Use OpenSAML API for web

Issue gh-11658

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -39,7 +39,7 @@
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
 import org.springframework.security.saml2.provider.service.web.HttpSessionSaml2AuthenticationRequestRepository;
-import org.springframework.security.saml2.provider.service.web.OpenSamlAuthenticationTokenConverter;
+import org.springframework.security.saml2.provider.service.web.OpenSaml4AuthenticationTokenConverter;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
 import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
@@ -379,10 +379,10 @@ private AuthenticationConverter getAuthenticationConverter(B http) {
 		AuthenticationConverter authenticationConverterBean = getBeanOrNull(http,
 				Saml2AuthenticationTokenConverter.class);
 		if (authenticationConverterBean == null) {
-			authenticationConverterBean = getBeanOrNull(http, OpenSamlAuthenticationTokenConverter.class);
+			authenticationConverterBean = getBeanOrNull(http, OpenSaml4AuthenticationTokenConverter.class);
 		}
 		if (authenticationConverterBean == null) {
-			OpenSamlAuthenticationTokenConverter converter = new OpenSamlAuthenticationTokenConverter(
+			OpenSaml4AuthenticationTokenConverter converter = new OpenSaml4AuthenticationTokenConverter(
 					this.relyingPartyRegistrationRepository);
 			converter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(http));
 			converter.setRequestMatcher(this.loginProcessingUrl);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java

@@ -308,7 +308,7 @@ public void authenticateWithInvalidDeflatedSAMLResponseThenFailureHandlerUses()
 		Saml2AuthenticationException exception = captor.getValue();
 		assertThat(exception.getSaml2Error().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_RESPONSE);
 		assertThat(exception.getSaml2Error().getDescription()).isEqualTo("Unable to inflate string");
-		assertThat(exception.getCause()).isInstanceOf(IOException.class);
+		assertThat(exception).hasRootCauseInstanceOf(IOException.class);
 	}
 
 	@Test

saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle

@@ -38,6 +38,11 @@ sourceSets.configureEach { set ->
 		with from
 	}
 
+	copy {
+		into "$projectDir/src/$set.name/java/org/springframework/security/saml2/provider/service/web"
+		filter { line -> line.replaceAll(".saml2.internal", ".saml2.provider.service.web") }
+		with from
+	}
 }
 
 dependencies {

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/BaseOpenSamlAuthenticationTokenConverter.java

