1
0
mirror of synced 2026-07-08 20:30:04 +00:00

Compare commits

..

25 Commits

Author SHA1 Message Date
Marcus Da Coregio fa0e06ebdc Release 5.6.3 2022-04-18 11:59:42 -03:00
Marcus Da Coregio 6724627b50 Update spring-ldap-core to 2.3.7.RELEASE
Closes gh-11127
2022-04-18 11:45:27 -03:00
Marcus Da Coregio 4aab7b06a9 Update org.springframework.data to 2021.1.3
Closes gh-11126
2022-04-18 11:45:24 -03:00
Marcus Da Coregio d0d4d58c48 Update org.springframework to 5.3.19
Closes gh-11125
2022-04-18 11:45:22 -03:00
Marcus Da Coregio 29be60d035 Update hibernate-entitymanager to 5.6.8.Final
Closes gh-11124
2022-04-18 11:45:19 -03:00
Marcus Da Coregio 5024103b07 Update org.eclipse.jetty to 9.4.46.v20220331
Closes gh-11123
2022-04-18 11:45:17 -03:00
Marcus Da Coregio d0327807a7 Update org.aspectj to 1.9.9.1
Closes gh-11122
2022-04-18 11:45:14 -03:00
Marcus Da Coregio f880f1ba26 Update io.rsocket to 1.1.2
Closes gh-11121
2022-04-18 11:45:12 -03:00
Marcus Da Coregio 71dafc0c06 Update io.projectreactor to 2020.0.18
Closes gh-11119
2022-04-18 11:45:07 -03:00
Marcus Da Coregio 7d9357b871 Update mockk to 1.12.3
Closes gh-11118
2022-04-18 11:45:05 -03:00
Marcus Da Coregio 0b02bbecd1 Update jackson-bom to 2.13.2.20220328
Closes gh-11115
2022-04-18 11:44:57 -03:00
Marcus Da Coregio 932a5cc8b4 Update logback-classic to 1.2.11
Closes gh-11114
2022-04-18 11:44:55 -03:00
Simone Giannino e4a321511a Update saganCreateRelease property referenceDocUrl
- Updated saganCreateRelease task with the new referenceDocUrl for reference documentation

Closes gh-11016
2022-04-01 13:08:18 -03:00
Johannes Graf 4ee5800ec9 use okta as registration id
looks like `ping` is some registration id used in the past.

Closes gh-11034
2022-03-30 14:41:03 -06:00
Marcus Da Coregio c67632225d Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator
Closes gh-10908
2022-03-28 10:13:40 -03:00
Rob Winch 6e45a376cd Remove "Hi ... there" From Docs
Close gh-10963
2022-03-11 13:42:38 -06:00
Marcus Da Coregio 70b67cd2f1 AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains
Closes gh-10950
2022-03-09 15:22:21 -03:00
Josh Cummings 304e89041c Polish Formatting
Issue gh-10799
2022-03-02 16:40:13 -07:00
Sander van Schouwenburg f1a76efc2d Preserve order of RelyingPartRegistration credentials
Issue gh-10799
2022-03-02 16:40:13 -07:00
Josh Cummings 963251314b Replace Apache Commons Base64 Decoding
Issue gh-10923
2022-03-02 16:40:11 -07:00
Josh Cummings ee061f3659 Use RFC2045 Encoding for SAML 2.0 Logout
Closes gh-10923
2022-03-02 16:39:31 -07:00
Talerngpong Virojwutikul 440ffce2eb Update PasswordEncoder declaration
Closes gh-10910
2022-03-01 07:50:55 -07:00
Filip Hanik 47871562ca Change HashSet to LinkedHashSet
For various RelyingPartyRegistration.credentials to preserve order of insertion.

