Compare commits
51 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| ae1537b409 | |||
| 49cddee343 | |||
| 1c56c0c0c8 | |||
| d79cf75dfb | |||
| e34c5e73e1 | |||
| 46254e01fb | |||
| effe682fc4 | |||
| 7f36155b47 | |||
| 888d87619d | |||
| e8028e15c0 | |||
| 482eb0e2cd | |||
| b0f8aa5ea0 | |||
| f75ac6c837 | |||
| 5e56fc13be | |||
| c0568ea9b0 | |||
| 4048b2bd7d | |||
| 86acba9d22 | |||
| a4cd6f4278 | |||
| 5da31ab8a8 | |||
| cae3467a8d | |||
| a17b2a18d9 | |||
| 0cbc38cdd6 | |||
| eb30fd7f59 | |||
| 260d298cc5 | |||
| 78a60d0d84 | |||
| a001f27690 | |||
| 27319e3f9b | |||
| ec462e8bc5 | |||
| a4111a606b | |||
| 505fe3abed | |||
| 9710492619 | |||
| 9436796973 | |||
| 51239359ed | |||
| e48f26e51e | |||
| 3b7e3a6c5c | |||
| a04025c114 | |||
| 1564076276 | |||
| ae09f36291 | |||
| bcef6ed74f | |||
| c8581683da | |||
| f631a0fcd5 | |||
| 0e84f31a00 | |||
| 9c76ab69f0 | |||
| 5354e4d2c5 | |||
| db48d4ca50 | |||
| 547d174f3e | |||
| d2d1275b39 | |||
| 7bf776ec38 | |||
| e47a6714a5 | |||
| b9cae82b89 | |||
| f6354250a1 |
@@ -1,41 +0,0 @@
|
||||
version: 2
|
||||
|
||||
registries:
|
||||
spring-milestones:
|
||||
type: maven-repository
|
||||
url: https://repo.spring.io/milestone
|
||||
|
||||
updates:
|
||||
|
||||
- package-ecosystem: "gradle"
|
||||
target-branch: "main"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
time: "03:00"
|
||||
timezone: "Etc/UTC"
|
||||
labels: [ "type: dependency-upgrade" ]
|
||||
registries:
|
||||
- "spring-milestones"
|
||||
ignore:
|
||||
- dependency-name: "com.nimbusds:nimbus-jose-jwt" # nimbus-jose-jwt gets updated when oauth2-oidc-sdk is updated to ensure consistency
|
||||
- dependency-name: "org.python:jython" # jython updates break integration tests
|
||||
- dependency-name: "org.apache.directory.server:*" # ApacheDS version > 1.5.5 contains break changes
|
||||
- dependency-name: "org.junit:junit-bom"
|
||||
update-types: [ "version-update:semver-major" ]
|
||||
- dependency-name: "org.mockito:mockito-bom"
|
||||
update-types: [ "version-update:semver-major" ]
|
||||
- dependency-name: "*"
|
||||
update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
|
||||
|
||||
# GitHub Actions
|
||||
|
||||
- package-ecosystem: github-actions
|
||||
target-branch: "main"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: weekly
|
||||
ignore:
|
||||
- dependency-name: "sjohnr/*"
|
||||
- dependency-name: "spring-io/*"
|
||||
- dependency-name: "spring-security-release-tools/*"
|
||||
@@ -0,0 +1,17 @@
|
||||
name: "CodeQL Advanced"
|
||||
|
||||
on:
|
||||
push:
|
||||
pull_request:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
# https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#schedule
|
||||
- cron: '0 5 * * *'
|
||||
permissions: read-all
|
||||
jobs:
|
||||
codeql-analysis-call:
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
uses: spring-io/github-actions/.github/workflows/codeql-analysis.yml@1
|
||||
@@ -1,57 +0,0 @@
|
||||
name: Auto Merge Forward Dependabot Commits
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
concurrency:
|
||||
group: dependabot-auto-merge-forward
|
||||
|
||||
jobs:
|
||||
get-supported-branches:
|
||||
uses: spring-io/spring-security-release-tools/.github/workflows/retrieve-spring-supported-versions.yml@actions-v1
|
||||
with:
|
||||
project: spring-security
|
||||
type: oss
|
||||
repository_name: spring-projects/spring-security
|
||||
|
||||
auto-merge-forward-dependabot:
|
||||
name: Auto Merge Forward Dependabot Commits
|
||||
runs-on: ubuntu-latest
|
||||
needs: [get-supported-branches]
|
||||
permissions:
|
||||
contents: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
|
||||
- name: Setup GitHub User
|
||||
id: setup-gh-user
|
||||
run: |
|
||||
git config user.name 'github-actions[bot]'
|
||||
git config user.email 'github-actions[bot]@users.noreply.github.com'
|
||||
- name: Run Auto Merge Forward
|
||||
id: run-auto-merge-forward
|
||||
uses: spring-io/spring-security-release-tools/.github/actions/auto-merge-forward@actions-v1
|
||||
with:
|
||||
branches: ${{ needs.get-supported-branches.outputs.supported_versions }},main
|
||||
from-author: dependabot[bot]
|
||||
notify_result:
|
||||
name: Check for failures
|
||||
needs: [ auto-merge-forward-dependabot ]
|
||||
if: failure()
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
steps:
|
||||
- name: Send Slack message
|
||||
uses: Gamesight/slack-workflow-status@v1.3.0
|
||||
with:
|
||||
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
|
||||
channel: '#spring-security-ci'
|
||||
name: 'CI Notifier'
|
||||
@@ -4,7 +4,8 @@ on:
|
||||
schedule:
|
||||
- cron: '0 2 * * *' # 2am UTC
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
pull-requests: write
|
||||
jobs:
|
||||
upgrade_wrapper:
|
||||
name: Execution
|
||||
|
||||
@@ -1,45 +0,0 @@
|
||||
name: Mark Duplicate Dependabot PRs
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types: [closed]
|
||||
|
||||
jobs:
|
||||
check_duplicate_prs:
|
||||
runs-on: ubuntu-latest
|
||||
if: github.event.pull_request.merged == true && github.event.pull_request.user.login == 'dependabot[bot]'
|
||||
steps:
|
||||
- name: Checkout Repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Extract Dependency Name from PR Title
|
||||
id: extract
|
||||
run: |
|
||||
PR_TITLE="${{ github.event.pull_request.title }}"
|
||||
DEPENDENCY_NAME=$(echo "$PR_TITLE" | awk -F ' from ' '{print $1}')
|
||||
echo "dependency_name=$DEPENDENCY_NAME" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Find PRs
|
||||
id: find_duplicates
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
PRS=$(gh pr list --search 'milestone:${{ github.event.pull_request.milestone.title }} is:merged in:title "${{ steps.extract.outputs.dependency_name }}"' --json number --jq 'map(.number) | join(",")')
|
||||
echo "prs=$PRS" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Label Duplicate PRs
|
||||
if: steps.find_duplicates.outputs.prs != ''
|
||||
env:
|
||||
PRS: ${{ steps.find_duplicates.outputs.prs }}
|
||||
CURRENT_PR_NUMBER: ${{ github.event.pull_request.number }}
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
shell: bash
|
||||
run: |
|
||||
for i in ${PRS//,/ }
|
||||