@@ -0,0 +1,190 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.web;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.opensaml.saml.saml2.core.Response;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.security.saml2.core.OpenSamlInitializationService;
+import org.springframework.security.saml2.core.Saml2Error;
+import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
+import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers.UriResolver;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.Assert;
+
+final class BaseOpenSamlAuthenticationTokenConverter implements AuthenticationConverter {
+
+	static {
+		OpenSamlInitializationService.initialize();
+	}
+
+	private final OpenSamlOperations saml;
+
+	private final RelyingPartyRegistrationRepository registrations;
+
+	private RequestMatcher requestMatcher = new OrRequestMatcher(
+			new AntPathRequestMatcher("/login/saml2/sso/{registrationId}"),
+			new AntPathRequestMatcher("/login/saml2/sso"));
+
+	private Saml2AuthenticationRequestRepository<?> authenticationRequests = new HttpSessionSaml2AuthenticationRequestRepository();
+
+	/**
+	 * Constructs a {@link BaseOpenSamlAuthenticationTokenConverter} given a repository
+	 * for {@link RelyingPartyRegistration}s
+	 * @param registrations the repository for {@link RelyingPartyRegistration}s
+	 * {@link RelyingPartyRegistration}s
+	 */
+	BaseOpenSamlAuthenticationTokenConverter(RelyingPartyRegistrationRepository registrations,
+			OpenSamlOperations saml) {
+		Assert.notNull(registrations, "relyingPartyRegistrationRepository cannot be null");
+		this.registrations = registrations;
+		this.saml = saml;
+	}
+
+	/**
+	 * Resolve an authentication request from the given {@link HttpServletRequest}.
+	 *
+	 * <p>
+	 * First uses the configured {@link RequestMatcher} to deduce whether an
+	 * authentication request is being made and optionally for which
+	 * {@code registrationId}.
+	 *
+	 * <p>
+	 * If there is an associated {@code <saml2:AuthnRequest>}, then the
+	 * {@code registrationId} is looked up and used.
+	 *
+	 * <p>
+	 * If a {@code registrationId} is found in the request, then it is looked up and used.
+	 * In that case, if none is found a {@link Saml2AuthenticationException} is thrown.
+	 *
+	 * <p>
+	 * Finally, if no {@code registrationId} is found in the request, then the code
+	 * attempts to resolve the {@link RelyingPartyRegistration} from the SAML Response's
+	 * Issuer.
+	 * @param request the HTTP request
+	 * @return the {@link Saml2AuthenticationToken} authentication request
+	 * @throws Saml2AuthenticationException if the {@link RequestMatcher} specifies a
+	 * non-existent {@code registrationId}
+	 */
+	@Override
+	public Saml2AuthenticationToken convert(HttpServletRequest request) {
+		String serialized = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
+		if (serialized == null) {
+			return null;
+		}
+		RequestMatcher.MatchResult result = this.requestMatcher.matcher(request);
+		if (!result.isMatch()) {
+			return null;
+		}
+		Saml2AuthenticationToken token = tokenByAuthenticationRequest(request);
+		if (token == null) {
+			token = tokenByRegistrationId(request, result);
+		}
+		if (token == null) {
+			token = tokenByEntityId(request);
+		}
+		return token;
+	}
+
+	private Saml2AuthenticationToken tokenByAuthenticationRequest(HttpServletRequest request) {
+		AbstractSaml2AuthenticationRequest authenticationRequest = this.authenticationRequests
+			.loadAuthenticationRequest(request);
+		if (authenticationRequest == null) {
+			return null;
+		}
+		String registrationId = authenticationRequest.getRelyingPartyRegistrationId();
+		RelyingPartyRegistration registration = this.registrations.findByRegistrationId(registrationId);
+		return tokenByRegistration(request, registration, authenticationRequest);
+	}
+
+	private Saml2AuthenticationToken tokenByRegistrationId(HttpServletRequest request,
+			RequestMatcher.MatchResult result) {
+		String registrationId = result.getVariables().get("registrationId");
+		if (registrationId == null) {
+			return null;
+		}
+		RelyingPartyRegistration registration = this.registrations.findByRegistrationId(registrationId);
+		return tokenByRegistration(request, registration, null);
+	}
+
+	private Saml2AuthenticationToken tokenByEntityId(HttpServletRequest request) {
+		Response response = this.saml.deserialize(decode(request));
+		String issuer = response.getIssuer().getValue();
+		RelyingPartyRegistration registration = this.registrations.findUniqueByAssertingPartyEntityId(issuer);
+		return tokenByRegistration(request, registration, null);
+	}
+
+	private Saml2AuthenticationToken tokenByRegistration(HttpServletRequest request,
+			RelyingPartyRegistration registration, AbstractSaml2AuthenticationRequest authenticationRequest) {
+		if (registration == null) {
+			return null;
+		}
+		String decoded = decode(request);
+		UriResolver resolver = RelyingPartyRegistrationPlaceholderResolvers.uriResolver(request, registration);
+		registration = registration.mutate()
+			.entityId(resolver.resolve(registration.getEntityId()))
+			.assertionConsumerServiceLocation(resolver.resolve(registration.getAssertionConsumerServiceLocation()))
+			.build();
+		return new Saml2AuthenticationToken(registration, decoded, authenticationRequest);
+	}
+
+	/**
+	 * Use the given {@link Saml2AuthenticationRequestRepository} to load authentication
+	 * request.
+	 * @param authenticationRequestRepository the
+	 * {@link Saml2AuthenticationRequestRepository} to use
+	 */
+	void setAuthenticationRequestRepository(
+			Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository) {
+		Assert.notNull(authenticationRequestRepository, "authenticationRequestRepository cannot be null");
+		this.authenticationRequests = authenticationRequestRepository;
+	}
+
+	/**
+	 * Use the given {@link RequestMatcher} to match the request.
+	 * @param requestMatcher the {@link RequestMatcher} to use
+	 */
+	void setRequestMatcher(RequestMatcher requestMatcher) {
+		Assert.notNull(requestMatcher, "requestMatcher cannot be null");
+		this.requestMatcher = requestMatcher;
+	}
+
+	private String decode(HttpServletRequest request) {
+		String encoded = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
+		try {
+			return Saml2Utils.withEncoded(encoded)
+				.requireBase64(true)
+				.inflate(HttpMethod.GET.matches(request.getMethod()))
+				.decode();
+		}
+		catch (Exception ex) {
+			throw new Saml2AuthenticationException(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, ex.getMessage()),
+					ex);
+		}
+	}
+
+}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/OpenSaml4AuthenticationTokenConverter.java

