Commit Graph

364 Commits

Author SHA1 Message Date
Phillip Webb 319d3364aa Migrate to assertThatExceptionOfType
Consistently use `assertThatExceptionOfType(...).isThrownBy(...)`
rather than `assertThatCode` or `assertThatThrownBy`. This aligns with
Spring Boot and Spring Cloud. It also allows the convenience
`assertThatIllegalArgument` and `assertThatIllegalState` methods to
be used.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb a5aa6b3d7f Remove blank lines from all tests
Remove all blank lines from test code so that test methods are
visually grouped together. This generally helps to make the test
classes easer to scan, however, the "given" / "when" / "then"
blocks used by some tests are now not as easy to discern.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 1f03608b73 Polish spring-security-saml2 main code
Manually polish `spring-security-saml2` following the formatting
and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 834dcf5bcf Use consistent ternary expression style
Update all ternary expressions so that the condition is always in
parentheses and "not equals" is used in the test. This helps to bring
consistency across the codebase which makes ternary expression easier
to scan.

For example: `a = (a != null) ? a : b`

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d3f039f76 Reduce method visibility when possible
Reduce method visibility for package private classes when possible.

In the case of abstract classes that will eventually be made public,
the class has been made public and a package-private constructor has
been added.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 52f20b5281 Use parenthesis with single-arg lambdas
Use regular expression search/replace to ensure all single-arg
lambdas have parenthesis. This aligns with the style used in Spring
Boot and ensure that single-arg and multi-arg lambdas are consistent.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 01d90c9881 Hide utility class constructors
Update all utility classes so that they have a private constructor. This
prevents users from accidentally creating an instance, when they should
just use the static methods directly.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb ff94944313 Add whitespace after copyright header
Add an additional lines after the copyright header and before the
`package` declaration. This aligns with the style used by Spring
Framework.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d80166aaf Update exception variable names
Consistently use `ex` for caught exception and `cause` for Exception
constructor arguments.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb e9130489a6 Remove restricted static imports
Replace static imports with class referenced methods. With the exception
of a few well known static imports, checkstyle restricts the static
imports that a class can use. For example, `asList(...)` would be
replaced with `Arrays.asList(...)`.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb db55ef4b3b Migrate to BDD Mockito
Migrate Mockito imports to use the BDD variant. This aligns better with
the "given" / "when" / "then" style used in most tests since the "given"
block now uses Mockito `given(...)` calls.

The commit also updates a few tests that were accidentally using
Power Mockito when regular Mockito could be used.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 81fe9fc640 Make all exception classes immutable
Update all exception classes so that they are fully immutable and cannot
be changed once they have been thrown.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a0b9442265 Use consistent modifier order
Update code to use a consistent modifier order that aligns with that
used in the "Java Language specification".

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a2f2e9ac8d Move inner-types so that they are always last
Move all inner-types so that they are consistently the last item
defined. This aligns with the style used by Spring Framework and
the consistency generally makes it easier to scan the source.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 9e08b51ed3 Apply code cleanup rules to projects
Apply automated cleanup rules to add `@Override` and `@Deprecated`
annotations and to fix class references used with static methods.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 8866fa6fb0 Always use 'this.' when accessing fields
Apply an Eclipse cleanup rules to ensure that fields are always accessed
using `this.`. This aligns with the style used by Spring Framework and
helps users quickly see the difference between a local and member
variable.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 6894ff5d12 Make classes final where possible
Update classes that have private constructors so that they are also
declared final. In a few cases, inner-classes used private constructors
but were subclassed. These have now been changed to have package-private
constructors.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 37fa94fafc Organize imports
Use "organize imports" from Eclipse to cleanup import statements so
that they appear in a consistent and well defined order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 5f64f53c3f Use consistent "@" tag order in Javadoc
Ensure that Javadoc "@" tags appear in a consistent and well defined
order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb b7fc18262d Reformat code using spring-javaformat
Run `./gradlew format` to reformat all java files.