do
|
||||
if [ ! $i -eq "$CURRENT_PR_NUMBER" ]; then
|
||||
echo "Marking PR $i as duplicate"
|
||||
gh pr edit "$i" --add-label "status: duplicate"
|
||||
gh pr comment "$i" --body "Duplicate of #$CURRENT_PR_NUMBER"
|
||||
fi
|
||||
done
|
||||
@@ -1,63 +0,0 @@
|
||||
name: Merge Dependabot PR
|
||||
|
||||
on: pull_request_target
|
||||
|
||||
run-name: Merge Dependabot PR ${{ github.ref_name }}
|
||||
|
||||
permissions: write-all
|
||||
|
||||
jobs:
|
||||
merge-dependabot-pr:
|
||||
name: Merge Dependabot PR
|
||||
runs-on: ubuntu-latest
|
||||
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'spring-projects/spring-security' }}
|
||||
steps:
|
||||
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
show-progress: false
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
|
||||
- uses: actions/setup-java@v4
|
||||
with:
|
||||
distribution: temurin
|
||||
java-version: 17
|
||||
|
||||
- name: Set Milestone to Dependabot Pull Request
|
||||
id: set-milestone
|
||||
run: |
|
||||
if test -f pom.xml
|
||||
then
|
||||
CURRENT_VERSION=$(mvn help:evaluate -Dexpression="project.version" -q -DforceStdout)
|
||||
else
|
||||
CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
|
||||
fi
|
||||
export CANDIDATE_VERSION=${CURRENT_VERSION/-SNAPSHOT}
|
||||
MILESTONE=$(gh api repos/$GITHUB_REPOSITORY/milestones --jq 'map(select(.due_on != null and (.title | startswith(env.CANDIDATE_VERSION)))) | .[0] | .title')
|
||||
|
||||
if [ -z $MILESTONE ]
|
||||
then
|
||||
gh run cancel ${{ github.run_id }}
|
||||
echo "::warning title=Cannot merge::No scheduled milestone for $CURRENT_VERSION version"
|
||||
else
|
||||
gh pr edit ${{ github.event.pull_request.number }} --milestone $MILESTONE
|
||||
echo mergeEnabled=true >> $GITHUB_OUTPUT
|
||||
fi
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Merge Dependabot pull request
|
||||
if: steps.set-milestone.outputs.mergeEnabled
|
||||
run: gh pr merge ${{ github.event.pull_request.number }} --auto --rebase
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
|
||||
send-notification:
|
||||
name: Send Notification
|
||||
needs: [ merge-dependabot-pr ]
|
||||
if: ${{ failure() || cancelled() }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Send Notification
|
||||
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
|
||||
with:
|
||||
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
|
||||
@@ -1,22 +0,0 @@
|
||||
name: Trigger Dependabot Auto Merge Forward
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- '*.x'
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
trigger-worflow:
|
||||
name: Trigger Workflow
|
||||
runs-on: ubuntu-latest
|
||||
if: ${{ github.event.commits[0].author.username == 'dependabot[bot]' && github.repository == 'spring-projects/spring-security' }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@v4
|
||||
- id: trigger
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
|
||||
run: gh workflow run dependabot-auto-merge-forward.yml -r main
|
||||
@@ -1,36 +0,0 @@
|
||||
name: Update dependabot.yml
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
|
||||
get-supported-branches:
|
||||
uses: spring-io/spring-security-release-tools/.github/workflows/retrieve-spring-supported-versions.yml@actions-v1
|
||||
with:
|
||||
project: spring-security
|
||||
type: oss
|
||||
repository_name: spring-projects/spring-security
|
||||
|
||||
main:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [get-supported-branches]
|
||||
if: ${{ (github.repository == 'spring-projects/spring-security') && (github.ref == 'refs/heads/main') }}
|
||||
permissions:
|
||||
contents: write
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 1
|
||||
- uses: spring-io/spring-security-release-tools/.github/actions/generate-dependabot-yml@actions-v1
|
||||
name: Update dependabot.yml
|
||||
with:
|
||||
gradle-branches: ${{ needs.get-supported-branches.outputs.supported_versions }},main
|
||||
github-actions-branches: ${{ needs.get-supported-branches.outputs.supported_versions }},main,docs-build
|
||||
gh-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- uses: stefanzweifel/git-auto-commit-action@v5
|
||||
with:
|
||||
commit_message: Update dependabot.yml
|
||||
+4
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -18,12 +18,12 @@ package org.springframework.security.config.web.server;
|
||||
|
||||
import java.util.Collections;
|
||||
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.core.ResolvableType;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.codec.EncoderHttpMessageWriter;
|
||||
import org.springframework.http.codec.HttpMessageWriter;
|
||||
@@ -48,6 +48,7 @@ import org.springframework.web.server.WebFilterChain;
|
||||
* A filter for the Client-side OIDC Back-Channel Logout endpoint
|
||||
*
|
||||
* @author Josh Cummings
|
||||
* @author Andrey Litvitski
|
||||
* @since 6.2
|
||||
* @see <a target="_blank" href=
|
||||
* "https://openid.net/specs/openid-connect-backchannel-1_0.html">OIDC Back-Channel Logout
|
||||
@@ -107,7 +108,7 @@ class OidcBackChannelLogoutWebFilter implements WebFilter {
|
||||
|
||||
private Mono<Void> handleAuthenticationFailure(ServerWebExchange exchange, Exception ex) {
|
||||
this.logger.debug("Failed to process OIDC Back-Channel Logout", ex);
|
||||
exchange.getResponse().setRawStatusCode(HttpServletResponse.SC_BAD_REQUEST);
|
||||
exchange.getResponse().setRawStatusCode(HttpStatus.BAD_REQUEST.value());
|
||||
return this.errorHttpMessageConverter.write(Mono.just(oauth2Error(ex)), ResolvableType.forClass(Object.class),
|
||||
ResolvableType.forClass(Object.class), MediaType.APPLICATION_JSON, exchange.getRequest(),
|
||||
exchange.getResponse(), Collections.emptyMap());
|
||||
|
||||
+4
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -22,13 +22,13 @@ import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.atomic.AtomicInteger;
|
||||
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.core.ResolvableType;
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.http.codec.EncoderHttpMessageWriter;
|
||||
@@ -54,6 +54,7 @@ import org.springframework.web.util.UriComponentsBuilder;
|
||||
* Back-Channel Logout Token and invalidates each one.
