From d3b143dab6ea952d6d1af9058f14805bfd425473 Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Thu, 14 Aug 2025 18:03:44 -0600 Subject: [PATCH] Move SAML 2.0 Migration Step Issue gh-17099 --- .../ROOT/pages/migration/servlet/oauth2.adoc | 37 ------------------- .../ROOT/pages/migration/servlet/saml2.adoc | 37 +++++++++++++++++++ 2 files changed, 37 insertions(+), 37 deletions(-) diff --git a/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc b/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc index 1d6690f0fc..7594dda0a4 100644 --- a/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc +++ b/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc @@ -79,43 +79,6 @@ fun jwtDecoder(): JwtDecoder { <1> - `validateTypes` now defaults to `false` <2> - `JwtTypeValidator#jwt` is added by all `createDefaultXXX` methods -== Do Not Process `` GET Requests with `Saml2AuthenticationTokenConverter` - -Spring Security does not support processing `` payloads over GET as this is not supported by the SAML 2.0 spec. - -To better comply with this, `Saml2AuthenticationTokenConverter` and `OpenSaml5AuthenticationTokenConverter` will not process GET requests by default as of Spring Security 8. -To prepare for this, the property `shouldConvertGetRequests` is available. -To use it, publish your own converter like so: - -[tabs] -====== -Java:: -+ -[source,java,role="primary"] ----- -@Bean -OpenSaml5AuthenticationTokenConverter authenticationConverter(RelyingPartyRegistrationRepository registrations) { - OpenSaml5AuthenticationTokenConverter authenticationConverter = new OpenSaml5AuthenticationTokenConverter(registrations); - authenticationConverter.setShouldConvertGetRequests(false); - return authenticationConverter; -} ----- - -Kotlin:: -+ -[source,kotlin,role="secondary"] ----- -@Bean -fun authenticationConverter(val registrations: RelyingPartyRegistrationRepository): Saml2AuthenticationTokenConverter { - val authenticationConverter = Saml2AuthenticationTokenConverter(registrations) - authenticationConverter.setShouldConvertGetRequests(false) - return authenticationConverter -} ----- -====== - -If you must continue using `Saml2AuthenticationTokenConverter` or `OpenSaml5AuthenticationTokenConverter` to process GET requests, you can call `setShouldConvertGetRequests` to `true.` - == Provide an AuthenticationConverter to BearerTokenAuthenticationFilter In Spring Security 7, `BearerTokenAuthenticationFilter#setBearerTokenResolver` and `#setAuthenticaionDetailsSource` are deprecated in favor of configuring those on `BearerTokenAuthenticationConverter`. diff --git a/docs/modules/ROOT/pages/migration/servlet/saml2.adoc b/docs/modules/ROOT/pages/migration/servlet/saml2.adoc index 8ca5cc3d55..b30f59ef2f 100644 --- a/docs/modules/ROOT/pages/migration/servlet/saml2.adoc +++ b/docs/modules/ROOT/pages/migration/servlet/saml2.adoc @@ -108,3 +108,40 @@ fun authenticationProvider(): OpenSaml5AuthenticationProvider { ====== If you are constructing a `Saml2Authentication` instance yourself, consider changing to `Saml2AssertionAuthentication` to get the same benefit as the current default. + +== Do Not Process `` GET Requests with `Saml2AuthenticationTokenConverter` + +Spring Security does not support processing `` payloads over GET as this is not supported by the SAML 2.0 spec. + +To better comply with this, `Saml2AuthenticationTokenConverter` and `OpenSaml5AuthenticationTokenConverter` will not process GET requests by default as of Spring Security 8. +To prepare for this, the property `shouldConvertGetRequests` is available. +To use it, publish your own converter like so: + +[tabs] +====== +Java:: ++ +[source,java,role="primary"] +---- +@Bean +OpenSaml5AuthenticationTokenConverter authenticationConverter(RelyingPartyRegistrationRepository registrations) { + OpenSaml5AuthenticationTokenConverter authenticationConverter = new OpenSaml5AuthenticationTokenConverter(registrations); + authenticationConverter.setShouldConvertGetRequests(false); + return authenticationConverter; +} +---- + +Kotlin:: ++ +[source,kotlin,role="secondary"] +---- +@Bean +fun authenticationConverter(val registrations: RelyingPartyRegistrationRepository): Saml2AuthenticationTokenConverter { + val authenticationConverter = Saml2AuthenticationTokenConverter(registrations) + authenticationConverter.setShouldConvertGetRequests(false) + return authenticationConverter +} +---- +====== + +If you must continue using `Saml2AuthenticationTokenConverter` or `OpenSaml5AuthenticationTokenConverter` to process GET requests, you can call `setShouldConvertGetRequests` to `true.`