Polish AuthnRequestsSigned support

Issue gh-12604
This commit is contained in:
Josh Cummings 2023-03-20 13:58:09 -06:00
parent 21d919169a
commit fd6aecf8da
3 changed files with 29 additions and 14 deletions


@ -148,7 +148,7 @@ public class RelyingPartyRegistration {
.singleLogoutServiceLocation(this.singleLogoutServiceLocation) .singleLogoutServiceLocation(this.singleLogoutServiceLocation)
.singleLogoutServiceResponseLocation(this.singleLogoutServiceResponseLocation) .singleLogoutServiceResponseLocation(this.singleLogoutServiceResponseLocation)
.singleLogoutServiceBindings((c) -> c.addAll(this.singleLogoutServiceBindings)) .singleLogoutServiceBindings((c) -> c.addAll(this.singleLogoutServiceBindings))
.nameIdFormat(this.nameIdFormat) .nameIdFormat(this.nameIdFormat).authnRequestsSigned(this.authnRequestsSigned)
.assertingPartyDetails((assertingParty) -> assertingParty.entityId(party.getEntityId()) .assertingPartyDetails((assertingParty) -> assertingParty.entityId(party.getEntityId())
.wantAuthnRequestsSigned(party.getWantAuthnRequestsSigned()) .wantAuthnRequestsSigned(party.getWantAuthnRequestsSigned())
.signingAlgorithms((algorithms) -> algorithms.addAll(party.getSigningAlgorithms())) .signingAlgorithms((algorithms) -> algorithms.addAll(party.getSigningAlgorithms()))
@ -285,12 +285,20 @@ public class RelyingPartyRegistration {
} }
/** /**
* Get the WantAuthnRequestsSigned setting * Get the <a href=
* @return the WantAuthnRequestsSigned setting * "https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf#page=18">
* @since 6.0 * AuthnRequestsSigned</a> setting. If {@code true}, the relying party will sign all
* AuthnRequests, regardless of asserting party preference.
*
* <p>
* Note that Spring Security will sign the request if either
* {@link #isAuthnRequestsSigned()} is {@code true} or
* {@link AssertingPartyDetails#getWantAuthnRequestsSigned()} is {@code true}.
* @return the relying-party preference
* @since 6.1
*/ */
public boolean isAuthnRequestsSigned() { public boolean isAuthnRequestsSigned() {
return authnRequestsSigned; return this.authnRequestsSigned;
} }
/** /**
@ -368,8 +376,7 @@ public class RelyingPartyRegistration {
.singleLogoutServiceLocation(registration.getSingleLogoutServiceLocation()) .singleLogoutServiceLocation(registration.getSingleLogoutServiceLocation())
.singleLogoutServiceResponseLocation(registration.getSingleLogoutServiceResponseLocation()) .singleLogoutServiceResponseLocation(registration.getSingleLogoutServiceResponseLocation())
.singleLogoutServiceBindings((c) -> c.addAll(registration.getSingleLogoutServiceBindings())) .singleLogoutServiceBindings((c) -> c.addAll(registration.getSingleLogoutServiceBindings()))
.nameIdFormat(registration.getNameIdFormat()) .nameIdFormat(registration.getNameIdFormat()).authnRequestsSigned(registration.isAuthnRequestsSigned())
.authnRequestsSigned(registration.isAuthnRequestsSigned())
.assertingPartyDetails((assertingParty) -> assertingParty .assertingPartyDetails((assertingParty) -> assertingParty
.entityId(registration.getAssertingPartyDetails().getEntityId()) .entityId(registration.getAssertingPartyDetails().getEntityId())
.wantAuthnRequestsSigned(registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) .wantAuthnRequestsSigned(registration.getAssertingPartyDetails().getWantAuthnRequestsSigned())
@ -990,10 +997,17 @@ public class RelyingPartyRegistration {
} }
/** /**
* Set the AuthnRequestsSigned setting * Set the <a href=
* @param authnRequestsSigned * "https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf#page=18">
* AuthnRequestsSigned</a> setting. If {@code true}, the relying party will sign
* all AuthnRequests, 301 asserting party preference.
*
* <p>
* Note that Spring Security will sign the request if either
* {@link #isAuthnRequestsSigned()} is {@code true} or
* {@link AssertingPartyDetails#getWantAuthnRequestsSigned()} is {@code true}.
* @return the {@link Builder} for further configuration * @return the {@link Builder} for further configuration
* @since 6.0 * @since 6.1
*/ */
public Builder authnRequestsSigned(Boolean authnRequestsSigned) { public Builder authnRequestsSigned(Boolean authnRequestsSigned) {
this.authnRequestsSigned = authnRequestsSigned; this.authnRequestsSigned = authnRequestsSigned;
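Review bot: The new Javadoc on the Builder's `authnRequestsSigned(Boolean)` reads `all AuthnRequests, 301 asserting party preference`, which looks like a mangled `regardless of asserting party preference` (the getter's wording at the same point), and the `@param authnRequestsSigned` tag visible on the old side appears to have been dropped in the rewrite; both should be restored so the setter documents its one argument. The setter also still takes a boxed `Boolean` while `isAuthnRequestsSigned()` returns a primitive read from the same field, so, as far as this hunk shows, a `null` passed here would surface later as an unboxing `NullPointerException` rather than a clear configuration error; consider a primitive parameter or an explicit guard such as `Assert.notNull(authnRequestsSigned, "authnRequestsSigned cannot be null");` before the assignment. Because this flag is the relying party's own published metadata preference that is OR-ed with the asserting party's `WantAuthnRequestsSigned` in the request resolver, a `@param` sentence stating that leaving it unset defers entirely to the asserting party's preference would make the signing decision explicit at the configuration point. The setter's body continues past the end of the hunk.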


@ -142,7 +142,8 @@ class OpenSamlAuthenticationRequestResolver {
String relayState = this.relayStateResolver.convert(request); String relayState = this.relayStateResolver.convert(request);
Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleSignOnServiceBinding(); Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleSignOnServiceBinding();
if (binding == Saml2MessageBinding.POST) { if (binding == Saml2MessageBinding.POST) {
if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned() || registration.isAuthnRequestsSigned()) { if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()
|| registration.isAuthnRequestsSigned()) {
OpenSamlSigningUtils.sign(authnRequest, registration); OpenSamlSigningUtils.sign(authnRequest, registration);
} }
String xml = serialize(authnRequest); String xml = serialize(authnRequest);
@ -156,7 +157,8 @@ class OpenSamlAuthenticationRequestResolver {
Saml2RedirectAuthenticationRequest.Builder builder = Saml2RedirectAuthenticationRequest Saml2RedirectAuthenticationRequest.Builder builder = Saml2RedirectAuthenticationRequest
.withRelyingPartyRegistration(registration).samlRequest(deflatedAndEncoded).relayState(relayState) .withRelyingPartyRegistration(registration).samlRequest(deflatedAndEncoded).relayState(relayState)
.id(authnRequest.getID()); .id(authnRequest.getID());
if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned() || registration.isAuthnRequestsSigned()) { if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()
|| registration.isAuthnRequestsSigned()) {
Map<String, String> parameters = OpenSamlSigningUtils.sign(registration) Map<String, String> parameters = OpenSamlSigningUtils.sign(registration)
.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded) .param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded)
.param(Saml2ParameterNames.RELAY_STATE, relayState).parameters(); .param(Saml2ParameterNames.RELAY_STATE, relayState).parameters();


@ -29,8 +29,7 @@ public class RelyingPartyRegistrationTests {
@Test @Test
public void withRelyingPartyRegistrationWorks() { public void withRelyingPartyRegistrationWorks() {
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.relyingPartyRegistration() RelyingPartyRegistration registration = TestRelyingPartyRegistrations.relyingPartyRegistration()
.nameIdFormat("format") .nameIdFormat("format").authnRequestsSigned(true)
.authnRequestsSigned(true)
.assertingPartyDetails((a) -> a.singleSignOnServiceBinding(Saml2MessageBinding.POST)) .assertingPartyDetails((a) -> a.singleSignOnServiceBinding(Saml2MessageBinding.POST))
.assertingPartyDetails((a) -> a.wantAuthnRequestsSigned(false)) .assertingPartyDetails((a) -> a.wantAuthnRequestsSigned(false))
.assertingPartyDetails((a) -> a.signingAlgorithms((algs) -> algs.add("alg"))) .assertingPartyDetails((a) -> a.signingAlgorithms((algs) -> algs.add("alg")))