|
||||
*
|
||||
* @author Josh Cummings
|
||||
* @author Andrey Litvitski
|
||||
* @since 6.2
|
||||
* @see <a target="_blank" href=
|
||||
* "https://openid.net/specs/openid-connect-backchannel-1_0.html">OIDC Back-Channel Logout
|
||||
@@ -154,7 +155,7 @@ final class OidcBackChannelServerLogoutHandler implements ServerLogoutHandler {
|
||||
}
|
||||
|
||||
private Mono<Void> handleLogoutFailure(ServerWebExchange exchange, OAuth2Error error) {
|
||||
exchange.getResponse().setRawStatusCode(HttpServletResponse.SC_BAD_REQUEST);
|
||||
exchange.getResponse().setRawStatusCode(HttpStatus.BAD_REQUEST.value());
|
||||
return this.errorHttpMessageConverter.write(Mono.just(error), ResolvableType.forClass(Object.class),
|
||||
ResolvableType.forClass(Object.class), MediaType.APPLICATION_JSON, exchange.getRequest(),
|
||||
exchange.getResponse(), Collections.emptyMap());
|
||||
|
||||
+1
-1
@@ -111,7 +111,7 @@ final class Argon2EncodingUtils {
|
||||
case "argon2d" -> new Argon2Parameters.Builder(Argon2Parameters.ARGON2_d);
|
||||
case "argon2i" -> new Argon2Parameters.Builder(Argon2Parameters.ARGON2_i);
|
||||
case "argon2id" -> new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id);
|
||||
default -> throw new IllegalArgumentException("Invalid algorithm type: " + parts[0]);
|
||||
default -> throw new IllegalArgumentException("Invalid algorithm type: " + parts[1]);
|
||||
};
|
||||
if (parts[currentPart].startsWith("v=")) {
|
||||
paramsBuilder.withVersion(Integer.parseInt(parts[currentPart].substring(2)));
|
||||
|
||||
+4
-2
@@ -94,8 +94,10 @@ public class Argon2EncodingUtilsTests {
|
||||
|
||||
@Test
|
||||
public void decodeWhenNonexistingAlgorithmThenThrowException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> Argon2EncodingUtils
|
||||
.decode("$argon2x$v=19$m=1024,t=3,p=2$Y1JkRmJDdzIzZ3oyTWx4aw$cGE5Cbd/cx7micVhXVBdH5qTr66JI1iUyuNNVAnErXs"));
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> Argon2EncodingUtils.decode(
|
||||
"$argon2x$v=19$m=1024,t=3,p=2$Y1JkRmJDdzIzZ3oyTWx4aw$cGE5Cbd/cx7micVhXVBdH5qTr66JI1iUyuNNVAnErXs"))
|
||||
.withMessageContaining("argon2x");
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
@@ -82,6 +82,7 @@
|
||||
**** xref:servlet/saml2/login/authentication.adoc[SAML2 Authentication Responses]
|
||||
*** xref:servlet/saml2/logout.adoc[SAML2 Logout]
|
||||
*** xref:servlet/saml2/metadata.adoc[SAML2 Metadata]
|
||||
*** xref:servlet/saml2/saml-extension-migration.adoc[Migrating from Spring Security SAML Extension]
|
||||
** xref:servlet/exploits/index.adoc[Protection Against Exploits]
|
||||
*** xref:servlet/exploits/csrf.adoc[]
|
||||
*** xref:servlet/exploits/headers.adoc[]
|
||||
|
||||
@@ -29,7 +29,7 @@ spring:
|
||||
security:
|
||||
oauth2:
|
||||
resourceserver:
|
||||
opaque-token:
|
||||
opaquetoken:
|
||||
introspection-uri: https://idp.example.com/introspect
|
||||
client-id: client
|
||||
client-secret: secret
|
||||
@@ -616,7 +616,7 @@ spring:
|
||||
security:
|
||||
oauth2:
|
||||
resourceserver:
|
||||
opaque-token:
|
||||
opaquetoken:
|
||||
introspection-uri: https://idp.example.org/introspection
|
||||
client-id: client
|
||||
client-secret: secret
|
||||
|
||||
@@ -259,7 +259,7 @@ Java::
|
||||
+
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
HeaderWriterLogoutHandler clearSiteData = new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter());
|
||||
HeaderWriterLogoutHandler clearSiteData = new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(Directives.ALL));
|
||||
http
|
||||
.logout((logout) -> logout.addLogoutHandler(clearSiteData))
|
||||
----
|
||||
@@ -268,7 +268,7 @@ Kotlin::
|
||||
+
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
val clearSiteData = HeaderWriterLogoutHandler(ClearSiteDataHeaderWriter())
|
||||
val clearSiteData = HeaderWriterLogoutHandler(ClearSiteDataHeaderWriter(Directives.ALL))
|
||||
http {
|
||||
logout {
|
||||
addLogoutHandler(clearSiteData)
|
||||
@@ -402,7 +402,7 @@ SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
|
||||
@PostMapping("/my/logout")
|
||||
public String performLogout(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
|
||||
// .. perform logout
|
||||
this.logoutHandler.doLogout(request, response, authentication);
|
||||
this.logoutHandler.logout(request, response, authentication);
|
||||
return "redirect:/home";
|
||||
}
|
||||
----
|
||||
@@ -416,7 +416,7 @@ val logoutHandler = SecurityContextLogoutHandler()
|
||||
@PostMapping("/my/logout")
|
||||
fun performLogout(val authentication: Authentication, val request: HttpServletRequest, val response: HttpServletResponse): String {
|
||||
// .. perform logout
|
||||
this.logoutHandler.doLogout(request, response, authentication)
|
||||
this.logoutHandler.logout(request, response, authentication)
|
||||
return "redirect:/home"
|
||||
}
|
||||
----
|
||||
|
||||
@@ -534,6 +534,13 @@ public class MaximumSessionsPreventLoginTests {
|
||||
If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly.