Issue gh-10799
2022-02-28 15:02:03 -07:00
Josh Cummings f0c548cee7 Invert Log Messages
Closes gh-10909
2022-02-28 13:17:01 -07:00
Marcus Da Coregio 1a32b399e6 Next development version 2022-02-21 10:49:06 -03:00
24 changed files with 259 additions and 61 deletions
+1 -1
View File
@@ -35,7 +35,7 @@ repositories {
}
tasks.named("saganCreateRelease") {
referenceDocUrl = "https://docs.spring.io/spring-security/site/docs/{version}/reference/html5/"
referenceDocUrl = "https://docs.spring.io/spring-security/reference/{version}/index.html"
apiDocUrl = "https://docs.spring.io/spring-security/site/docs/{version}/api/"
}
+1 -1
View File
@@ -80,7 +80,7 @@ dependencies {
implementation localGroovy()
implementation 'io.github.gradle-nexus:publish-plugin:1.1.0'
implementation 'io.projectreactor:reactor-core:3.4.15'
implementation 'io.projectreactor:reactor-core:3.4.17'
implementation 'gradle.plugin.org.gretty:gretty:3.0.1'
implementation 'com.apollographql.apollo:apollo-runtime:2.4.5'
implementation 'com.github.ben-manes:gradle-versions-plugin:0.38.0'
@@ -58,7 +58,7 @@ public class SaganApiTests {
Release release = new Release();
release.setVersion("5.6.0-SNAPSHOT");
release.setApiDocUrl("https://docs.spring.io/spring-security/site/docs/{version}/api/");
release.setReferenceDocUrl("https://docs.spring.io/spring-security/site/docs/{version}/reference/html5/");
release.setReferenceDocUrl("https://docs.spring.io/spring-security/reference/{version}/index.html");
this.sagan.createReleaseForProject(release, "spring-security");
RecordedRequest request = this.server.takeRequest(1, TimeUnit.SECONDS);
assertThat(request.getRequestUrl().toString()).isEqualTo(this.baseUrl + "/projects/spring-security/releases");
@@ -67,7 +67,7 @@ public class SaganApiTests {
assertThat(request.getBody().readString(Charset.defaultCharset())).isEqualToIgnoringWhitespace("{\n" +
" \"version\":\"5.6.0-SNAPSHOT\",\n" +
" \"current\":false,\n" +
" \"referenceDocUrl\":\"https://docs.spring.io/spring-security/site/docs/{version}/reference/html5/\",\n" +
" \"referenceDocUrl\":\"https://docs.spring.io/spring-security/reference/{version}/index.html\",\n" +
" \"apiDocUrl\":\"https://docs.spring.io/spring-security/site/docs/{version}/api/\"\n" +
"}");
}
@@ -253,7 +253,7 @@ public class Saml2LoginConfigurerTests {
public void authenticateWithInvalidDeflatedSAMLResponseThenFailureHandlerUses() throws Exception {
this.spring.register(CustomAuthenticationFailureHandler.class).autowire();
byte[] invalidDeflated = "invalid".getBytes();
String encoded = Saml2Utils.samlEncode(invalidDeflated);
String encoded = Saml2Utils.samlEncodeNotRfc2045(invalidDeflated);
MockHttpServletRequestBuilder request = get("/login/saml2/sso/registration-id").queryParam("SAMLResponse",
encoded);
this.mvc.perform(request);
+10 -10
View File
@@ -8,15 +8,15 @@ javaPlatform {
dependencies {
api platform("org.springframework:spring-framework-bom:$springFrameworkVersion")
api platform("io.projectreactor:reactor-bom:2020.0.16")
api platform("io.rsocket:rsocket-bom:1.1.1")
api platform("io.projectreactor:reactor-bom:2020.0.18")
api platform("io.rsocket:rsocket-bom:1.1.2")
api platform("org.junit:junit-bom:5.8.2")
api platform("org.springframework.data:spring-data-bom:2021.1.2")
api platform("org.springframework.data:spring-data-bom:2021.1.3")
api platform("org.jetbrains.kotlin:kotlin-bom:$kotlinVersion")
api platform("org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.5.2")
api platform("com.fasterxml.jackson:jackson-bom:2.13.1")
api platform("com.fasterxml.jackson:jackson-bom:2.13.2.20220328")
constraints {
api "ch.qos.logback:logback-classic:1.2.10"
api "ch.qos.logback:logback-classic:1.2.11"
api "com.google.inject:guice:3.0"
api "com.nimbusds:nimbus-jose-jwt:9.14"
api "com.nimbusds:oauth2-oidc-sdk:9.19"
@@ -25,7 +25,7 @@ dependencies {
api "com.unboundid:unboundid-ldapsdk:4.0.14"
api "commons-codec:commons-codec:1.15"
