Use OpenSAML API for web.authentication

Issue gh-11658

Author: jzheaux

saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle

@@ -31,6 +31,13 @@ sourceSets.configureEach { set ->
 		filter { line -> line.replaceAll(".saml2.internal", ".saml2.provider.service.web.authentication.logout") }
 		with from
 	}
+
+	copy {
+		into "$projectDir/src/$set.name/java/org/springframework/security/saml2/provider/service/web/authentication"
+		filter { line -> line.replaceAll(".saml2.internal", ".saml2.provider.service.web.authentication") }
+		with from
+	}
+
 }
 
 dependencies {

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java renamed to saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/BaseOpenSamlAuthenticationRequestResolver.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,19 +16,19 @@
 
 package org.springframework.security.saml2.provider.service.web.authentication;
 
-import java.nio.charset.StandardCharsets;
+import java.time.Clock;
+import java.time.Instant;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
-import java.util.function.BiConsumer;
+import java.util.function.Consumer;
 
 import jakarta.servlet.http.HttpServletRequest;
-import net.shibboleth.utilities.java.support.xml.SerializeSupport;
 import org.opensaml.core.config.ConfigurationService;
 import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
 import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.core.xml.io.MarshallingException;
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.saml2.core.Issuer;
 import org.opensaml.saml.saml2.core.NameID;
@@ -38,10 +38,8 @@
 import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
 import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
 import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;
-import org.w3c.dom.Element;
 
 import org.springframework.core.convert.converter.Converter;
-import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.core.OpenSamlInitializationService;
 import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
@@ -63,11 +61,14 @@
  * For internal use only. Intended for consolidating common behavior related to minting a
  * SAML 2.0 Authn Request.
  */
-class OpenSamlAuthenticationRequestResolver {
+class BaseOpenSamlAuthenticationRequestResolver implements Saml2AuthenticationRequestResolver {
 
 	static {
 		OpenSamlInitializationService.initialize();
 	}
+
+	private final OpenSamlOperations saml;
+
 	private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver;
 
 	private final AuthnRequestBuilder authnRequestBuilder;
@@ -84,15 +85,22 @@ class OpenSamlAuthenticationRequestResolver {
 			new AntPathRequestMatcher(Saml2AuthenticationRequestResolver.DEFAULT_AUTHENTICATION_REQUEST_URI),
 			new AntPathQueryRequestMatcher("/saml2/authenticate", "registrationId={registrationId}"));
 
+	private Clock clock = Clock.systemUTC();
+
 	private Converter<HttpServletRequest, String> relayStateResolver = (request) -> UUID.randomUUID().toString();
 
+	private Consumer<AuthnRequestParameters> parametersConsumer = (parameters) -> {
+	};
+
 	/**
-	 * Construct a {@link OpenSamlAuthenticationRequestResolver} using the provided
+	 * Construct a {@link BaseOpenSamlAuthenticationRequestResolver} using the provided
 	 * parameters
 	 * @param relyingPartyRegistrationResolver a strategy for resolving the
 	 * {@link RelyingPartyRegistration} from the {@link HttpServletRequest}
 	 */
-	OpenSamlAuthenticationRequestResolver(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
+	BaseOpenSamlAuthenticationRequestResolver(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver,
+			OpenSamlOperations saml) {
+		this.saml = saml;
 		Assert.notNull(relyingPartyRegistrationResolver, "relyingPartyRegistrationResolver cannot be null");
 		this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
 		XMLObjectProviderRegistry registry = ConfigurationService.get(XMLObjectProviderRegistry.class);
@@ -111,6 +119,10 @@ class OpenSamlAuthenticationRequestResolver {
 		Assert.notNull(this.nameIdPolicyBuilder, "nameIdPolicyBuilder must be configured in OpenSAML");
 	}
 
+	void setClock(Clock clock) {
+		this.clock = clock;
+	}
+
 	void setRelayStateResolver(Converter<HttpServletRequest, String> relayStateResolver) {
 		this.relayStateResolver = relayStateResolver;
 	}
@@ -119,13 +131,12 @@ void setRequestMatcher(RequestMatcher requestMatcher) {
 		this.requestMatcher = requestMatcher;
 	}
 
-	<T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest request) {
-		return resolve(request, (registration, logoutRequest) -> {
-		});
+	void setParametersConsumer(Consumer<AuthnRequestParameters> parametersConsumer) {
+		this.parametersConsumer = parametersConsumer;
 	}
 