Issue gh-8945
2020-08-24 17:32:56 -05:00
Josh Cummings 21e9a410ee
Remove Package Tangle
Issue gh-8876
2020-08-19 15:52:20 -06:00
Josh Cummings af5c55c380
Polish AuthnRequest Customization Support
Having the application generate the AuthnRequest fresh allows Spring
Security to back away more gracefully. Using a Consumer implies that
the application will need to undo any values that Spring Security set
that the application doesn't want.

Also, if this does become a configuration burden, it can be simplified
in a separate ticket by exposing the default Converter.

Issue gh-8776
2020-08-19 14:27:31 -06:00
Josh Cummings 3694485056
Polish SAML 2.0 Default Assertion Validator
In several cases, taking a pre-set ValidationContext is not sufficient.
For example, the recipient is calculated via the
RelyingPartyRegistration that's currently in the context of the
request.

Instead, then, createDefaultAssertionValidator was broken up into two
different methods: One that takes no parameters and assumes the class's
default ValidationContext, and another that takes a converter to derive
the ValidationContext from the incoming authentication token.

Issue gh-8970
2020-08-19 13:58:42 -06:00
Josh Cummings da7477cd41
Add Response to Authentication Conversion Support
Closes gh-8010
2020-08-18 17:49:34 -06:00
Josh Cummings 0c696dd58b
Remove XSAnyMarshaller AttributeValue Support
In favor of customizing the authentication converter

Closes gh-8864
2020-08-18 17:42:04 -06:00
Josh Cummings 7b3dda161b
Generalize SAML 2.0 Assertion Validation Support
Closes gh-8970
2020-08-18 12:23:42 -06:00
Phillip Webb 27ac046d8a Rename *Test.java -> *Tests.java
Rename a few test classes that accidentally ended in `Test` instead of
`Tests`.

Issue gh-8945
2020-08-10 16:24:44 -05:00
Joe Grandja 1d74d556c2 Revert "Lock Dependency Versions for 5.4.0-RC1"
This reverts commit f3a1e5d40c.
2020-08-05 14:59:11 -04:00
Joe Grandja f3a1e5d40c Lock Dependency Versions for 5.4.0-RC1 2020-08-05 13:46:11 -04:00
Josh Cummings a701555318
Polish Saml2AuthenticationTokenConverter
Issue gh-8768
2020-08-05 10:08:47 -06:00
Josh Cummings f82190b414
Add RelyingPartyRegistrations
Closes gh-8484
2020-08-05 10:08:47 -06:00
Josh Cummings 506786f46e
Replaced Spaces with Tabs
Updated the .gradle file for SAML 2.0 Service Provider to use tabs
2020-08-05 10:08:47 -06:00
Josh Cummings b999faa5a0
Complete SAML 2.0 SP Metadata Endpoint
Closes gh-8693
2020-08-05 10:08:47 -06:00
Jakub Kubrynski 8a355240bc
SAML 2.0 SP Metadata Endpoint Support
Issue gh-8693
2020-08-05 10:08:47 -06:00
Josh Cummings 31bae546e2
Removed Unused Files
Saml2Utils and Saml2ServletUtils are no longer used

Issue gh-8768
2020-08-05 10:08:46 -06:00
Josh Cummings 5061ae9e79
Add Saml2AuthenticationTokenConverter
Closes gh-8768
2020-08-04 18:41:43 -06:00
Josh Cummings a10c2c6cf8
Polish DefaultSaml2AuthenticationRequestContextResolver
Issue gh-8360
Issue gh-8887
2020-08-04 17:29:13 -06:00
Josh Cummings 015281ff53
Add DefaultRelyingPartyRegistrationResolver
Closes gh-8887
2020-08-04 17:29:10 -06:00
Josh Cummings a402c3884a
Add ConditionValidator Support
Closes gh-8769
2020-08-04 13:05:23 -06:00
Josh Cummings d9d8253603
Polish OpenSamlAuthenticationProvider
Issue gh-8769
2020-08-04 13:05:23 -06:00
Josh Cummings a32de931d3
Polish Javadoc
Issue gh-6019
2020-07-28 16:04:06 -06:00
Josh Cummings 79dca94ce1
Simplify Tests
Issue gh-8772
2020-07-24 17:44:10 -06:00
Joakim Löfgren eccd929819 Update SimpleSaml2AuthenticatedPrincipal class name
Rename it to DefaultSaml2AuthenticatedPrincipal to be more in line with
the respective class in the OAuth2 module.