|
||||
You can try it using the {gh-samples-url}/servlet/spring-boot/java/session-management/maximum-sessions-prevent-login[Maximum Sessions Prevent Login sample].
|
||||
|
||||
[NOTE]
|
||||
=====
|
||||
If you are using a custom implementation of `UserDetails`, ensure you override the **equals()** and **hashCode()** methods.
|
||||
The default `SessionRegistry` implementation in Spring Security relies on an in-memory Map that uses these methods to correctly identify and manage user sessions.
|
||||
Failing to override them may lead to issues where session tracking and user comparison behave unexpectedly.
|
||||
=====
|
||||
|
||||
== Detecting Timeouts
|
||||
|
||||
Sessions expire on their own, and there is nothing that needs to be done to ensure that a security context gets removed.
|
||||
|
||||
@@ -8,14 +8,12 @@ The browser automatically checks that the certificate presented by a server has
|
||||
You can also use SSL with "`mutual authentication`". The server then requests a valid certificate from the client as part of the SSL handshake.
|
||||
The server authenticates the client by checking that its certificate is signed by an acceptable authority.
|
||||
If a valid certificate has been provided, it can be obtained through the servlet API in an application.
|
||||
The Spring Security X.509 module extracts the certificate by using a filter.
|
||||
It maps the certificate to an application user and loads that user's set of granted authorities for use with the standard Spring Security infrastructure.
|
||||
|
||||
You can also use SSL with "`mutual authentication`". The server then requests a valid certificate from the client as part of the SSL handshake.
|
||||
The server authenticates the client by checking that its certificate is signed by an acceptable authority.
|
||||
For example, if you use Tomcat, you should read the https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html[Tomcat SSL instructions].
|
||||
You should get this working before trying it out with Spring Security.
|
||||
|
||||
The Spring Security X.509 module extracts the certificate by using a filter.
|
||||
It maps the certificate to an application user and loads that user's set of granted authorities for use with the standard Spring Security infrastructure.
|
||||
|
||||
|
||||
== Adding X.509 Authentication to Your Web Application
|
||||
Enabling X.509 client authentication is very straightforward.
|
||||
|
||||
@@ -28,7 +28,7 @@ spring:
|
||||
security:
|
||||
oauth2:
|
||||
resourceserver:
|
||||
opaque-token:
|
||||
opaquetoken:
|
||||
introspection-uri: https://idp.example.com/introspect
|
||||
client-id: client
|
||||
client-secret: secret
|
||||
@@ -782,7 +782,7 @@ spring:
|
||||
security:
|
||||
oauth2:
|
||||
resourceserver:
|
||||
opaque-token:
|
||||
opaquetoken:
|
||||
introspection-uri: https://idp.example.org/introspection
|
||||
client-id: client
|
||||
client-secret: secret
|
||||
|
||||
@@ -66,10 +66,11 @@ spring:
|
||||
security:
|
||||
saml2:
|
||||
relyingparty:
|
||||
okta:
|
||||
identityprovider:
|
||||
entity-id: ...
|
||||
singlesignon.sign-request: false
|
||||
registration:
|
||||
okta:
|
||||
assertingparty:
|
||||
entity-id: ...
|
||||
singlesignon.sign-request: false
|
||||
----
|
||||
|
||||
Java::
|
||||
|
||||
@@ -125,7 +125,7 @@ spring:
|
||||
relyingparty:
|
||||
registration:
|
||||
adfs:
|
||||
identityprovider:
|
||||
assertingparty:
|
||||
entity-id: https://idp.example.com/issuer
|
||||
verification.credentials:
|
||||
- certificate-location: "classpath:idp.crt"
|
||||
@@ -835,16 +835,17 @@ spring:
|
||||
security:
|
||||
saml2:
|
||||
relyingparty:
|
||||
okta:
|
||||
signing.credentials: &relying-party-credentials
|
||||
- private-key-location: classpath:rp.key
|
||||
certificate-location: classpath:rp.crt
|
||||
identityprovider:
|
||||
entity-id: ...
|
||||
azure:
|
||||
signing.credentials: *relying-party-credentials
|
||||
identityprovider:
|
||||
entity-id: ...
|
||||
registration:
|
||||
okta:
|
||||
signing.credentials: &relying-party-credentials
|
||||
- private-key-location: classpath:rp.key
|
||||
certificate-location: classpath:rp.crt
|
||||
assertingparty:
|
||||
entity-id: ...
|
||||
azure:
|
||||
signing.credentials: *relying-party-credentials
|
||||
assertingparty:
|
||||
entity-id: ...
|
||||
----
|
||||
|
||||
Second, in a database, you need not replicate the model of `RelyingPartyRegistration`.
|
||||
|
||||
@@ -0,0 +1,67 @@
|
||||
= SAML 2.0 Extension Migration
|
||||
|
||||
This document contains guidance for moving SAML 2.0 Service Providers from Spring Security SAML Extensions 1.x to Spring Security Since Spring Security doesn’t provide Identity Provider support, migrating a Spring Security SAML Extensions Identity Provider is out of scope for this document.