-	<T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest request,
-			BiConsumer<RelyingPartyRegistration, AuthnRequest> authnRequestConsumer) {
+	@Override
+	public <T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest request) {
 		RequestMatcher.MatchResult result = this.requestMatcher.matcher(request);
 		if (!result.isMatch()) {
 			return null;
@@ -153,7 +164,8 @@ <T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest requ
 			nameIdPolicy.setFormat(registration.getNameIdFormat());
 			authnRequest.setNameIDPolicy(nameIdPolicy);
 		}
-		authnRequestConsumer.accept(registration, authnRequest);
+		authnRequest.setIssueInstant(Instant.now(this.clock));
+		this.parametersConsumer.accept(new AuthnRequestParameters(request, registration, authnRequest));
 		if (authnRequest.getID() == null) {
 			authnRequest.setID("ARQ" + UUID.randomUUID().toString().substring(1));
 		}
@@ -162,10 +174,12 @@ <T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest requ
 		if (binding == Saml2MessageBinding.POST) {
 			if (registration.getAssertingPartyMetadata().getWantAuthnRequestsSigned()
 					|| registration.isAuthnRequestsSigned()) {
-				OpenSamlSigningUtils.sign(authnRequest, registration);
+				this.saml.withSigningKeys(registration.getSigningX509Credentials())
+					.algorithms(registration.getAssertingPartyMetadata().getSigningAlgorithms())
+					.sign(authnRequest);
 			}
 			String xml = serialize(authnRequest);
-			String encoded = Saml2Utils.samlEncode(xml.getBytes(StandardCharsets.UTF_8));
+			String encoded = Saml2Utils.withDecoded(xml).encode();
 			return (T) Saml2PostAuthenticationRequest.withRelyingPartyRegistration(registration)
 				.samlRequest(encoded)
 				.relayState(relayState)
@@ -174,35 +188,31 @@ <T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest requ
 		}
 		else {
 			String xml = serialize(authnRequest);
-			String deflatedAndEncoded = Saml2Utils.samlEncode(Saml2Utils.samlDeflate(xml));
+			String deflatedAndEncoded = Saml2Utils.withDecoded(xml).deflate(true).encode();
 			Saml2RedirectAuthenticationRequest.Builder builder = Saml2RedirectAuthenticationRequest
 				.withRelyingPartyRegistration(registration)
 				.samlRequest(deflatedAndEncoded)
 				.relayState(relayState)
 				.id(authnRequest.getID());
 			if (registration.getAssertingPartyMetadata().getWantAuthnRequestsSigned()
 					|| registration.isAuthnRequestsSigned()) {
-				OpenSamlSigningUtils.QueryParametersPartial parametersPartial = OpenSamlSigningUtils.sign(registration)
-					.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded);
+				Map<String, String> signingParameters = new HashMap<>();
+				signingParameters.put(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded);
 				if (relayState != null) {
-					parametersPartial = parametersPartial.param(Saml2ParameterNames.RELAY_STATE, relayState);
+					signingParameters.put(Saml2ParameterNames.RELAY_STATE, relayState);
 				}
-				Map<String, String> parameters = parametersPartial.parameters();
-				builder.sigAlg(parameters.get(Saml2ParameterNames.SIG_ALG))
-					.signature(parameters.get(Saml2ParameterNames.SIGNATURE));
+				Map<String, String> query = this.saml.withSigningKeys(registration.getSigningX509Credentials())
+					.algorithms(registration.getAssertingPartyMetadata().getSigningAlgorithms())
+					.sign(signingParameters);
+				builder.sigAlg(query.get(Saml2ParameterNames.SIG_ALG))
+					.signature(query.get(Saml2ParameterNames.SIGNATURE));
 			}
 			return (T) builder.build();
 		}
 	}
 
 	private String serialize(AuthnRequest authnRequest) {
-		try {
-			Element element = this.marshaller.marshall(authnRequest);
-			return SerializeSupport.nodeToString(element);
-		}
-		catch (MarshallingException ex) {
-			throw new Saml2Exception(ex);
-		}
+		return this.saml.serialize(authnRequest).serialize();
 	}
 
 	private static final class AntPathQueryRequestMatcher implements RequestMatcher {
@@ -236,4 +246,33 @@ public MatchResult matcher(HttpServletRequest request) {
 