Also make the class public to be able to whitelist the SAML2 auth classes
in Jackson object mappers for deserialization in e.g. Spring Session MongoDB.

Closes gh-8852
2020-07-23 16:53:32 -06:00
Josh Cummings 08849e2652
Remove OpenSamlImplementation
Closes gh-8775
2020-07-23 16:09:02 -06:00
Josh Cummings 5779121da6
OpenSamlAuthenticationRequestFactory Uses OpenSAML Directly
Closes gh-8774
2020-07-23 16:09:02 -06:00
Josh Cummings 2e2da06bdb
OpenSamlAuthenticationProvider Uses OpenSAML Directly
Closes gh-8773
2020-07-23 16:09:02 -06:00
Josh Cummings 77128a94e2
Add OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter
Closes gh-8877
2020-07-23 15:32:22 -06:00
Josh Cummings 2276fcf34a
Add OpenSamlInitializationService
Closes gh-8772
2020-07-23 15:03:16 -06:00
Josh Cummings 43f2904059
Add ACS Location Default
Closes gh-8876
2020-07-23 15:03:16 -06:00
Josh Cummings 97ccbe5df2
Polish Saml2X509Credential Factories
Issue gh-8789
2020-07-20 15:50:16 -06:00
Thomas Vitale 3978cc591f
Add Static Factories to Saml2X509Credential
- Add static factories to Saml2X509Credential for verification, encryption,
signing, and decryption.
- Add unit tests for new static factories in Saml2X509Credential.

Fixes gh-8789
2020-07-20 15:29:48 -06:00
Josh Cummings 56928f61f0
Separate RP and AP Credentials
Closes gh-8788
2020-07-20 14:19:33 -06:00
Josh Cummings a54e77a3c3
Saml2AuthenticationToken takes a RelyingPartyRegistration
Closes gh-8845
2020-07-17 12:19:27 -06:00
Josh Cummings 44ec061f05
Add AssertionConsumerServiceBinding
Closes gh-8776
2020-07-16 16:22:38 -06:00
Josh Cummings 2c960d2ad1
Add AuthnRequestConsumerResolver
Closes gh-8141
2020-07-16 14:53:22 -06:00
Josh Cummings 2e5c87dc75
Restore Binary Compatibility
Issue gh-8835
2020-07-16 11:10:20 -06:00
Josh Cummings b02e344c73
Move Saml2Error
Move to core package

Closes gh-8835
2020-07-15 20:09:45 -06:00
Josh Cummings 5bfc6ea25a
Refactor OpenSamlAuthenticationProvider
Refactored into collaborators in preparation for introducing setters

Issue gh-8769
2020-07-14 18:15:18 -06:00
Josh Cummings 8e8a642e5a
Use Spec Language in RelyingPartyRegistration
Changed conventions to better follow the metadata descriptors that
the registration is meant to represent.

