diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2WebSsoAuthenticationRequestFilter.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2WebSsoAuthenticationRequestFilter.java index 591040b410..93c7df405b 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2WebSsoAuthenticationRequestFilter.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2WebSsoAuthenticationRequestFilter.java @@ -24,17 +24,17 @@ import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; -import org.springframework.http.MediaType; import org.springframework.security.saml2.core.Saml2ParameterNames; import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest; import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest; import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration; import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver; +import org.springframework.security.web.FormPostRedirectStrategy; +import org.springframework.security.web.RedirectStrategy; import org.springframework.util.Assert; import org.springframework.util.StringUtils; import org.springframework.web.filter.OncePerRequestFilter; -import org.springframework.web.util.HtmlUtils; import org.springframework.web.util.UriComponentsBuilder; import org.springframework.web.util.UriUtils; @@ -67,6 +67,8 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter private Saml2AuthenticationRequestRepository authenticationRequestRepository = new HttpSessionSaml2AuthenticationRequestRepository(); + private final RedirectStrategy formPostRedirectStrategy = new FormPostRedirectStrategy(); + /** * Construct a {@link Saml2WebSsoAuthenticationRequestFilter} with the strategy for * resolving the {@code AuthnRequest} @@ -132,54 +134,11 @@ public class Saml2WebSsoAuthenticationRequestFilter extends OncePerRequestFilter private void sendPost(HttpServletRequest request, HttpServletResponse response, Saml2PostAuthenticationRequest authenticationRequest) throws IOException { this.authenticationRequestRepository.saveAuthenticationRequest(authenticationRequest, request, response); - String html = createSamlPostRequestFormData(authenticationRequest); - response.setContentType(MediaType.TEXT_HTML_VALUE); - response.getWriter().write(html); - } - - private String createSamlPostRequestFormData(Saml2PostAuthenticationRequest authenticationRequest) { - String authenticationRequestUri = authenticationRequest.getAuthenticationRequestUri(); - String relayState = authenticationRequest.getRelayState(); - String samlRequest = authenticationRequest.getSamlRequest(); - StringBuilder html = new StringBuilder(); - html.append("\n"); - html.append("\n").append(" \n"); - html.append(" ex.getSaml2Error().getErrorCode().equals(Saml2ErrorCodes.INVALID_REQUEST))); @@ -194,7 +194,7 @@ public class Saml2LogoutRequestFilterTests { this.logoutRequestProcessingFilter.doFilterInternal(request, response, new MockFilterChain()); - checkResponse(response.getContentAsString(), registration); + checkResponse(response, registration); verify(this.logoutResponseResolver).resolve(any(), any(), argThat((ex) -> ex.getSaml2Error().getErrorCode().equals(Saml2ErrorCodes.INVALID_DESTINATION))); verifyNoInteractions(this.logoutHandler); @@ -225,7 +225,7 @@ public class Saml2LogoutRequestFilterTests { this.logoutRequestProcessingFilter.doFilterInternal(request, response, new MockFilterChain()); - checkResponse(response.getContentAsString(), registration); + checkResponse(response, registration); verify(this.logoutResponseResolver).resolve(any(), any(), argThat((ex) -> ex.getSaml2Error().getErrorCode().equals(Saml2ErrorCodes.INVALID_REQUEST))); verifyNoInteractions(this.logoutHandler); @@ -259,15 +259,14 @@ public class Saml2LogoutRequestFilterTests { verifyNoInteractions(this.logoutHandler); } - private void checkResponse(String responseContent, RelyingPartyRegistration registration) { + private void checkResponse(MockHttpServletResponse response, RelyingPartyRegistration registration) + throws Exception { + String responseContent = response.getContentAsString(); assertThat(responseContent).contains(Saml2ParameterNames.SAML_RESPONSE); assertThat(responseContent) .contains(registration.getAssertingPartyMetadata().getSingleLogoutServiceResponseLocation()); - assertThat(responseContent).contains( - "