@@ -0,0 +1,104 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.web;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link AuthenticationConverter} that generates a {@link Saml2AuthenticationToken}
+ * appropriate for authenticated a SAML 2.0 Assertion against an
+ * {@link org.springframework.security.authentication.AuthenticationManager}.
+ *
+ * @author Josh Cummings
+ * @since 6.1
+ */
+public final class OpenSaml4AuthenticationTokenConverter implements AuthenticationConverter {
+
+	private final BaseOpenSamlAuthenticationTokenConverter delegate;
+
+	/**
+	 * Constructs a {@link OpenSaml4AuthenticationTokenConverter} given a repository for
+	 * {@link RelyingPartyRegistration}s
+	 * @param registrations the repository for {@link RelyingPartyRegistration}s
+	 * {@link RelyingPartyRegistration}s
+	 */
+	public OpenSaml4AuthenticationTokenConverter(RelyingPartyRegistrationRepository registrations) {
+		Assert.notNull(registrations, "relyingPartyRegistrationRepository cannot be null");
+		this.delegate = new BaseOpenSamlAuthenticationTokenConverter(registrations, new OpenSaml4Template());
+	}
+
+	/**
+	 * Resolve an authentication request from the given {@link HttpServletRequest}.
+	 *
+	 * <p>
+	 * First uses the configured {@link RequestMatcher} to deduce whether an
+	 * authentication request is being made and optionally for which
+	 * {@code registrationId}.
+	 *
+	 * <p>
+	 * If there is an associated {@code <saml2:AuthnRequest>}, then the
+	 * {@code registrationId} is looked up and used.
+	 *
+	 * <p>
+	 * If a {@code registrationId} is found in the request, then it is looked up and used.
+	 * In that case, if none is found a {@link Saml2AuthenticationException} is thrown.
+	 *
+	 * <p>
+	 * Finally, if no {@code registrationId} is found in the request, then the code
+	 * attempts to resolve the {@link RelyingPartyRegistration} from the SAML Response's
+	 * Issuer.
+	 * @param request the HTTP request
+	 * @return the {@link Saml2AuthenticationToken} authentication request
+	 * @throws Saml2AuthenticationException if the {@link RequestMatcher} specifies a
+	 * non-existent {@code registrationId}
+	 */
+	@Override
+	public Saml2AuthenticationToken convert(HttpServletRequest request) {
+		return this.delegate.convert(request);
+	}
+
+	/**
+	 * Use the given {@link Saml2AuthenticationRequestRepository} to load authentication
+	 * request.
+	 * @param authenticationRequestRepository the
+	 * {@link Saml2AuthenticationRequestRepository} to use
+	 */
+	public void setAuthenticationRequestRepository(
+			Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository) {
+		Assert.notNull(authenticationRequestRepository, "authenticationRequestRepository cannot be null");
+		this.delegate.setAuthenticationRequestRepository(authenticationRequestRepository);
+	}
+
+	/**
+	 * Use the given {@link RequestMatcher} to match the request.
+	 * @param requestMatcher the {@link RequestMatcher} to use
+	 */
+	public void setRequestMatcher(RequestMatcher requestMatcher) {
+		Assert.notNull(requestMatcher, "requestMatcher cannot be null");
+		this.delegate.setRequestMatcher(requestMatcher);
+	}
+
+}