api "commons-collections:commons-collections:3.2.2"
api "io.mockk:mockk:1.12.2"
api "io.mockk:mockk:1.12.3"
api "io.projectreactor.tools:blockhound:1.0.6.RELEASE"
api "jakarta.inject:jakarta.inject-api:1.0.5"
api "jakarta.annotation:jakarta.annotation-api:1.3.5"
@@ -50,11 +50,11 @@ dependencies {
api "org.assertj:assertj-core:3.21.0"
api "org.bouncycastle:bcpkix-jdk15on:1.69"
api "org.bouncycastle:bcprov-jdk15on:1.69"
api "org.eclipse.jetty:jetty-server:9.4.45.v20220203"
api "org.eclipse.jetty:jetty-servlet:9.4.45.v20220203"
api "org.eclipse.jetty:jetty-server:9.4.46.v20220331"
api "org.eclipse.jetty:jetty-servlet:9.4.46.v20220331"
api "org.eclipse.persistence:javax.persistence:2.2.1"
api "org.hamcrest:hamcrest:2.2"
api "org.hibernate:hibernate-entitymanager:5.6.5.Final"
api "org.hibernate:hibernate-entitymanager:5.6.8.Final"
api "org.hsqldb:hsqldb:2.6.1"
api "org.jasig.cas.client:cas-client-core:3.6.4"
api "org.mockito:mockito-core:3.12.4"
@@ -71,7 +71,7 @@ dependencies {
api "org.skyscreamer:jsonassert:1.5.0"
api "org.slf4j:log4j-over-slf4j:1.7.36"
api "org.slf4j:slf4j-api:1.7.36"
api "org.springframework.ldap:spring-ldap-core:2.3.6.RELEASE"
api "org.springframework.ldap:spring-ldap-core:2.3.7.RELEASE"
api "org.synchronoss.cloud:nio-multipart-parser:1.1.0"
}
}
+1 -1
View File
@@ -1,2 +1,2 @@
name: ROOT
version: '5.6.2'
version: '5.6.3'
@@ -198,10 +198,13 @@ The password package of the spring-security-crypto module provides support for e
[source,java]
----
public interface PasswordEncoder {
String encode(CharSequence rawPassword);
String encode(String rawPassword);
boolean matches(CharSequence rawPassword, String encodedPassword);
boolean matches(String rawPassword, String encodedPassword);
default boolean upgradeEncoding(String encodedPassword) {
return false;
}
}
----
@@ -19,8 +19,6 @@ This also gives a good idea of the high level flow of authentication and how pie
[[servlet-authentication-securitycontextholder]]
== SecurityContextHolder
Hi {figures} there
At the heart of Spring Security's authentication model is the `SecurityContextHolder`.
It contains the <<servlet-authentication-securitycontext>>.
@@ -8,7 +8,7 @@ This filter by default responds to endpoint `+/saml2/authenticate/{registrationI
For example, if you were deployed to `https://rp.example.com` and you gave your registration an ID of `okta`, you could navigate to:
`https://rp.example.org/saml2/authenticate/ping`
`https://rp.example.org/saml2/authenticate/okta`
and the result would be a redirect that included a `SAMLRequest` parameter containing the signed, deflated, and encoded `<saml2:AuthnRequest>`.
+3 -3
View File
@@ -1,9 +1,9 @@
aspectjVersion=1.9.8
aspectjVersion=1.9.9.1
springJavaformatVersion=0.0.31
springBootVersion=2.4.2
springFrameworkVersion=5.3.16
springFrameworkVersion=5.3.19
openSamlVersion=3.4.6
version=5.6.2
version=5.6.3
kotlinVersion=1.5.32
samplesBranch=5.6.x
org.gradle.jvmargs=-Xmx3g -XX:MaxPermSize=2048m -XX:+HeapDumpOnOutOfMemoryError
@@ -19,13 +19,12 @@ package org.springframework.security.saml2.provider.service.authentication;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.Inflater;
import java.util.zip.InflaterOutputStream;
import org.apache.commons.codec.binary.Base64;
import org.springframework.security.saml2.Saml2Exception;
/**
@@ -33,17 +32,15 @@ import org.springframework.security.saml2.Saml2Exception;
*/
final class Saml2Utils {
private static Base64 BASE64 = new Base64(0, new byte[] { '\n' });
private Saml2Utils() {
}
static String samlEncode(byte[] b) {
return BASE64.encodeAsString(b);
return Base64.getMimeEncoder().encodeToString(b);
}
static byte[] samlDecode(String s) {
return BASE64.decode(s);
return Base64.getMimeDecoder().decode(s);
}
static byte[] samlDeflate(String s) {
@@ -40,11 +40,11 @@ final class Saml2Utils {
}
static String samlEncode(byte[] b) {
return Base64.getEncoder().encodeToString(b);
