root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch '6.3.x' into 6.4.x 

Closes gh-17008
This commit is contained in:
Josh Cummings 2025-04-28 11:18:46 -06:00
parent e6957bb854 5354e4d2c5
commit ce000ed190
No known key found for this signature in database
GPG Key ID: 869B37A20E876129
2 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/BaseOpenSamlAuthenticationProvider.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2024 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -160,7 +160,7 @@ class BaseOpenSamlAuthenticationProvider implements AuthenticationProvider {
String inResponseTo = response.getInResponseTo(); String inResponseTo = response.getInResponseTo();
result = result.concat(validateInResponseTo(token.getAuthenticationRequest(), inResponseTo)); result = result.concat(validateInResponseTo(token.getAuthenticationRequest(), inResponseTo));
String issuer = response.getIssuer().getValue(); String issuer = issuer(response);
String destination = response.getDestination(); String destination = response.getDestination();
String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation(); String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
if (StringUtils.hasText(destination) && !destination.equals(location)) { if (StringUtils.hasText(destination) && !destination.equals(location)) {
@ -183,6 +183,13 @@ class BaseOpenSamlAuthenticationProvider implements AuthenticationProvider {
}; };
} }
private static String issuer(Response response) {
if (response.getIssuer() == null) {
return null;
}
return response.getIssuer().getValue();
}
private static List<String> getStatusCodes(Response response) { private static List<String> getStatusCodes(Response response) {
if (response.getStatus() == null) { if (response.getStatus() == null) {
return List.of(StatusCode.SUCCESS); return List.of(StatusCode.SUCCESS);
@ -308,7 +315,7 @@ class BaseOpenSamlAuthenticationProvider implements AuthenticationProvider {
} }
private void process(Saml2AuthenticationToken token, Response response) { private void process(Saml2AuthenticationToken token, Response response) {
String issuer = response.getIssuer().getValue(); String issuer = issuer(response);
this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer)); this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
boolean responseSigned = response.isSigned(); boolean responseSigned = response.isSigned();

9
saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
View File

@ -889,6 +889,15 @@ public class OpenSaml4AuthenticationProviderTests {
provider.authenticate(token); provider.authenticate(token);
} }
// gh-16989
@Test
public void authenticateWhenNullIssuerThenNoNullPointer() {
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
Response response = TestOpenSamlObjects.signedResponseWithOneAssertion((r) -> r.setIssuer(null));
Saml2AuthenticationToken token = token(response, verifying(registration()));
assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token));
}
private <T extends XMLObject> T build(QName qName) { private <T extends XMLObject> T build(QName qName) {
return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName); return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName);
} }