Closes gh-8777
2020-07-07 17:12:39 -06:00
Josh Cummings 146d0b6358
Revert "Lock Dependency Versions for 5.4.0-M2"
This reverts commit 68538897c8.
2020-07-01 13:11:50 -06:00
Josh Cummings 68538897c8
Lock Dependency Versions for 5.4.0-M2 2020-07-01 12:40:29 -06:00
Josh Cummings a344dbdb8c
Use AssertJ
Issue gh-3384
2020-06-18 11:54:33 -06:00
Josh Cummings 360db53dd2
Polish SAML Attribute Support
Issue gh-8661
2020-06-18 11:42:49 -06:00
Nikola Kostic eed33228f4
Add SAML Attribute Support
Closes gh-8661
2020-06-18 11:42:48 -06:00
Josh Cummings 8e7c4c143c
Add TestSaml2AuthenticationRequestContexts
Issue gh-8552
2020-05-18 21:08:03 -06:00
Josh Cummings 9241cd2892
Move TestRelyingPartyRegistrations
Fixes gh-8551
2020-05-18 16:38:40 -06:00
Josh Cummings 7c7934c052
Remove Extra TestSaml2X509Credentials
This class is a duplicate of the one already in
org.springframework.security.saml2.credentials

Issue gh-8404
2020-05-18 10:08:27 -06:00
Joe Grandja 86ca6b013c Unlock dependencies
This reverts commit 206960cf44.
2020-05-06 17:27:35 -04:00
Joe Grandja 206960cf44 Lock dependencies for 5.4.0-M1 2020-05-06 17:13:04 -04:00
Josh Cummings d4dbe069ad Polish OpenSamlAuthenticationProvider
- Use type-safe CriteriaSet
- Keep Assertion immutable

Closes gh-8471
2020-05-05 16:33:17 -04:00
Josh Cummings 1da694e19c
Remove TestSaml2SigningCredentials
Since TestSaml2X509Credentials is where tests get Saml2X509Credentials,
there is no reason for TestSaml2SigningCredentials.

Issue gh-8404
2020-04-17 15:46:19 -06:00
Josh Cummings ab772893c7
Polish DefaultSaml2AuthenticationRequestContextResolver
- Added more tests
- Standardized terminology

Issue gh-8360
2020-04-17 15:46:14 -06:00
shazin 8c0bdd50e2
Delegating Saml2AuthenticationRequestContext creation to Saml2AuthenticationRequestContextResolver
Saml2AuthenticationRequestContext creation logic is not extensible at
the moment as it is provided inside of Saml2WebSsoAuthenticationRequestFilter.
This change enables to custom logic to be used when creating Saml2AuthenticationRequestContext by
taking the logic from the aforementioned filter to a seperate extensible
API by the name Saml2AuthenticationRequestContextResolver.

This provides following API contract and implementation:

 - Saml2AuthenticationRequestContextResolver
 - DefaultSaml2AuthenticationRequestContextResolver

Fixes gh-8360
2020-04-17 15:40:24 -06:00
Josh Cummings 8904361a37
Polish Saml Tests
Fixes gh-8403
Fixes gh-8404
2020-04-16 17:10:51 -06:00
Josh Cummings 7056c2d9de
Polish OpenSamlAuthenticationProviderTests
- Added missing this keywords
- Removed unused variables
- Coded to interfaces
- Added missing JavaDoc

Issue gh-6019
2020-04-16 17:09:46 -06:00
shazin 4e5a3a76cd
Open Saml2AuthenticationRequestContext
Fixed gh-8356
2020-04-13 23:58:12 -06:00
Josh Cummings 95f0d02d79
Polish Saml2WebSsoAuthenticationRequestFilter
- Updated formatting
- Reordered methods
- Removed a method

These changes will hopefully simplify future contribution.

Issue gh-6019
2020-04-08 16:27:46 -06:00
Josh Cummings 711954e016
Deprecate Saml2AuthenticationRequestFilter Constructor
Removing the default usage of OpenSamlAuthenticationRequestFactory.
Otherwise, the Open SAML dependency is required, even when
Saml2AuthenticationRequestFactory is implemented without it.

Fixes gh-8359
2020-04-08 16:27:46 -06:00
Josh Cummings 887cb99926
Saml2AuthenticationRequestFilter Tests
To confirm behavior still works as expected after making related changes.