return Base64.getMimeEncoder().encodeToString(b);
}
static byte[] samlDecode(String s) {
return Base64.getDecoder().decode(s);
return Base64.getMimeDecoder().decode(s);
}
static byte[] samlDeflate(String s) {
@@ -21,7 +21,7 @@ import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
@@ -451,7 +451,7 @@ public final class RelyingPartyRegistration {
org.springframework.security.saml2.credentials.Saml2X509Credential credential) {
PrivateKey privateKey = credential.getPrivateKey();
X509Certificate certificate = credential.getCertificate();
Set<Saml2X509Credential.Saml2X509CredentialType> credentialTypes = new HashSet<>();
Set<Saml2X509Credential.Saml2X509CredentialType> credentialTypes = new LinkedHashSet<>();
if (credential.isSigningCredential()) {
credentialTypes.add(Saml2X509Credential.Saml2X509CredentialType.SIGNING);
}
@@ -471,7 +471,7 @@ public final class RelyingPartyRegistration {
Saml2X509Credential credential) {
PrivateKey privateKey = credential.getPrivateKey();
X509Certificate certificate = credential.getCertificate();
Set<org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType> credentialTypes = new HashSet<>();
Set<org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType> credentialTypes = new LinkedHashSet<>();
if (credential.isSigningCredential()) {
credentialTypes.add(
org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType.SIGNING);
@@ -696,9 +696,9 @@ public final class RelyingPartyRegistration {
private List<String> signingAlgorithms = new ArrayList<>();
private Collection<Saml2X509Credential> verificationX509Credentials = new HashSet<>();
private Collection<Saml2X509Credential> verificationX509Credentials = new LinkedHashSet<>();
private Collection<Saml2X509Credential> encryptionX509Credentials = new HashSet<>();
private Collection<Saml2X509Credential> encryptionX509Credentials = new LinkedHashSet<>();
private String singleSignOnServiceLocation;
@@ -1006,9 +1006,9 @@ public final class RelyingPartyRegistration {
private String entityId = "{baseUrl}/saml2/service-provider-metadata/{registrationId}";
private Collection<Saml2X509Credential> signingX509Credentials = new HashSet<>();
private Collection<Saml2X509Credential> signingX509Credentials = new LinkedHashSet<>();
private Collection<Saml2X509Credential> decryptionX509Credentials = new HashSet<>();
private Collection<Saml2X509Credential> decryptionX509Credentials = new LinkedHashSet<>();
private String assertionConsumerServiceLocation = "{baseUrl}/login/saml2/sso/{registrationId}";
@@ -1022,7 +1022,7 @@ public final class RelyingPartyRegistration {
private ProviderDetails.Builder providerDetails = new ProviderDetails.Builder();
private Collection<org.springframework.security.saml2.credentials.Saml2X509Credential> credentials = new HashSet<>();
private Collection<org.springframework.security.saml2.credentials.Saml2X509Credential> credentials = new LinkedHashSet<>();
private Builder(String registrationId) {
this.registrationId = registrationId;
@@ -40,11 +40,11 @@ final class Saml2Utils {
}
static String samlEncode(byte[] b) {
return Base64.getEncoder().encodeToString(b);
return Base64.getMimeEncoder().encodeToString(b);
}
static byte[] samlDecode(String s) {
return Base64.getDecoder().decode(s);
return Base64.getMimeDecoder().decode(s);
}
static byte[] samlDeflate(String s) {
@@ -19,28 +19,30 @@ package org.springframework.security.saml2.core;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.Inflater;
import java.util.zip.InflaterOutputStream;
import org.apache.commons.codec.binary.Base64;
import org.springframework.security.saml2.Saml2Exception;
public final class Saml2Utils {
private static Base64 BASE64 = new Base64(0, new byte[] { '\n' });
private Saml2Utils() {
}
@Deprecated
public static String samlEncodeNotRfc2045(byte[] b) {
return Base64.getEncoder().encodeToString(b);
}
public static String samlEncode(byte[] b) {
return BASE64.encodeAsString(b);