|
||||
|
||||
Because the two approaches are as different as they are, this document will tend to cover patterns more than precise search-and-replace steps.
|
||||
|
||||
[[saml2-login-logout]]
|
||||
== Login & Logout
|
||||
|
||||
=== Changes In Approach
|
||||
|
||||
https://github.com/spring-projects/spring-security[Spring Security] takes a slightly different approach from https://github.com/spring-projects/spring-security-saml[Spring Security SAML Extensions] in a few notable ways.
|
||||
|
||||
==== Simplified Enablement
|
||||
|
||||
Spring Security SAML Extensions support for Service Providers is provided by a series of filters enabled by adding each filter manually in the correct order to various Spring Security filter chains.
|
||||
|
||||
Spring Security’s SAML 2.0 Service Provider support is enabled via the Spring Security DSL methods:
|
||||
xref:servlet/saml2/login/index.adoc[`saml2Login`],
|
||||
xref:servlet/saml2/logout.adoc[`saml2Logout`], and
|
||||
xref:servlet/saml2/metadata.adoc[`saml2Metadata`]. It selects the correct filters to add and puts them in the appropriate places in the filter chain.
|
||||
|
||||
==== Stronger Encapsulation
|
||||
|
||||
Like Spring Security SAML Extensions, Spring Security bases it’s SAML support on OpenSAML. The Extensions project exposes OpenSAML over public interfaces, blurring the lines between the two projects, effectively requiring OpenSAML, and making upgrades to later versions of OpenSAML more complicated.
|
||||
|
||||
Spring Security provides stronger encapsulation. No public interfaces expose OpenSAML components and any class that exposes OpenSAML in its public API is named with an `OpenSaml` prefix for additional clarity.
|
||||
|
||||
==== Out-of-the-box Multitenancy
|
||||
|
||||
Spring Security SAML Extensions offered some lightweight support for declaring more than one Identity Provider and accessing it at login time using the `idp` request parameter. This was limiting as far as changing things at runtime was concerned and also doesn’t allow for a many-to-many relationship between relying and asserting parties.
|
||||
|
||||
Spring Security builds SAML 2.0 multitenancy into its default URLs and basic components in the form of a `RelyingPartyRegistration`. This component acts as a link between a Relying Party’s metadata and an Asserting Party’s metadata, and all pairs are available for lookup in a `RelyingPartyRegistrationRepository`. Each URL represents a unique registration pair to be retrieved.
|
||||
|
||||
Whether it’s AuthnRequests, Responses, LogoutRequests, LogoutResponses, or EntityDescriptors, each filter is based off of `RelyingPartyRegistrationRepository` and so is fundamentally multi-tenant.
|
||||
|
||||
=== Examples Matrix
|
||||
|
||||
Both Spring Security and Spring Security SAML Extensions have examples for how to configure the Service Provider:
|
||||
|
||||
[options="header"]
|
||||
|===
|
||||
| Use case | Spring Security | Spring Security SAML Extension
|
||||
|
||||
| Login & Logout | https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/login[Sample] |
|
||||
https://github.com/jzheaux/spring-security-saml-migrate/tree/main/login-logout[Sample]
|
||||
| Login using SAML Extension URLs | https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/custom-urls[Sample] | -
|
||||
| Metadata support | https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/refreshable-metadata[Sample] | -
|
||||
|===
|
||||
|
||||
You can also see a showcase example in https://github.com/spring-projects/spring-security-saml/tree/main/sample[Spring Security SAML Extension]'s GitHub project.
|
||||
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
Spring Security does not support HTTP-Redirect binding for SAML 2.0 Responses.
|
||||
According to the SAML specification, the HTTP-Redirect binding is not permitted for SAML Responses due to URL length and signature limitations. Attempting to use this binding may result in unexpected errors.
|
||||
Use HTTP-POST binding instead when configuring your identity provider.
|
||||
====
|
||||
|
||||
[[saml2-unported]]
|
||||
== Unported Features
|
||||
|
||||
There are some features that are not yet ported over and there are as yet no plans to do so:
|
||||
|
||||
* HTTP-Redirect binding for SAML 2.0 Responses
|
||||
* Artifact binding support
|
||||
+1
-1
@@ -1,5 +1,5 @@
|
||||
springBootVersion=3.1.1
|
||||
version=6.3.9-SNAPSHOT
|
||||
version=6.3.10
|
||||
samplesBranch=6.3.x
|
||||
org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
|
||||
org.gradle.parallel=true
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
[versions]
|
||||
com-squareup-okhttp3 = "3.14.9"
|
||||
io-rsocket = "1.1.5"
|
||||
io-spring-javaformat = "0.0.43"
|
||||
io-spring-javaformat = "0.0.46"
|
||||
io-spring-nohttp = "0.0.11"
|
||||
jakarta-websocket = "2.1.1"
|
||||
org-apache-directory-server = "1.5.5"
|
||||
org-apache-maven-resolver = "1.9.22"
|
||||
org-apache-maven-resolver = "1.9.23"
|
||||
org-aspectj = "1.9.24"
|
||||
org-bouncycastle = "1.78.1"
|
||||