 	}
 
+	static final class AuthnRequestParameters {
+
+		private final HttpServletRequest request;
+
+		private final RelyingPartyRegistration registration;
+
+		private final AuthnRequest authnRequest;
+
+		AuthnRequestParameters(HttpServletRequest request, RelyingPartyRegistration registration,
+				AuthnRequest authnRequest) {
+			this.request = request;
+			this.registration = registration;
+			this.authnRequest = authnRequest;
+		}
+
+		HttpServletRequest getRequest() {
+			return this.request;
+		}
+
+		RelyingPartyRegistration getRelyingPartyRegistration() {
+			return this.registration;
+		}
+
+		AuthnRequest getAuthnRequest() {
+			return this.authnRequest;
+		}
+
+	}
+
 }

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolver.java

@@ -40,7 +40,7 @@
  */
 public final class OpenSaml4AuthenticationRequestResolver implements Saml2AuthenticationRequestResolver {
 
-	private final OpenSamlAuthenticationRequestResolver authnRequestResolver;
+	private final BaseOpenSamlAuthenticationRequestResolver delegate;
 
 	private Consumer<AuthnRequestContext> contextConsumer = (parameters) -> {
 	};
@@ -53,27 +53,25 @@ public final class OpenSaml4AuthenticationRequestResolver implements Saml2Authen
 	 * @since 6.1
 	 */
 	public OpenSaml4AuthenticationRequestResolver(RelyingPartyRegistrationRepository registrations) {
-		this.authnRequestResolver = new OpenSamlAuthenticationRequestResolver((request, id) -> {
+		this.delegate = new BaseOpenSamlAuthenticationRequestResolver((request, id) -> {
 			if (id == null) {
 				return null;
 			}
 			return registrations.findByRegistrationId(id);
-		});
+		}, new OpenSaml4Template());
 	}
 
 	/**
 	 * Construct a {@link OpenSaml4AuthenticationRequestResolver}
 	 */
 	public OpenSaml4AuthenticationRequestResolver(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
-		this.authnRequestResolver = new OpenSamlAuthenticationRequestResolver(relyingPartyRegistrationResolver);
+		this.delegate = new BaseOpenSamlAuthenticationRequestResolver(relyingPartyRegistrationResolver,
+				new OpenSaml4Template());
 	}
 
 	@Override
 	public <T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest request) {
-		return this.authnRequestResolver.resolve(request, (registration, authnRequest) -> {
-			authnRequest.setIssueInstant(Instant.now(this.clock));
-			this.contextConsumer.accept(new AuthnRequestContext(request, registration, authnRequest));
-		});
+		return this.delegate.resolve(request);
 	}
 
 	/**
@@ -82,20 +80,22 @@ public <T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletReque
 	 */
 	public void setAuthnRequestCustomizer(Consumer<AuthnRequestContext> contextConsumer) {
 		Assert.notNull(contextConsumer, "contextConsumer cannot be null");
-		this.contextConsumer = contextConsumer;
+		this.delegate.setParametersConsumer(
+				(parameters) -> contextConsumer.accept(new AuthnRequestContext(parameters.getRequest(),
+						parameters.getRelyingPartyRegistration(), parameters.getAuthnRequest())));
 	}
 
 	/**
 	 * Set the {@link RequestMatcher} to use for setting the
-	 * {@link OpenSamlAuthenticationRequestResolver#setRequestMatcher(RequestMatcher)}
+	 * {@link BaseOpenSamlAuthenticationRequestResolver#setRequestMatcher(RequestMatcher)}
 	 * (RequestMatcher)}
 	 * @param requestMatcher the {@link RequestMatcher} to identify authentication
 	 * requests.
 	 * @since 5.8
 	 */
 	public void setRequestMatcher(RequestMatcher requestMatcher) {
 		Assert.notNull(requestMatcher, "requestMatcher cannot be null");
-		this.authnRequestResolver.setRequestMatcher(requestMatcher);
+		this.delegate.setRequestMatcher(requestMatcher);
 	}
 
 	/**
@@ -114,7 +114,7 @@ public void setClock(Clock clock) {
 	 */
 	public void setRelayStateResolver(Converter<HttpServletRequest, String> relayStateResolver) {
 		Assert.notNull(relayStateResolver, "relayStateResolver cannot be null");
-		this.authnRequestResolver.setRelayStateResolver(relayStateResolver);
+		this.delegate.setRelayStateResolver(relayStateResolver);
 	}
 
 	public static final class AuthnRequestContext {