return Base64.getMimeEncoder().encodeToString(b);
}
public static byte[] samlDecode(String s) {
return BASE64.decode(s);
return Base64.getMimeDecoder().decode(s);
}
public static byte[] samlDeflate(String s) {
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -51,6 +51,10 @@ public final class TestSaml2X509Credentials {
return new Saml2X509Credential(idpCertificate(), Saml2X509CredentialType.VERIFICATION);
}
public static Saml2X509Credential relyingPartyEncryptingCredential() {
return new Saml2X509Credential(idpCertificate(), Saml2X509CredentialType.ENCRYPTION);
}
public static Saml2X509Credential relyingPartySigningCredential() {
return new Saml2X509Credential(spPrivateKey(), spCertificate(), Saml2X509CredentialType.SIGNING);
}
@@ -59,6 +63,16 @@ public final class TestSaml2X509Credentials {
return new Saml2X509Credential(spPrivateKey(), spCertificate(), Saml2X509CredentialType.DECRYPTION);
}
public static Saml2X509Credential altPublicCredential() {
return new Saml2X509Credential(altCertificate(), Saml2X509CredentialType.VERIFICATION,
Saml2X509CredentialType.ENCRYPTION);
}
public static Saml2X509Credential altPrivateCredential() {
return new Saml2X509Credential(altPrivateKey(), altCertificate(), Saml2X509CredentialType.SIGNING,
Saml2X509CredentialType.DECRYPTION);
}
private static X509Certificate certificate(String cert) {
ByteArrayInputStream certBytes = new ByteArrayInputStream(cert.getBytes());
try {
@@ -170,4 +184,40 @@ public final class TestSaml2X509Credentials {
+ "-----END PRIVATE KEY-----");
}
private static X509Certificate altCertificate() {
return certificate(
"-----BEGIN CERTIFICATE-----\n" + "MIICkDCCAfkCFEstVfmWSFQp/j88GaMUwqVK72adMA0GCSqGSIb3DQEBCwUAMIGG\n"
+ "MQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjESMBAGA1UEBwwJVmFu\n"
+ "Y291dmVyMR0wGwYDVQQKDBRTcHJpbmcgU2VjdXJpdHkgU0FNTDEMMAoGA1UECwwD\n"
+ "YWx0MSEwHwYDVQQDDBhhbHQuc3ByaW5nLnNlY3VyaXR5LnNhbWwwHhcNMjIwMjEw\n"
+ "MTY1ODA4WhcNMzIwMjEwMTY1ODA4WjCBhjELMAkGA1UEBhMCVVMxEzARBgNVBAgM\n"
+ "Cldhc2hpbmd0b24xEjAQBgNVBAcMCVZhbmNvdXZlcjEdMBsGA1UECgwUU3ByaW5n\n"
+ "IFNlY3VyaXR5IFNBTUwxDDAKBgNVBAsMA2FsdDEhMB8GA1UEAwwYYWx0LnNwcmlu\n"
+ "Zy5zZWN1cml0eS5zYW1sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9ZGWj\n"
+ "TPDsymQCJL044py4xLsBI/S9RvzNeR9oD/tHyoxCE+YZzjf0PyBtwqKzkKWqCPf4\n"
+ "XGUYHfEpkM5kJYwCW8TsOx5fnwLIQweiPqjYrBr/O0IjHMqYG9HlR/ros7iBt4ab\n"
+ "EGUu/B9yYg1YRYPxKQ6TNP3AD+9tBT8TsFFyjwIDAQABMA0GCSqGSIb3DQEBCwUA\n"
+ "A4GBAKJf2VHLjkCHRxlbWn63jGiquq3ENYgd1JS0DZ3ggFmuc6zQiqxzRGtArIDZ\n"
+ "0jH5nrG0jcvO0fqDqBQh0iT8thfUnkViAQvACZ9a+0x0NzUicJ+Ra51c8Z2enqbg\n"
+ "pXy+ga67HcAXrDekm1MCGCgiEb/Cgl41lsideqhC8Efl7PRN\n" + "-----END CERTIFICATE-----");
}
private static PrivateKey altPrivateKey() {
return privateKey(
"-----BEGIN PRIVATE KEY-----\n" + "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAL1kZaNM8OzKZAIk\n"
+ "vTjinLjEuwEj9L1G/M15H2gP+0fKjEIT5hnON/Q/IG3CorOQpaoI9/hcZRgd8SmQ\n"
+ "zmQljAJbxOw7Hl+fAshDB6I+qNisGv87QiMcypgb0eVH+uizuIG3hpsQZS78H3Ji\n"
+ "DVhFg/EpDpM0/cAP720FPxOwUXKPAgMBAAECgYEApYKslAZ0cer5dSoYNzNLFOnQ\n"
+ "J1H92r/Dw+k6+h0lUvr+keyD5T9jhM76DxHOUDBzpmIKGoDcVDQugk2rILfzXsQA\n"
+ "JtwvDRJk32Z02Vt0jb7t/WUOOQhjKCjQuv9/tOx90GCl0VxYG69UOjaMRWrlg/i9\n"
+ "6/zcTRIahIn5XxF0psECQQD7ivJCpDbOLJGsc8gNJR4cvjZ1q0mHIOrbKqJC0y1n\n"
+ "5DrzGEflPeyCUwnOKNp9HJQP8gmZzXfj0JM9KsjpiUChAkEAwL+FmhDoTiqStIrH\n"
+ "h9Kdnsev//imMmRHxjwDhntYvqavUsISRmY3imd8inoYq5dzWQMzBtoTyMRmqeLT\n"
+ "DHV1LwJAW4xaV37Eo4z9B7Kr4Hzd1MA1ueW5QQDt+Q4vN/r7z4/1FHyFzh0Xcucd\n"
+ "7nZX7qj0CkmgzOVG+Rb0P5LOxJA7gQJBAK1KQ2qNct375qPM9bEGSVGchH6k5X7+\n"
+ "q4ztHdpFgTb/EzdbZiTG935GpjC1rwJuinTnrHOnkwv4j7iDRm24GF8CQQDqPvrQ\n"
+ "GcItR6UUy0q/B8UxLzlE6t+HiznfiJKfyGgCHU56Y4/ZhzSQz2MZHz9SK4DsUL9s\n" + "bOYrWq8VY2fyjV1t\n"
+ "-----END PRIVATE KEY-----");
}
}
@@ -129,6 +129,23 @@ public class OpenSamlLogoutRequestValidatorTests {
assertThat(result.getErrors().iterator().next().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_DESTINATION);
