root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 15 Packages Projects Releases Wiki Activity

Polish "Configure SAML 2.0 Service Provider via Metadata" 

See gh-23045
This commit is contained in:
Stephane Nicoll 2020-09-02 10:31:50 +02:00
parent 5187c01e39
commit 681abcc185
5 changed files with 27 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java
View File

@ -141,7 +141,7 @@ public class Saml2RelyingPartyProperties {
private String entityId;
/**
* Endpoint for discovery-based configuration.
* URI to the metadata endpoint for discovery-based configuration.
*/
private String metadataUri;

37
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
View File

@ -22,6 +22,7 @@ import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@ -37,6 +38,8 @@ import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
@ -67,26 +70,13 @@ class Saml2RelyingPartyRegistrationConfiguration {
}
private RelyingPartyRegistration asRegistration(String id, Registration properties) {
RelyingPartyRegistration.Builder builder;
boolean usingMetadata = StringUtils.hasText(properties.getIdentityprovider().getMetadataUri());
if (usingMetadata) {
builder = RelyingPartyRegistrations.fromMetadataLocation(properties.getIdentityprovider().getMetadataUri())
.registrationId(id);
}
else {
builder = RelyingPartyRegistration.withRegistrationId(id);
}
Builder builder = (usingMetadata) ? RelyingPartyRegistrations
.fromMetadataLocation(properties.getIdentityprovider().getMetadataUri()).registrationId(id)
: RelyingPartyRegistration.withRegistrationId(id);
builder.assertionConsumerServiceLocation(
"{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
Saml2RelyingPartyProperties.Identityprovider identityprovider = properties.getIdentityprovider();
PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
builder.assertingPartyDetails((details) -> {
map.from(identityprovider::getEntityId).to(details::entityId);
map.from(identityprovider.getSinglesignon()::getBinding).to(details::singleSignOnServiceBinding);
map.from(identityprovider.getSinglesignon()::getUrl).to(details::singleSignOnServiceLocation);
map.from(identityprovider.getSinglesignon()::isSignRequest).when((signRequest) -> !usingMetadata)
.to(details::wantAuthnRequestsSigned);
});
builder.assertingPartyDetails(mapIdentityProvider(properties, usingMetadata));
builder.signingX509Credentials((credentials) -> properties.getSigning().getCredentials().stream()
.map(this::asSigningCredential).forEach(credentials::add));
builder.assertingPartyDetails((details) -> details
@ -99,6 +89,19 @@ class Saml2RelyingPartyRegistrationConfiguration {
return registration;
}
private Consumer<AssertingPartyDetails.Builder> mapIdentityProvider(Registration properties,
boolean usingMetadata) {
PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
Saml2RelyingPartyProperties.Identityprovider identityprovider = properties.getIdentityprovider();
return (details) -> {
map.from(identityprovider::getEntityId).to(details::entityId);
map.from(identityprovider.getSinglesignon()::getBinding).to(details::singleSignOnServiceBinding);
map.from(identityprovider.getSinglesignon()::getUrl).to(details::singleSignOnServiceLocation);
map.from(identityprovider.getSinglesignon()::isSignRequest).when((signRequest) -> !usingMetadata)
.to(details::wantAuthnRequestsSigned);
};
}
private void validateSigningCredentials(Registration properties, boolean signRequest) {
if (signRequest) {
Assert.state(!properties.getSigning().getCredentials().isEmpty(),

7
spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
View File

@ -35,6 +35,7 @@ import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@ -122,7 +123,7 @@ class Saml2RelyingPartyAutoConfigurationTests {
try (MockWebServer server = new MockWebServer()) {
server.start();
String metadataUrl = server.url("").toString();
setupMockResponse(server);
setupMockResponse(server, new ClassPathResource("saml/idp-metadata"));
this.contextRunner.withPropertyValues(PREFIX + ".foo.identityprovider.metadata-uri=" + metadataUrl)
.run((context) -> {
assertThat(context).hasSingleBean(RelyingPartyRegistrationRepository.class);
@ -195,8 +196,8 @@ class Saml2RelyingPartyAutoConfigurationTests {
return filters.stream().anyMatch(filter::isInstance);
}
private void setupMockResponse(MockWebServer server) throws Exception {
try (InputStream metadataSource = new ClassPathResource("saml/idp-metadata").getInputStream()) {
private void setupMockResponse(MockWebServer server, Resource resourceBody) throws Exception {
try (InputStream metadataSource = resourceBody.getInputStream()) {
Buffer metadataBuffer = new Buffer().readFrom(metadataSource);
MockResponse metadataResponse = new MockResponse().setBody(metadataBuffer);
server.enqueue(metadataResponse);

2
spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyPropertiesTests.java
View File

@ -103,7 +103,7 @@ class Saml2RelyingPartyPropertiesTests {
}
@Test
void customizeIdentityProviderMetadataUrl() {
void customizeIdentityProviderMetadataUri() {
bind("spring.security.saml2.relyingparty.registration.simplesamlphp.identityprovider.metadata-uri",
"https://idp.example.org/metadata");
assertThat(this.properties.getRegistration().get("simplesamlphp").getIdentityprovider().getMetadataUri())

2
spring-boot-project/spring-boot-autoconfigure/src/test/resources/saml/idp-metadata
View File

@ -39,4 +39,4 @@
<md:ContactPerson contactType="technical">
<md:EmailAddress>mailto:technical.contact@example.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
</md:EntityDescriptor>