Issue gh-8359
2020-04-08 16:27:46 -06:00
Josh Cummings 0ca65f8677
Add Missing JavaDoc
Issue gh-6019
2020-04-08 16:27:46 -06:00
Josh Cummings 7f2f210eb8
Simplify OpenSamlImplementation
- Removed reflection usage
- Simplified method signatures

Issue gh-7711
Fixes gh-8147
2020-03-20 12:13:14 -06:00
Josh Cummings 088ea07f07
Simplify Saml2ServletUtils
Removed one method as well as a parameter from another method

Issue gh-7711
2020-03-20 12:13:14 -06:00
Josh Cummings 6eadf7b140
Unlock dependencies for 5.3.0.RELEASE
This reverts commit 147d7dadd7.
2020-03-04 12:02:48 -07:00
Josh Cummings 147d7dadd7
Lock dependencies for 5.3.0.RELEASE 2020-03-04 10:28:39 -07:00
Filip Hanik 3257349045 Support POST binding for AuthNRequest
Has been tested with

- Keycloak
- SSOCircle
- Okta
- SimpleSAMLPhp

This PR extends (builds on previous commits and adds user configuration
options)
https://github.com/spring-projects/spring-security/pull/7758
2020-02-28 09:15:26 -08:00
Filip Hanik a51a202925 Correct signature handling for SAML2 AuthNRequest
Implements the following bindings for AuthNRequest
- REDIRECT
- POST (future PR)

Has been tested with
- Keycloak
- SSOCircle
- Okta
- SimpleSAMLPhp

Fixes gh-7711
2020-02-12 13:30:48 -08:00
Filip Hanik 43098d41cc Revert "Correct signature handling for SAML2 AuthNRequest"
This reverts commit a3e09fadd7.
Build failure on Java 9+

XML generation does not add linefeeds by default
Change since Java 8
2020-02-12 13:30:48 -08:00
Filip Hanik a3e09fadd7 Correct signature handling for SAML2 AuthNRequest
Implements the following bindings for AuthNRequest
- REDIRECT
- POST (future PR)

Has been tested with
- Keycloak
- SSOCircle
- Okta
- SimpleSAMLPhp

Fixes gh-7711
2020-02-12 11:40:19 -08:00
Eleftheria Stein 84b8a5abd7 Unlock dependencies for next development version
This reverts commit 064616f1ef.
2020-02-05 15:53:04 +01:00
Eleftheria Stein 064616f1ef Lock dependencies for 5.3.0.RC1 2020-02-05 10:20:05 +01:00
Eleftheria Stein 5678490c1f Add relying party registration not found exception
Fixes: gh-7865
2020-02-04 09:58:54 +01:00
Eleftheria Stein fcc6457bef Unlock dependencies for next development version
This reverts commit 93acf8f0f1.
2020-01-08 22:15:17 +01:00
Eleftheria Stein 93acf8f0f1 Lock dependencies for 5.3.0.M1 2020-01-08 19:41:10 +01:00
Filip Hanik 9d26f12e86 Add an example of Base64 encoding that failed with java.util.Base64
Revert usage to Apache Commons Codec (dependency by OpenSaml)
2020-01-01 15:45:10 -08:00
Filip Hanik af415948b1 Allow configuration of AuthenticationManagerResolver in saml2Login()
Fixes gh-7654

https://github.com/spring-projects/spring-security/issues/7654
2019-12-17 13:34:27 -08:00
Eleftheria Stein da3f18017d Polish SAML2 principal classes
Update @since