}
// gh-10923
@Test
public void handleWhenLogoutResponseHasLineBreaksThenHandles() {
RelyingPartyRegistration registration = registration().build();
LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
sign(logoutRequest, registration);
String encoded = new StringBuffer(
Saml2Utils.samlEncode(serialize(logoutRequest).getBytes(StandardCharsets.UTF_8))).insert(10, "\r\n")
.toString();
Saml2LogoutRequest request = Saml2LogoutRequest.withRelyingPartyRegistration(registration).samlRequest(encoded)
.build();
Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(request,
registration, authentication(registration));
Saml2LogoutValidatorResult result = this.manager.validate(parameters);
assertThat(result.hasErrors()).isFalse();
}
private RelyingPartyRegistration.Builder registration() {
return signing(verifying(TestRelyingPartyRegistrations.noCredentials()))
.assertingPartyDetails((party) -> party.singleLogoutServiceBinding(Saml2MessageBinding.POST));
@@ -119,6 +119,24 @@ public class OpenSamlLogoutResponseValidatorTests {
assertThat(result.getErrors().iterator().next().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_RESPONSE);
}
// gh-10923
@Test
public void handleWhenLogoutResponseHasLineBreaksThenHandles() {
RelyingPartyRegistration registration = signing(verifying(registration())).build();
Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration).id("id")
.build();
LogoutResponse logoutResponse = TestOpenSamlObjects.assertingPartyLogoutResponse(registration);
sign(logoutResponse, registration);
String encoded = new StringBuilder(
Saml2Utils.samlEncode(serialize(logoutResponse).getBytes(StandardCharsets.UTF_8))).insert(10, "\r\n")
.toString();
Saml2LogoutResponse response = Saml2LogoutResponse.withRelyingPartyRegistration(registration)
.samlResponse(encoded).build();
Saml2LogoutResponseValidatorParameters parameters = new Saml2LogoutResponseValidatorParameters(response,
logoutRequest, registration);
this.manager.validate(parameters);
}
private RelyingPartyRegistration.Builder registration() {
return signing(verifying(TestRelyingPartyRegistrations.noCredentials()))
.assertingPartyDetails((party) -> party.singleLogoutServiceBinding(Saml2MessageBinding.POST));
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -18,7 +18,8 @@ package org.springframework.security.saml2.provider.service.registration;
import org.junit.jupiter.api.Test;
import org.springframework.security.saml2.credentials.TestSaml2X509Credentials;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.core.TestSaml2X509Credentials;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import static org.assertj.core.api.Assertions.assertThat;
@@ -81,9 +82,68 @@ public class RelyingPartyRegistrationTests {
RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistration.withRegistrationId("id")
.entityId("entity-id").assertionConsumerServiceLocation("location")
.assertingPartyDetails((assertingParty) -> assertingParty.entityId("entity-id")
.singleSignOnServiceLocation("location"))
.credentials((c) -> c.add(TestSaml2X509Credentials.relyingPartyVerifyingCredential())).build();
.singleSignOnServiceLocation("location").verificationX509Credentials(
(c) -> c.add(TestSaml2X509Credentials.relyingPartyVerifyingCredential())))
.build();
assertThat(relyingPartyRegistration.getAssertionConsumerServiceBinding()).isEqualTo(Saml2MessageBinding.POST);
}
@Test
public void buildPreservesCredentialsOrder() {
Saml2X509Credential altRpCredential = TestSaml2X509Credentials.altPrivateCredential();
Saml2X509Credential altApCredential = TestSaml2X509Credentials.altPublicCredential();
Saml2X509Credential verifyingCredential = TestSaml2X509Credentials.relyingPartyVerifyingCredential();
Saml2X509Credential encryptingCredential = TestSaml2X509Credentials.relyingPartyEncryptingCredential();
Saml2X509Credential signingCredential = TestSaml2X509Credentials.relyingPartySigningCredential();
