root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 5 Packages Projects Releases Wiki Activity

Saml2WebSsoAuthenticationFilter adds authentication details 

Closes gh-7722
This commit is contained in:
Daniel Garnier-Moiroux 2021-09-21 14:57:20 +02:00 committed by Marcus Hert Da Coregio
parent 84d173c310
commit 2fb8e66bc8
4 changed files with 64 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilter.java
View File

@ -19,6 +19,7 @@ package org.springframework.security.saml2.provider.service.servlet.filter;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml2.core.Saml2Error; import org.springframework.security.saml2.core.Saml2Error;
@ -109,6 +110,7 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
"No relying party registration found"); "No relying party registration found");
throw new Saml2AuthenticationException(saml2Error); throw new Saml2AuthenticationException(saml2Error);
} }
setDetails(request, authentication);
this.authenticationRequestRepository.removeAuthenticationRequest(request, response); this.authenticationRequestRepository.removeAuthenticationRequest(request, response);
return getAuthenticationManager().authenticate(authentication); return getAuthenticationManager().authenticate(authentication);
} }
@ -138,4 +140,11 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
} }
} }
private void setDetails(HttpServletRequest request, Authentication authentication) {
if (AbstractAuthenticationToken.class.isAssignableFrom(authentication.getClass())) {
Object details = this.authenticationDetailsSource.buildDetails(request);
((AbstractAuthenticationToken) authentication).setDetails(details);
}
}
} }

7
saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
View File

@ -446,7 +446,12 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
String serializedResponse = token.getSaml2Response(); String serializedResponse = token.getSaml2Response();
Response response = parse(serializedResponse); Response response = parse(serializedResponse);
process(token, response); process(token, response);
return this.responseAuthenticationConverter.convert(new ResponseToken(response, token)); AbstractAuthenticationToken authenticationResponse = this.responseAuthenticationConverter
.convert(new ResponseToken(response, token));
if (authenticationResponse != null) {
authenticationResponse.setDetails(authentication.getDetails());
}
return authenticationResponse;
} }
catch (Saml2AuthenticationException ex) { catch (Saml2AuthenticationException ex) {
throw ex; throw ex;

15
saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
View File

@ -352,6 +352,21 @@ public class OpenSaml4AuthenticationProviderTests {
.satisfies(errorOf(Saml2ErrorCodes.DECRYPTION_ERROR, "Failed to decrypt EncryptedData")); .satisfies(errorOf(Saml2ErrorCodes.DECRYPTION_ERROR, "Failed to decrypt EncryptedData"));
} }
@Test
public void authenticateWhenAuthenticationHasDetailsThenSucceeds() {
Response response = response();
Assertion assertion = assertion();
assertion.getSubject().getSubjectConfirmations()
.forEach((sc) -> sc.getSubjectConfirmationData().setAddress("10.10.10.10"));
TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
RELYING_PARTY_ENTITY_ID);
response.getAssertions().add(assertion);
Saml2AuthenticationToken token = token(response, verifying(registration()));
token.setDetails("some-details");
Authentication authentication = this.provider.authenticate(token);
assertThat(authentication.getDetails()).isEqualTo("some-details");
}
@Test @Test
public void writeObjectWhenTypeIsSaml2AuthenticationThenNoException() throws IOException { public void writeObjectWhenTypeIsSaml2AuthenticationThenNoException() throws IOException {
Response response = response(); Response response = response();

34
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilterTests.java
View File

@ -25,12 +25,14 @@ import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.saml2.core.Saml2ParameterNames; import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest; import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException; import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
import org.springframework.security.saml2.provider.service.authentication.TestSaml2AuthenticationTokens; import org.springframework.security.saml2.provider.service.authentication.TestSaml2AuthenticationTokens;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
@ -40,11 +42,13 @@ import org.springframework.security.saml2.provider.service.web.DefaultRelyingPar
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver; import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter; import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.assertThatNoException;
import static org.mockito.BDDMockito.given; import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
@ -119,6 +123,36 @@ public class Saml2WebSsoAuthenticationFilterTests {
verify(authenticationRequestRepository).removeAuthenticationRequest(this.request, this.response); verify(authenticationRequestRepository).removeAuthenticationRequest(this.request, this.response);
} }
@Test
public void attemptAuthenticationAddsDetails() {
AuthenticationConverter authenticationConverter = mock(AuthenticationConverter.class);
final Saml2AuthenticationToken token = TestSaml2AuthenticationTokens.token();
given(authenticationConverter.convert(this.request)).willReturn(token);
final AuthenticationDetailsSource authenticationDetailsSource = mock(AuthenticationDetailsSource.class);
final WebAuthenticationDetails details = mock(WebAuthenticationDetails.class);
given(authenticationDetailsSource.buildDetails(this.request)).willReturn(details);
this.filter = new Saml2WebSsoAuthenticationFilter(authenticationConverter, "/some/other/path/{registrationId}");
this.filter.setAuthenticationManager((authentication) -> null);
this.filter.setAuthenticationDetailsSource(authenticationDetailsSource);
this.request.setPathInfo("/some/other/path/idp-registration-id");
this.filter.attemptAuthentication(this.request, this.response);
Assertions.assertEquals(details, token.getDetails());
}
@Test
public void attemptAuthenticationWhenAuthenticationNotAbstractAuthenticationTokenDoesNotAddDetails() {
AuthenticationConverter authenticationConverter = mock(AuthenticationConverter.class);
final Authentication authenticationWithoutDetails = mock(Authentication.class);
given(authenticationConverter.convert(this.request)).willReturn(authenticationWithoutDetails);
final AuthenticationDetailsSource authenticationDetailsSource = mock(AuthenticationDetailsSource.class);
this.filter = new Saml2WebSsoAuthenticationFilter(authenticationConverter, "/some/other/path/{registrationId}");
this.filter.setAuthenticationManager((authentication) -> null);
this.filter.setAuthenticationDetailsSource(authenticationDetailsSource);
this.request.setPathInfo("/some/other/path/idp-registration-id");
assertThatNoException().isThrownBy(() -> this.filter.attemptAuthentication(this.request, this.response));
verifyNoInteractions(authenticationDetailsSource);
}
@Test @Test
public void setAuthenticationRequestRepositoryWhenNullThenThrowsIllegalArgument() { public void setAuthenticationRequestRepositoryWhenNullThenThrowsIllegalArgument() {
assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setAuthenticationRequestRepository(null)) assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setAuthenticationRequestRepository(null))