getAssertingPartyDetails().getSingleSignOnServiceLocation()); + + } + + private MockHttpServletRequest givenRequest(String path) { + MockHttpServletRequest request = new MockHttpServletRequest(); + request.setServletPath(path); + return request; + } + }