Saml2X509Credential decryptionCredential = TestSaml2X509Credentials.relyingPartyDecryptingCredential();
// Test with the alt credentials first
RelyingPartyRegistration relyingPartyRegistration = TestRelyingPartyRegistrations.noCredentials()
.assertingPartyDetails((assertingParty) -> assertingParty.verificationX509Credentials((c) -> {
c.add(altApCredential);
c.add(verifyingCredential);
}).encryptionX509Credentials((c) -> {
c.add(altApCredential);
c.add(encryptingCredential);
})).signingX509Credentials((c) -> {
c.add(altRpCredential);
c.add(signingCredential);
}).decryptionX509Credentials((c) -> {
c.add(altRpCredential);
c.add(decryptionCredential);
}).build();
assertThat(relyingPartyRegistration.getSigningX509Credentials()).containsExactly(altRpCredential,
signingCredential);
assertThat(relyingPartyRegistration.getDecryptionX509Credentials()).containsExactly(altRpCredential,
decryptionCredential);
assertThat(relyingPartyRegistration.getAssertingPartyDetails().getVerificationX509Credentials())
.containsExactly(altApCredential, verifyingCredential);
assertThat(relyingPartyRegistration.getAssertingPartyDetails().getEncryptionX509Credentials())
.containsExactly(altApCredential, encryptingCredential);
// Test with the alt credentials last
relyingPartyRegistration = TestRelyingPartyRegistrations.noCredentials()
.assertingPartyDetails((assertingParty) -> assertingParty.verificationX509Credentials((c) -> {
c.add(verifyingCredential);
c.add(altApCredential);
}).encryptionX509Credentials((c) -> {
c.add(encryptingCredential);
c.add(altApCredential);
})).signingX509Credentials((c) -> {
c.add(signingCredential);
c.add(altRpCredential);
}).decryptionX509Credentials((c) -> {
c.add(decryptionCredential);
c.add(altRpCredential);
}).build();
assertThat(relyingPartyRegistration.getSigningX509Credentials()).containsExactly(signingCredential,
altRpCredential);
assertThat(relyingPartyRegistration.getDecryptionX509Credentials()).containsExactly(decryptionCredential,
altRpCredential);
assertThat(relyingPartyRegistration.getAssertingPartyDetails().getVerificationX509Credentials())
.containsExactly(verifyingCredential, altApCredential);
assertThat(relyingPartyRegistration.getAssertingPartyDetails().getEncryptionX509Credentials())
.containsExactly(encryptingCredential, altApCredential);
}
}
@@ -64,7 +64,7 @@ public class Saml2AuthenticationTokenConverterTests {
.willReturn(this.relyingPartyRegistration);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
Saml2Utils.samlEncodeNotRfc2045("response".getBytes(StandardCharsets.UTF_8)));
Saml2AuthenticationToken token = converter.convert(request);
assertThat(token.getSaml2Response()).isEqualTo("response");
assertThat(token.getRelyingPartyRegistration().getRegistrationId())
@@ -115,7 +115,7 @@ public class Saml2AuthenticationTokenConverterTests {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("GET");
byte[] deflated = Saml2Utils.samlDeflate("response");
String encoded = Saml2Utils.samlEncode(deflated);
String encoded = Saml2Utils.samlEncodeNotRfc2045(deflated);
request.setParameter(Saml2ParameterNames.SAML_RESPONSE, encoded);
Saml2AuthenticationToken token = converter.convert(request);
assertThat(token.getSaml2Response()).isEqualTo("response");
@@ -98,6 +98,29 @@ public class OpenSamlLogoutResponseResolverTests {
assertThat(logoutResponse.getStatus().getStatusCode().getValue()).isEqualTo(StatusCode.SUCCESS);
}
// gh-10923
@Test
public void resolvePostWithLineBreaksWhenAuthenticatedThenSuccess() {
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full()
.assertingPartyDetails((party) -> party.singleLogoutServiceBinding(Saml2MessageBinding.POST)).build();
MockHttpServletRequest request = new MockHttpServletRequest();
LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
String encoded = new StringBuffer(
Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes())).insert(10, "\r\n")
