
Always require signature on either response or assertion

Fixes gh-7490
https://github.com/spring-projects/spring-security/issues/7490
This commit is contained in:
Filip Hanik
2019-09-28 11:52:53 -07:00
parent d83aa34dde
commit 7adb4da3ef
3 changed files with 40 additions and 4 deletions
@@ -254,7 +254,7 @@ public final class OpenSamlAuthenticationProvider implements AuthenticationProvi
}
try {
Assertion a = decrypt(token, ea);
validateAssertion(recipient, a, token, false);
validateAssertion(recipient, a, token, !responseSigned);
return a;
} catch (Saml2AuthenticationException e) {
lastValidationError = e;
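Review bot: The line replacing the literal `false` with `!responseSigned` encodes the whole security invariant of this fix but carries no comment, so the next reader has to reconstruct why an assertion is sometimes allowed to be unsigned; I would add `// an unsigned response must carry a signed assertion; a verified response signature covers the assertions it wraps` directly above the `validateAssertion` call. Because `responseSigned` is computed outside this hunk, it is worth confirming that it means the response signature was actually verified against the asserting party's credentials and not merely that a `Signature` element is present, since an attacker-supplied signature would otherwise disable the assertion-level check. The failure is caught and stored in `lastValidationError`, which suggests the surrounding loop keeps trying other assertions, so an `INVALID_SIGNATURE` on one assertion may be masked by a later one that passes; that behaviour predates this commit but is worth a note. The enclosing method begins and ends outside this hunk.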
@@ -216,12 +216,47 @@ public class OpenSamlAuthenticationProviderTests {
}
@Test
public void authenticateWhenEncryptedAssertionWithoutSignatureThenItSucceeds() throws Exception {
public void authenticateWhenEncryptedAssertionWithoutSignatureThenItFails() throws Exception {
Response response = response(recipientUri, idpEntityId);
Assertion assertion = defaultAssertion();
EncryptedAssertion encryptedAssertion = encryptAssertion(assertion, assertingPartyCredentials());
response.getEncryptedAssertions().add(encryptedAssertion);
token = responseXml(response, idpEntityId);
exception.expect(
authenticationMatcher(
Saml2ErrorCodes.INVALID_SIGNATURE
)
);
provider.authenticate(token);
}
@Test
public void authenticateWhenEncryptedAssertionWithSignatureThenItSucceeds() throws Exception {
Response response = response(recipientUri, idpEntityId);
Assertion assertion = defaultAssertion();
signXmlObject(
assertion,
assertingPartyCredentials(),
recipientEntityId
);
EncryptedAssertion encryptedAssertion = encryptAssertion(assertion, assertingPartyCredentials());
response.getEncryptedAssertions().add(encryptedAssertion);
token = responseXml(response, idpEntityId);
provider.authenticate(token);
}
@Test
public void authenticateWhenEncryptedAssertionWithResponseSignatureThenItSucceeds() throws Exception {
Response response = response(recipientUri, idpEntityId);
Assertion assertion = defaultAssertion();
EncryptedAssertion encryptedAssertion = encryptAssertion(assertion, assertingPartyCredentials());
response.getEncryptedAssertions().add(encryptedAssertion);
signXmlObject(
response,
assertingPartyCredentials(),
recipientEntityId
);
token = responseXml(response, idpEntityId);
provider.authenticate(token);
}
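Review bot: The two new success-path tests (`...WithSignatureThenItSucceeds` and `...WithResponseSignatureThenItSucceeds`) discard the result of `provider.authenticate(token)`, so they only prove that no exception is thrown, not that a usable authentication comes back; I would capture it as `Authentication result = provider.authenticate(token);` and assert it is non-null and authenticated, using whichever assertion style the rest of this class already uses. The renamed failing test pins `Saml2ErrorCodes.INVALID_SIGNATURE`, which is the right code for the new requirement. There is no test in this hunk for a response that is signed and also carries a signed encrypted assertion, nor for a response whose signature does not verify while the encrypted assertion is unsigned; the latter is the case that would catch a `responseSigned` flag that reflects presence rather than verification, if it is not covered elsewhere in the file. The enclosing test class continues past the end of this hunk.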