3 سال پیش · 6c16ac101a
--- a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
@@ -262,7 +262,7 @@ final class AuthenticationConfigBuilder {
 
				 		createX509Filter(authenticationManager);
			
 
				 		createJeeFilter(authenticationManager);
			
 
				 		createLogoutFilter(authenticationFilterSecurityContextHolderStrategyRef);
			
 
				-		createSaml2LogoutFilter();
			
 
				+		createSaml2LogoutFilter(authenticationFilterSecurityContextHolderStrategyRef);
			
 
				 		createLoginPageFilterIfNeeded();
			
 
				 		createUserDetailsServiceFactory();
			
 
				 		createExceptionTranslationFilter(authenticationFilterSecurityContextHolderStrategyRef);
			
@@ -763,13 +763,13 @@ final class AuthenticationConfigBuilder {
 
				 		}
			
 
				 	}
			
 
				 
			
 
				-	private void createSaml2LogoutFilter() {
			
 
				+	private void createSaml2LogoutFilter(BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef) {
			
 
				 		Element saml2LogoutElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.SAML2_LOGOUT);
			
 
				 		if (saml2LogoutElt == null) {
			
 
				 			return;
			
 
				 		}
			
 
				 		Saml2LogoutBeanDefinitionParser parser = new Saml2LogoutBeanDefinitionParser(this.logoutHandlers,
			
 
				-				this.logoutSuccessHandler);
			
 
				+				this.logoutSuccessHandler, authenticationFilterSecurityContextHolderStrategyRef);
			
 
				 		parser.parse(saml2LogoutElt, this.pc);
			
 
				 		BeanDefinition saml2LogoutFilter = parser.getLogoutFilter();
			
 
				 		BeanDefinition saml2LogoutRequestFilter = parser.getLogoutRequestFilter();
			
--- a/config/src/main/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParser.java
@@ -78,10 +78,14 @@ final class Saml2LogoutBeanDefinitionParser implements BeanDefinitionParser {
 
				 
			
 
				 	private BeanDefinition logoutFilter;
			
 
				 
			
 
				+	private BeanMetadataElement authenticationFilterSecurityContextHolderStrategy;
			
 
				+
			
 
				 	Saml2LogoutBeanDefinitionParser(ManagedList<BeanMetadataElement> logoutHandlers,
			
 
				-			BeanMetadataElement logoutSuccessHandler) {
			
 
				+			BeanMetadataElement logoutSuccessHandler,
			
 
				+			BeanMetadataElement authenticationFilterSecurityContextHolderStrategy) {
			
 
				 		this.logoutHandlers = logoutHandlers;
			
 
				 		this.logoutSuccessHandler = logoutSuccessHandler;
			
 
				+		this.authenticationFilterSecurityContextHolderStrategy = authenticationFilterSecurityContextHolderStrategy;
			
 
				 	}
			
 
				 
			
 
				 	@Override
			
@@ -120,7 +124,10 @@ final class Saml2LogoutBeanDefinitionParser implements BeanDefinitionParser {
 
				 		this.logoutRequestFilter = BeanDefinitionBuilder.rootBeanDefinition(Saml2LogoutRequestFilter.class)
			
 
				 				.addConstructorArgValue(registrations).addConstructorArgValue(logoutRequestValidator)
			
 
				 				.addConstructorArgValue(logoutResponseResolver).addConstructorArgValue(this.logoutHandlers)
			
 
				-				.addPropertyValue("logoutRequestMatcher", logoutRequestMatcher).getBeanDefinition();
			
 
				+				.addPropertyValue("logoutRequestMatcher", logoutRequestMatcher)
			
 
				+				.addPropertyValue("securityContextHolderStrategy",
			
 
				+						this.authenticationFilterSecurityContextHolderStrategy)
			
 
				+				.getBeanDefinition();
			
 
				 		BeanMetadataElement logoutResponseValidator = Saml2LogoutBeanDefinitionParserUtils
			
 
				 				.getLogoutResponseValidator(element);
			
 
				 		BeanMetadataElement logoutRequestRepository = Saml2LogoutBeanDefinitionParserUtils
			
--- a/config/src/test/java/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests.java
@@ -33,6 +33,7 @@ import org.springframework.security.config.test.SpringTestContext;
 
				 import org.springframework.security.config.test.SpringTestContextExtension;
			
 
				 import org.springframework.security.core.Authentication;
			
 
				 import org.springframework.security.core.AuthenticationException;
			
 
				+import org.springframework.security.core.context.SecurityContextHolderStrategy;
			
 
				 import org.springframework.security.saml2.core.Saml2ParameterNames;
			
 
				 import org.springframework.security.saml2.core.Saml2Utils;
			
 
				 import org.springframework.security.saml2.core.TestSaml2X509Credentials;
			