Issue: gh-7681
2019-12-12 20:22:58 +01:00
Clement Stoquart 31b999e9b4 fix: make Saml2Authentication serializable 2019-12-12 17:11:00 +01:00
Clement Stoquart 0c47bfb1e3 Remove empty relay state from redirect url 2019-12-10 09:49:54 -08:00
Filip Hanik 0cafcf37e2 Make the loginProcessingUrl configurable for saml2Login()
Fixes gh-7565

https://github.com/spring-projects/spring-security/issues/7565
2019-10-31 08:20:12 -07:00
Mike Truso a4430aa21b Fix variable reference in sample code 2019-10-29 14:04:05 -06:00
Filip Hanik 0f14844acf We will not validate IP addresses as part of assertion validation
Fixes gh-7514

https://github.com/spring-projects/spring-security/issues/7514
2019-10-28 20:08:42 -07:00
Brendt Lucas 8ebfba3019 Support configuration of protocol binding for authentication requests 2019-10-15 15:57:45 -05:00
Filip Hanik 83b5f5c7ae Improve the Saml2AuthenticationRequest object
- introduce the AssertionConsumerServiceURL attribute
- add javadoc
- align property name with SAML XML for AuthNRequest
2019-09-30 11:01:34 -07:00
Filip Hanik 9731386de5 Correctly set "Destination" in AuthNRequest message
Fixes gh-7494
https://github.com/spring-projects/spring-security/issues/7494
2019-09-30 11:01:34 -07:00
Filip Hanik 69eacac514 Fix javadoc for RelyingPartyRegistrationRepository 2019-09-30 09:22:36 -07:00
Filip Hanik 7adb4da3ef Always require signature on either response or assertion
Fixes gh-7490
https://github.com/spring-projects/spring-security/issues/7490
2019-09-30 09:22:36 -07:00
Filip Hanik 22da2b45c9 SAML Assertion validation should propagate errors: #7375 and #7375
Fixes gh-7377
Fixes gh-7375

https://github.com/spring-projects/spring-security/issues/7377
https://github.com/spring-projects/spring-security/issues/7375

Clean up code

- Authentication request factory should only throw Saml2Exception
- OpenSamlImplementation should only throw Saml2Exception
- Move the OpenSamlImplementation package private methods to the right
section
2019-09-27 09:07:25 -07:00
Filip Hanik b6a057a925 OpenSAML expects type `long` representing millis for response time validation skew
Fixes gh-7448

https://github.com/spring-projects/spring-security/issues/7448
2019-09-27 09:07:25 -07:00
Filip Hanik adde18b873 Revert "Merge pull request #7432 from fhanik/feature/propagate_saml_authentication_exception"
This reverts commit e9619fb0e7, reversing
changes made to 45a1490d5d.
2019-09-24 16:05:09 -07:00
Filip Hanik d472e99528 SAML Assertion validation should propagate errors: #7375 and #7375
Fixes gh-7377
Fixes gh-7375

https://github.com/spring-projects/spring-security/issues/7377
https://github.com/spring-projects/spring-security/issues/7375
2019-09-24 14:40:39 -07:00
Filip Hanik 20033ffd4a OpenSAML expects type `long` representing millis for response time validation skew
Fixes gh-7448

https://github.com/spring-projects/spring-security/issues/7448
2019-09-24 14:40:39 -07:00
Filip Hanik 438ae215f8 Upgrade to OpenSAML 3.4.3
Fixes gh-7392
2019-09-06 08:04:15 -07:00
Josh Cummings c716b400a1
Update to OpenSaml 3.3.1
Fixes gh-7388
2019-09-06 07:20:13 -06:00
Filip Hanik e9a44bc0ce HttpSecurity.saml2login() - MVP Core Code
Implements minimal SAML 2.0 login/authentication functionality with the
following feature set:

  - Supports IDP initiated login at the default url of /login/saml2/sso/{registrationId}
  - Supports SP initiated login at the default url of /saml2/authenticate/{registrationId}
  - Supports basic java-configuration via DSL
  - Provides an integration sample using Spring Boot

Not implemented with this MVP

  - Single Logout
  - Dynamic Service Provider Metadata

Fixes gh-6019
2019-09-05 14:40:08 -07:00