org-eclipse-jetty = "11.0.25"
|
||||
@@ -13,7 +13,7 @@ org-jetbrains-kotlin = "1.9.25"
|
||||
org-jetbrains-kotlinx = "1.8.1"
|
||||
org-mockito = "5.11.0"
|
||||
org-opensaml = "4.3.2"
|
||||
org-springframework = "6.1.19"
|
||||
org-springframework = "6.1.20"
|
||||
|
||||
[libraries]
|
||||
ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.18"
|
||||
@@ -28,13 +28,13 @@ com-unboundid-unboundid-ldapsdk = "com.unboundid:unboundid-ldapsdk:6.0.11"
|
||||
commons-collections = "commons-collections:commons-collections:3.2.2"
|
||||
io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.12.13"
|
||||
io-mockk = "io.mockk:mockk:1.13.17"
|
||||
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.17"
|
||||
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.19"
|
||||
io-rsocket-rsocket-bom = { module = "io.rsocket:rsocket-bom", version.ref = "io-rsocket" }
|
||||
io-spring-javaformat-spring-javaformat-checkstyle = { module = "io.spring.javaformat:spring-javaformat-checkstyle", version.ref = "io-spring-javaformat" }
|
||||
io-spring-javaformat-spring-javaformat-gradle-plugin = { module = "io.spring.javaformat:spring-javaformat-gradle-plugin", version.ref = "io-spring-javaformat" }
|
||||
io-spring-nohttp-nohttp-checkstyle = { module = "io.spring.nohttp:nohttp-checkstyle", version.ref = "io-spring-nohttp" }
|
||||
io-spring-nohttp-nohttp-gradle = { module = "io.spring.nohttp:nohttp-gradle", version.ref = "io-spring-nohttp" }
|
||||
io-spring-security-release-plugin = "io.spring.gradle:spring-security-release-plugin:1.0.4"
|
||||
io-spring-security-release-plugin = "io.spring.gradle:spring-security-release-plugin:1.0.6"
|
||||
jakarta-annotation-jakarta-annotation-api = "jakarta.annotation:jakarta.annotation-api:2.1.1"
|
||||
jakarta-inject-jakarta-inject-api = "jakarta.inject:jakarta.inject-api:2.0.1"
|
||||
jakarta-persistence-jakarta-persistence-api = "jakarta.persistence:jakarta.persistence-api:3.1.0"
|
||||
@@ -53,7 +53,7 @@ org-apache-directory-server-apacheds-protocol-shared = { module = "org.apache.di
|
||||
org-apache-directory-server-apacheds-server-jndi = { module = "org.apache.directory.server:apacheds-server-jndi", version.ref = "org-apache-directory-server" }
|
||||
org-apache-directory-shared-shared-ldap = "org.apache.directory.shared:shared-ldap:0.9.15"
|
||||
org-apache-httpcomponents-httpclient = "org.apache.httpcomponents:httpclient:4.5.14"
|
||||
org-apache-maven-maven-resolver-provider = "org.apache.maven:maven-resolver-provider:3.9.9"
|
||||
org-apache-maven-maven-resolver-provider = "org.apache.maven:maven-resolver-provider:3.9.10"
|
||||
org-apache-maven-resolver-maven-resolver-connector-basic = { module = "org.apache.maven.resolver:maven-resolver-connector-basic", version.ref = "org-apache-maven-resolver" }
|
||||
org-apache-maven-resolver-maven-resolver-impl = { module = "org.apache.maven.resolver:maven-resolver-impl", version.ref = "org-apache-maven-resolver" }
|
||||
org-apache-maven-resolver-maven-resolver-transport-http = { module = "org.apache.maven.resolver:maven-resolver-transport-http", version.ref = "org-apache-maven-resolver" }
|
||||
@@ -84,7 +84,7 @@ org-seleniumhq-selenium-selenium-support = "org.seleniumhq.selenium:selenium-sup
|
||||
org-skyscreamer-jsonassert = "org.skyscreamer:jsonassert:1.5.3"
|
||||
org-slf4j-log4j-over-slf4j = "org.slf4j:log4j-over-slf4j:1.7.36"
|
||||
org-slf4j-slf4j-api = "org.slf4j:slf4j-api:2.0.17"
|
||||
org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2024.0.10"
|
||||
org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2024.0.12"
|
||||
org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:3.2.12"
|
||||
org-springframework-spring-framework-bom = { module = "org.springframework:spring-framework-bom", version.ref = "org-springframework" }
|
||||
org-synchronoss-cloud-nio-multipart-parser = "org.synchronoss.cloud:nio-multipart-parser:1.1.0"
|
||||
|
||||
Vendored
BIN
Binary file not shown.
+2
-2
@@ -1,7 +1,7 @@
|
||||
distributionBase=GRADLE_USER_HOME
|
||||
distributionPath=wrapper/dists
|
||||
distributionSha256Sum=20f1b1176237254a6fc204d8434196fa11a4cfb387567519c61556e8710aed78
|
||||
distributionUrl=https\://services.gradle.org/distributions/gradle-8.13-bin.zip
|
||||
distributionSha256Sum=61ad310d3c7d3e5da131b76bbf22b5a4c0786e9d892dae8c1658d4b484de3caa
|
||||
distributionUrl=https\://services.gradle.org/distributions/gradle-8.14-bin.zip
|
||||
networkTimeout=10000
|
||||
validateDistributionUrl=true
|
||||
zipStoreBase=GRADLE_USER_HOME
|
||||
|
||||
@@ -114,7 +114,7 @@ case "$( uname )" in #(
|
||||
NONSTOP* ) nonstop=true ;;
|
||||
esac
|
||||
|
||||
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
|
||||
CLASSPATH="\\\"\\\""
|
||||
|
||||
|
||||
# Determine the Java command to use to start the JVM.
|
||||
@@ -213,7 +213,7 @@ DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
|
||||
set -- \
|
||||
"-Dorg.gradle.appname=$APP_BASE_NAME" \
|
||||
-classpath "$CLASSPATH" \
|
||||
org.gradle.wrapper.GradleWrapperMain \
|
||||
-jar "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" \
|
||||
"$@"
