3 månader sedan · 5354e4d2c5
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
@@ -1,5 +1,5 @@
 
				 /*
			
 
				- * Copyright 2002-2024 the original author or authors.
			
 
				+ * Copyright 2002-2025 the original author or authors.
			
 
				  *
			
 
				  * Licensed under the Apache License, Version 2.0 (the "License");
			
 
				  * you may not use this file except in compliance with the License.
			
@@ -391,7 +391,7 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
 
				 			String inResponseTo = response.getInResponseTo();
			
 
				 			result = result.concat(validateInResponseTo(token.getAuthenticationRequest(), inResponseTo));
			
 
				 
			
 
				-			String issuer = response.getIssuer().getValue();
			
 
				+			String issuer = issuer(response);
			
 
				 			String destination = response.getDestination();
			
 
				 			String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
			
 
				 			if (StringUtils.hasText(destination) && !destination.equals(location)) {
			
@@ -414,6 +414,13 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
 
				 		};
			
 
				 	}
			
 
				 
			
 
				+	private static String issuer(Response response) {
			
 
				+		if (response.getIssuer() == null) {
			
 
				+			return null;
			
 
				+		}
			
 
				+		return response.getIssuer().getValue();
			
 
				+	}
			
 
				+
			
 
				 	private static List<String> getStatusCodes(Response response) {
			
 
				 		if (response.getStatus() == null) {
			
 
				 			return List.of(StatusCode.SUCCESS);
			
@@ -576,7 +583,7 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
 
				 	}
			
 
				 
			
 
				 	private void process(Saml2AuthenticationToken token, Response response) {
			
 
				-		String issuer = response.getIssuer().getValue();
			
 
				+		String issuer = issuer(response);
			
 
				 		this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
			
 
				 		boolean responseSigned = response.isSigned();
			
 
				 
			
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
@@ -1,5 +1,5 @@
 
				 /*
			
 
				- * Copyright 2002-2024 the original author or authors.
			
 
				+ * Copyright 2002-2025 the original author or authors.
			
 
				  *
			
 
				  * Licensed under the Apache License, Version 2.0 (the "License");
			
 
				  * you may not use this file except in compliance with the License.
			
@@ -861,6 +861,15 @@ public class OpenSaml4AuthenticationProviderTests {
 
				 		provider.authenticate(token);
			
 
				 	}
			
 
				 
			
 
				+	// gh-16989
			
 
				+	@Test
			
 
				+	public void authenticateWhenNullIssuerThenNoNullPointer() {
			
 
				+		OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
			
 
				+		Response response = TestOpenSamlObjects.signedResponseWithOneAssertion((r) -> r.setIssuer(null));
			
 
				+		Saml2AuthenticationToken token = token(response, verifying(registration()));
			
 
				+		assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token));
			
 
				+	}
			
 
				+
			
 
				 	private <T extends XMLObject> T build(QName qName) {
			
 
				 		return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName);
			
 
				 	}