
Always require signature on either response or assertion

Fixes gh-7490
https://github.com/spring-projects/spring-security/issues/7490
Filip Hanik
2019-09-28 11:52:53 -07:00
parent d83aa34dde
commit 7adb4da3ef
3 changed files with 40 additions and 4 deletions
@@ -163,14 +163,15 @@ public class Saml2LoginIntegrationTests {
EncryptedAssertion encryptedAssertion =
OpenSamlActionTestingSupport.encryptAssertion(assertion, decodeCertificate(spCertificate));
Response response = buildResponse(encryptedAssertion);
signXmlObject(assertion, getSigningCredential(idpCertificate, idpPrivateKey, UsageType.SIGNING));
signXmlObject(response, getSigningCredential(idpCertificate, idpPrivateKey, UsageType.SIGNING));
sendResponse(response, "/")
.andExpect(authenticated().withUsername(USERNAME));
}
@Test
public void authenticateWhenResponseIsNotSignedAndAssertionIsEncryptedThenItSucceeds() throws Exception {
public void authenticateWhenResponseIsNotSignedAndAssertionIsEncryptedAndSignedThenItSucceeds() throws Exception {
Assertion assertion = buildAssertion(USERNAME);
signXmlObject(assertion, getSigningCredential(idpCertificate, idpPrivateKey, UsageType.SIGNING));
EncryptedAssertion encryptedAssertion =
OpenSamlActionTestingSupport.encryptAssertion(assertion, decodeCertificate(spCertificate));
Response response = buildResponse(encryptedAssertion);
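Review bot: The renamed test `authenticateWhenResponseIsNotSignedAndAssertionIsEncryptedAndSignedThenItSucceeds` covers only the accepting path, and no rejecting counterpart is visible in this hunk. Judging by the old test name, an unsigned response carrying an encrypted assertion that was never signed appears to have been accepted before this commit, so that input deserves its own test expecting an unauthenticated result (it may exist in the other changed files, which are not shown here). I would also add a comment above the new `signXmlObject(assertion, ...)` line, for example `// sign before encrypting: the response stays unsigned, so this is the only signature the SP can verify`, because the ordering relative to `encryptAssertion` is what makes the test meaningful. The method body continues past the end of the hunk, so whether the response is left unsigned is inferred from the test name.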