|
||||
|
||||
# Stop when "xargs" is not available.
|
||||
|
||||
Vendored
+2
-2
@@ -70,11 +70,11 @@ goto fail
|
||||
:execute
|
||||
@rem Setup the command line
|
||||
|
||||
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
|
||||
set CLASSPATH=
|
||||
|
||||
|
||||
@rem Execute Gradle
|
||||
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
|
||||
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %*
|
||||
|
||||
:end
|
||||
@rem End local scope for the variables with windows NT shell
|
||||
|
||||
+8
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -17,6 +17,7 @@
|
||||
package org.springframework.security.oauth2.client.registration;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.LinkedHashMap;
|
||||
import java.util.List;
|
||||
@@ -49,6 +50,7 @@ import org.springframework.web.util.UriComponentsBuilder;
|
||||
* @author Rob Winch
|
||||
* @author Josh Cummings
|
||||
* @author Rafiullah Hamedy
|
||||
* @author Evgeniy Cheban
|
||||
* @since 5.1
|
||||
*/
|
||||
public final class ClientRegistrations {
|
||||
@@ -211,6 +213,7 @@ public final class ClientRegistrations {
|
||||
private static ClientRegistration.Builder getBuilder(String issuer,
|
||||
Supplier<ClientRegistration.Builder>... suppliers) {
|
||||
String errorMessage = "Unable to resolve Configuration with the provided Issuer of \"" + issuer + "\"";
|
||||
List<String> errors = new ArrayList<>();
|
||||
for (Supplier<ClientRegistration.Builder> supplier : suppliers) {
|
||||
try {
|
||||
return supplier.get();
|
||||
@@ -219,6 +222,7 @@ public final class ClientRegistrations {
|
||||
if (!ex.getStatusCode().is4xxClientError()) {
|
||||
throw ex;
|
||||
}
|
||||
errors.add(ex.getMessage());
|
||||
// else try another endpoint
|
||||
}
|
||||
catch (IllegalArgumentException | IllegalStateException ex) {
|
||||
@@ -228,6 +232,9 @@ public final class ClientRegistrations {
|
||||
throw new IllegalArgumentException(errorMessage, ex);
|
||||
}
|
||||
}
|
||||
if (!errors.isEmpty()) {
|
||||
throw new IllegalArgumentException(errorMessage + ", errors: " + errors);
|
||||
}
|
||||
throw new IllegalArgumentException(errorMessage);
|
||||
}
|
||||
|
||||
|
||||
+24
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -36,12 +36,14 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
* @author Rafiullah Hamedy
|
||||
* @author Evgeniy Cheban
|
||||
* @since 5.1
|
||||
*/
|
||||
public class ClientRegistrationsTests {
|
||||
@@ -455,6 +457,27 @@ public class ClientRegistrationsTests {
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void issuerWhenAllEndpointsFailedThenExceptionIncludesFailureInformation() {
|
||||
this.issuer = createIssuerFromServer("issuer1");
|
||||
this.server.setDispatcher(new Dispatcher() {
|
||||
@Override
|
||||
public MockResponse dispatch(RecordedRequest request) {
|
||||
int responseCode = switch (request.getPath()) {
|
||||
case "/issuer1/.well-known/openid-configuration" -> 405;
|
||||
case "/.well-known/openid-configuration/issuer1" -> 400;
|
||||
default -> 404;
|
||||
};
|
||||
return new MockResponse().setResponseCode(responseCode);
|
||||
}
|
||||
});
|
||||
assertThatExceptionOfType(IllegalArgumentException.class)
|
||||
.isThrownBy(() -> ClientRegistrations.fromIssuerLocation(this.issuer).build())
|
||||
.withMessageContaining("405")
|
||||
.withMessageContaining("400")
|
||||
.withMessageContaining("404");
|
||||
}
|
||||
|
||||
private ClientRegistration.Builder registration(String path) throws Exception {
|
||||
this.issuer = createIssuerFromServer(path);
|
||||
this.response.put("issuer", this.issuer);
|
||||
|
||||
+10
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -391,7 +391,7 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
|
||||
String inResponseTo = response.getInResponseTo();
|
||||
result = result.concat(validateInResponseTo(token.getAuthenticationRequest(), inResponseTo));
|
||||
|
||||
String issuer = response.getIssuer().getValue();
|
||||
String issuer = issuer(response);
|
||||
String destination = response.getDestination();
|
||||
String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
|
||||
if (StringUtils.hasText(destination) && !destination.equals(location)) {
|
||||
@@ -414,6 +414,13 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
|
||||
};
|
||||
}
|
||||
|
||||
private static String issuer(Response response) {
|
||||
if (response.getIssuer() == null) {
|
||||
return null;
|
||||
}
|
||||
return response.getIssuer().getValue();
|
||||
}
|
||||
|
||||
private static List<String> getStatusCodes(Response response) {
|
||||
if (response.getStatus() == null) {
|
||||
return List.of(StatusCode.SUCCESS);
|
||||
@@ -576,7 +583,7 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
|
||||
}
|
||||
|
||||
private void process(Saml2AuthenticationToken token, Response response) {
|
||||
String issuer = response.getIssuer().getValue();
|
||||
String issuer = issuer(response);
|
||||
this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
|
||||
boolean responseSigned = response.isSigned();
|
||||
|
||||
|
||||
+10
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -861,6 +861,15 @@ public class OpenSaml4AuthenticationProviderTests {
|
||||
provider.authenticate(token);
|
||||
}
|
||||
|
||||
// gh-16989
|
||||
@Test
|
||||
public void authenticateWhenNullIssuerThenNoNullPointer() {
|
||||
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
|
||||
Response response = TestOpenSamlObjects.signedResponseWithOneAssertion((r) -> r.setIssuer(null));
|
||||
Saml2AuthenticationToken token = token(response, verifying(registration()));
|
||||
assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token));
|
||||
}
|
||||
|
||||
private <T extends XMLObject> T build(QName qName) {
|
||||
return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName);
|
||||
}
|
||||
|
||||
+11
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -64,6 +64,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
|
||||
* </ul>
|
||||
*
|
||||
* @author Sergey Bespalov
|
||||
* @author Andrey Litvitski
|
||||
* @since 5.2.0
|
||||
*/
|
||||
public class AuthenticationFilter extends OncePerRequestFilter {
|
||||
@@ -193,6 +194,15 @@ public class AuthenticationFilter extends OncePerRequestFilter {
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String getAlreadyFilteredAttributeName() {
|
||||
String name = getFilterName();
|
||||
if (name == null) {
|
||||
name = getClass().getName().concat("-" + System.identityHashCode(this));
|
||||
}
|
||||
return name + ALREADY_FILTERED_SUFFIX;
|
||||
}
|
||||
|
||||
private void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
|
||||
AuthenticationException failed) throws IOException, ServletException {
|
||||
this.securityContextHolderStrategy.clearContext();
|
||||
|
||||
+7
-3
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -79,6 +79,10 @@ import org.springframework.web.filter.GenericFilterBean;
|
||||
* raised by the <tt>AuthenticationManager</tt> will the be re-thrown. Note that this will
|
||||
* not affect cases where the principal returned by {@link #getPreAuthenticatedPrincipal}
|
||||
* is null, when the chain will still proceed as normal.
