From a884a45cb7b3444c8c5e0a40701e25d6c1b21e36 Mon Sep 17 00:00:00 2001
From: Roman_Dyndyn
Date: Thu, 12 Oct 2023 10:46:44 +0300
Subject: [PATCH] Fix parsing of GET SAML logout requests

---
 ...outRequestValidatorParametersResolver.java | 2 +-
 ...questValidatorParametersResolverTests.java | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolver.java
index cb7dd845fc..7e005c79d2 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolver.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolver.java
@@ -200,7 +200,7 @@ public final class OpenSamlLogoutRequestValidatorParametersResolver
 }
 
 private String inflateIfRequired(HttpServletRequest request, byte[] b) {
- if (HttpMethod.GET.equals(request.getMethod())) {
+ if (HttpMethod.GET.matches(request.getMethod())) {
 return Saml2Utils.samlInflate(b);
 }
 return new String(b, StandardCharsets.UTF_8);
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolverTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolverTests.java
index 5ea3b4e4c3..8e2ae5a393
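Review bot: The corrected `matches` check now sends every GET through `Saml2Utils.samlInflate(b)`, and on the redirect binding that byte array is attacker-supplied DEFLATE data that is decompressed before anything about the request can have been validated; if `samlInflate` (not visible in this hunk) does not cap its output size, a few hundred bytes of input can inflate into a very large in-memory String, so it is worth confirming that a bound exists. The fix itself is right — `HttpMethod.GET.equals(request.getMethod())` compared an `HttpMethod` with a `String` and could never be true, so GET logout requests were previously never inflated — and `matches` is a case-sensitive name comparison, which is correct for HTTP method names. The branch would benefit from a comment stating the binding assumption it encodes: `// Redirect binding (GET) carries SAMLRequest DEFLATE-compressed; POST binding carries it as plain UTF-8`. The closing brace of `inflateIfRequired` lies outside the hunk.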
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolverTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestValidatorParametersResolverTests.java
@@ -115,6 +115,21 @@ public final class OpenSamlLogoutRequestValidatorParametersResolverTests {
 assertThat(parameters.getLogoutRequest().getSamlRequest()).isEqualTo(encoded);
 }
 
+ @Test
+ void saml2LogoutResolveWhenUnauthenticatedGetRequestThenInflates() {
+ String registrationId = this.registration.getRegistrationId();
+ MockHttpServletRequest request = get("/logout/saml2/slo");
+ String logoutRequest = serialize(TestOpenSamlObjects.logoutRequest());
+ String encoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(logoutRequest));
+ request.setParameter(Saml2ParameterNames.SAML_REQUEST, encoded);
+ given(this.registrations.findUniqueByAssertingPartyEntityId(TestOpenSamlObjects.ASSERTING_PARTY_ENTITY_ID))
+ .willReturn(this.registration);
+ Saml2LogoutRequestValidatorParameters parameters = this.resolver.resolve(request, null);
+ assertThat(parameters.getAuthentication()).isNull();
+ assertThat(parameters.getRelyingPartyRegistration().getRegistrationId()).isEqualTo(registrationId);
+ assertThat(parameters.getLogoutRequest().getSamlRequest()).isEqualTo(encoded);
+ }
+
 @Test
 void saml2LogoutRegistrationIdResolveWhenNoMatchingRegistrationIdThenSaml2Exception() {
 MockHttpServletRequest request = post("/logout/saml2/slo/id");
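Review bot: The new test's final assertion only checks that the encoded parameter round-trips unchanged (`getSamlRequest()` equals `encoded`), which, judging by the identical assertion in the POST test above it, holds regardless of whether the body was inflated; the evidence that the GET path actually parsed the inflated XML is the issuer lookup on `this.registrations`, and that is only stubbed with `given(...)`, never verified. If Mockito's `verify` is already imported in this class, adding `verify(this.registrations).findUniqueByAssertingPartyEntityId(TestOpenSamlObjects.ASSERTING_PARTY_ENTITY_ID);` after the `resolve` call would pin that the asserting-party entity ID was read out of the decompressed request. There is also no negative case for the redirect binding — a GET whose `SAMLRequest` is base64 but not deflated — so how the resolver fails on malformed compressed input remains untested.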
@@ -129,6 +144,12 @@ public final class OpenSamlLogoutRequestValidatorParametersResolverTests {
 return request;
 }
 
+ private MockHttpServletRequest get(String uri) {
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", uri);
+ request.setServletPath(uri);
+ return request;
+ }
+
 private String serialize(XMLObject object) {
 try {
 Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(object);
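Review bot: The new `get` helper appears to duplicate the `post` helper whose closing lines `return request; }` open this hunk (its body starts outside the hunk), differing only in the method name passed to `MockHttpServletRequest`. A single `private MockHttpServletRequest request(String method, String uri)` holding the constructor and `setServletPath` call, with `get` and `post` reduced to `return request("GET", uri);` and `return request("POST", uri);`, would keep the two from drifting apart. The `request.setServletPath(uri)` line also deserves a short why-comment, since it is presumably what the resolver's path matching keys on: `// resolver matching is driven by the servlet path, so set it explicitly on the mock`.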