.toString();
request.setParameter(Saml2ParameterNames.SAML_REQUEST, encoded);
request.setParameter(Saml2ParameterNames.RELAY_STATE, "abcd");
Authentication authentication = authentication(registration);
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
Saml2LogoutResponse saml2LogoutResponse = this.logoutResponseResolver.resolve(request, authentication);
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIG_ALG)).isNull();
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIGNATURE)).isNull();
assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.RELAY_STATE)).isSameAs("abcd");
Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
LogoutResponse logoutResponse = getLogoutResponse(saml2LogoutResponse.getSamlResponse(), binding);
assertThat(logoutResponse.getStatus().getStatusCode().getValue()).isEqualTo(StatusCode.SUCCESS);
}
private Saml2Authentication authentication(RelyingPartyRegistration registration) {
DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal("user", new HashMap<>());
principal.setRelyingPartyRegistrationId(registration.getRegistrationId());
@@ -48,7 +48,7 @@ public final class DefaultSecurityFilterChain implements SecurityFilterChain {
}
public DefaultSecurityFilterChain(RequestMatcher requestMatcher, List<Filter> filters) {
if (!filters.isEmpty()) {
if (filters.isEmpty()) {
logger.info(LogMessage.format("Will not secure %s", requestMatcher));
}
else {
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
package org.springframework.security.web.access;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authorization.AuthorizationDecision;
@@ -23,6 +24,7 @@ import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.util.Assert;
import org.springframework.web.context.ServletContextAware;
/**
* An implementation of {@link WebInvocationPrivilegeEvaluator} which delegates the checks
@@ -31,10 +33,13 @@ import org.springframework.util.Assert;
* @author Marcus Da Coregio
* @since 5.5.5
*/
public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {
public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
implements WebInvocationPrivilegeEvaluator, ServletContextAware {
private final AuthorizationManager<HttpServletRequest> authorizationManager;
private ServletContext servletContext;
public AuthorizationManagerWebInvocationPrivilegeEvaluator(
AuthorizationManager<HttpServletRequest> authorizationManager) {
Assert.notNull(authorizationManager, "authorizationManager cannot be null");
@@ -48,10 +53,15 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement
@Override
public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
filterInvocation.getHttpRequest());
return decision != null && decision.isGranted();
return decision == null || decision.isGranted();
}
@Override
public void setServletContext(ServletContext servletContext) {
this.servletContext = servletContext;
}
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,14 +16,17 @@
package org.springframework.security.web.access;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentCaptor;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
@@ -65,4 +68,21 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
assertThat(allowed).isFalse();
}
@Test
void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
given(this.authorizationManager.check(any(), any())).willReturn(null);
boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
assertThat(allowed).isTrue();
}
@Test
void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() {
ServletContext servletContext = new MockServletContext();
this.privilegeEvaluator.setServletContext(servletContext);
this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
ArgumentCaptor<HttpServletRequest> captor = ArgumentCaptor.forClass(HttpServletRequest.class);
verify(this.authorizationManager).check(any(), captor.capture());
assertThat(captor.getValue().getServletContext()).isSameAs(servletContext);
}
}