|
||||
* <p>
|
||||
* The filter saves the {@link SecurityContext} using the configured
|
||||
* {@link SecurityContextRepository}, which can be set via
|
||||
* {@link #setSecurityContextRepository}.
|
||||
*
|
||||
* @author Luke Taylor
|
||||
* @author Ruud Senden
|
||||
@@ -253,8 +257,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
|
||||
|
||||
/**
|
||||
* Sets the {@link SecurityContextRepository} to save the {@link SecurityContext} on
|
||||
* authentication success. The default action is not to save the
|
||||
* {@link SecurityContext}.
|
||||
* authentication success. The default action is to save the {@link SecurityContext}
|
||||
* in {@link HttpSession} using {@link HttpSessionSecurityContextRepository}.
|
||||
* @param securityContextRepository the {@link SecurityContextRepository} to use.
|
||||
* Cannot be null.
|
||||
*/
|
||||
|
||||
+2
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -75,6 +75,7 @@ public final class ClearSiteDataHeaderWriter implements HeaderWriter {
|
||||
if (!response.containsHeader(CLEAR_SITE_DATA_HEADER)) {
|
||||
response.setHeader(CLEAR_SITE_DATA_HEADER, this.headerValue);
|
||||
}
|
||||
return;
|
||||
}
|
||||
this.logger.debug(
|
||||
LogMessage.format("Not injecting Clear-Site-Data header since it did not match the requestMatcher %s",
|
||||
|
||||
+9
-9
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -802,42 +802,42 @@ public class StrictServerWebExchangeFirewall implements ServerWebExchangeFirewal
|
||||
|
||||
@Override
|
||||
public Builder method(HttpMethod httpMethod) {
|
||||
return this.delegate.method(httpMethod);
|
||||
return new StrictFirewallBuilder(this.delegate.method(httpMethod));
|
||||
}
|
||||
|
||||
@Override
|
||||
public Builder uri(URI uri) {
|
||||
return this.delegate.uri(uri);
|
||||
return new StrictFirewallBuilder(this.delegate.uri(uri));
|
||||
}
|
||||
|
||||
@Override
|
||||
public Builder path(String path) {
|
||||
return this.delegate.path(path);
|
||||
return new StrictFirewallBuilder(this.delegate.path(path));
|
||||
}
|
||||
|
||||
@Override
|
||||
public Builder contextPath(String contextPath) {
|
||||
return this.delegate.contextPath(contextPath);
|
||||
return new StrictFirewallBuilder(this.delegate.contextPath(contextPath));
|
||||
}
|
||||
|
||||
@Override
|
||||
public Builder header(String headerName, String... headerValues) {
|
||||
return this.delegate.header(headerName, headerValues);
|
||||
return new StrictFirewallBuilder(this.delegate.header(headerName, headerValues));
|
||||
}
|
||||
|
||||
@Override
|
||||
public Builder headers(Consumer<HttpHeaders> headersConsumer) {
|
||||
return this.delegate.headers(headersConsumer);
|
||||
return new StrictFirewallBuilder(this.delegate.headers(headersConsumer));
|
||||
}
|
||||
|
||||
@Override
|
||||
public Builder sslInfo(SslInfo sslInfo) {
|
||||
return this.delegate.sslInfo(sslInfo);
|
||||
return new StrictFirewallBuilder(this.delegate.sslInfo(sslInfo));
|
||||
}
|
||||
|
||||
@Override
|
||||
public Builder remoteAddress(InetSocketAddress remoteAddress) {
|
||||
return this.delegate.remoteAddress(remoteAddress);
|
||||
return new StrictFirewallBuilder(this.delegate.remoteAddress(remoteAddress));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
+17
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -17,6 +17,7 @@
|
||||
package org.springframework.security.web.authentication;
|
||||
|
||||
import jakarta.servlet.FilterChain;
|
||||
import jakarta.servlet.Servlet;
|
||||
import jakarta.servlet.ServletException;
|
||||
import jakarta.servlet.ServletRequest;
|
||||
import jakarta.servlet.ServletResponse;
|
||||
@@ -57,6 +58,7 @@ import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
|
||||
/**
|
||||
* @author Sergey Bespalov
|
||||
* @author Andrey Litvitski
|
||||
* @since 5.2.0
|
||||
*/
|
||||
@ExtendWith(MockitoExtension.class)
|
||||
@@ -318,4 +320,18 @@ public class AuthenticationFilterTests {
|
||||
assertThat(securityContextArg.getValue().getAuthentication()).isEqualTo(authentication);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void filterWhenMultipleInChainThenAllFiltered() throws Exception {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
AuthenticationFilter filter1 = new AuthenticationFilter(this.authenticationManager,
|
||||
this.authenticationConverter);
|
||||
AuthenticationConverter converter2 = mock(AuthenticationConverter.class);
|
||||
AuthenticationFilter filter2 = new AuthenticationFilter(this.authenticationManager, converter2);
|
||||
FilterChain chain = new MockFilterChain(mock(Servlet.class), filter1, filter2);
|
||||
chain.doFilter(request, response);
|
||||
verify(this.authenticationConverter).convert(any());
|
||||
verify(converter2).convert(any());
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
+14
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -534,4 +534,17 @@ class StrictServerWebExchangeFirewallTests {
|
||||
.isThrownBy(() -> headers.get(invalidHeaderName));
|
||||
}
|
||||
|
||||
// gh-16978
|
||||
@Test
|
||||
void getMutatedFirewalledExchangeHeadersGetHeaderWhenNotAllowedHeaderNameThenException() {
|
||||
String invalidHeaderName = "bad name";
|
||||
this.firewall.setAllowedHeaderNames((name) -> !name.equals(invalidHeaderName));
|
||||
ServerWebExchange exchange = getFirewalledExchange();
|
||||
var mutatedRequest = exchange.getRequest().mutate().method(HttpMethod.POST).build();
|
||||
var mutatedExchange = exchange.mutate().request(mutatedRequest).build();
|
||||
HttpHeaders headers = mutatedExchange.getRequest().getHeaders();
|
||||
assertThatExceptionOfType(ServerExchangeRejectedException.class)
|
||||
.isThrownBy(() -> headers.get(invalidHeaderName));
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user