@@ -63,6 +64,7 @@ import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
				 import static org.mockito.ArgumentMatchers.any;
			
 
				 import static org.mockito.ArgumentMatchers.anyString;
			
 
				 import static org.mockito.BDDMockito.given;
			
 
				+import static org.mockito.Mockito.atLeastOnce;
			
 
				 import static org.mockito.Mockito.mock;
			
 
				 import static org.mockito.Mockito.verify;
			
 
				 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
			
@@ -180,6 +182,23 @@ public class Saml2LoginBeanDefinitionParserTests {
 
				 		assertThat(authentication.getPrincipal()).isInstanceOf(Saml2AuthenticatedPrincipal.class);
			
 
				 	}
			
 
				 
			
 
				+	@Test
			
 
				+	public void authenticateWhenCustomSecurityContextHolderStrategyThenUses() throws Exception {
			
 
				+		this.spring.configLocations(this.xml("WithCustomSecurityContextHolderStrategy")).autowire();
			
 
				+		RelyingPartyRegistration relyingPartyRegistration = relyingPartyRegistrationWithVerifyingCredential();
			
 
				+		// @formatter:off
			
 
				+		this.mvc.perform(post("/login/saml2/sso/" + relyingPartyRegistration.getRegistrationId()).param(Saml2ParameterNames.SAML_RESPONSE, SIGNED_RESPONSE))
			
 
				+				.andDo(MockMvcResultHandlers.print())
			
 
				+				.andExpect(status().is2xxSuccessful());
			
 
				+		// @formatter:on
			
 
				+		ArgumentCaptor<Authentication> authenticationCaptor = ArgumentCaptor.forClass(Authentication.class);
			
 
				+		verify(this.authenticationSuccessHandler).onAuthenticationSuccess(any(), any(), authenticationCaptor.capture());
			
 
				+		Authentication authentication = authenticationCaptor.getValue();
			
 
				+		assertThat(authentication.getPrincipal()).isInstanceOf(Saml2AuthenticatedPrincipal.class);
			
 
				+		SecurityContextHolderStrategy strategy = this.spring.getContext().getBean(SecurityContextHolderStrategy.class);
			
 
				+		verify(strategy, atLeastOnce()).getContext();
			
 
				+	}
			
 
				+
			
 
				 	@Test
			
 
				 	public void authenticateWhenAuthenticationResponseValidThenAuthenticationSuccessEventPublished() throws Exception {
			
 
				 		this.spring.configLocations(this.xml("WithCustomRelyingPartyRepository")).autowire();
			
--- a/config/src/test/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests.java
@@ -35,6 +35,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
 
				 import org.springframework.security.config.test.SpringTestContext;
			
 
				 import org.springframework.security.config.test.SpringTestContextExtension;
			
 
				 import org.springframework.security.core.authority.AuthorityUtils;
			
 
				+import org.springframework.security.core.context.SecurityContextHolderStrategy;
			
 
				 import org.springframework.security.saml2.core.Saml2Utils;
			
 
				 import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
			
 
				 import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
			
@@ -63,6 +64,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 
				 import static org.hamcrest.Matchers.containsString;
			
 
				 import static org.mockito.ArgumentMatchers.any;
			
 
				 import static org.mockito.BDDMockito.given;
			
 
				+import static org.mockito.Mockito.atLeastOnce;
			
 
				 import static org.mockito.Mockito.verify;
			
 
				 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
			
 
				 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
			
@@ -233,6 +235,23 @@ public class Saml2LogoutBeanDefinitionParserTests {
 
				 		assertThat(location).startsWith("https://ap.example.org/logout/saml2/response");
			
 
				 	}
			
 
				 
			
 
				+	@Test
			
 
				+	public void saml2LogoutRequestWhenCustomSecurityContextHolderStrategyThenUses() throws Exception {
			
 
				+		this.spring.configLocations(this.xml("WithSecurityContextHolderStrategy")).autowire();
			
 
				+		DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal("user",
			
 
				+				Collections.emptyMap());
			
 
				+		principal.setRelyingPartyRegistrationId("get");
			
 
				+		Saml2Authentication user = new Saml2Authentication(principal, "response",
			
 
				+				AuthorityUtils.createAuthorityList("ROLE_USER"));
			
 
				+		MvcResult result = this.mvc.perform(get("/logout/saml2/slo").param("SAMLRequest", this.apLogoutRequest)
			
 
				+				.param("RelayState", this.apLogoutRequestRelayState).param("SigAlg", this.apLogoutRequestSigAlg)
			
 
				+				.param("Signature", this.apLogoutRequestSignature).with(samlQueryString()).with(authentication(user)))
			
 
				+				.andExpect(status().isFound()).andReturn();
			
 
				+		String location = result.getResponse().getHeader("Location");
			
 
				+		assertThat(location).startsWith("https://ap.example.org/logout/saml2/response");
			
 
				+		verify(getBean(SecurityContextHolderStrategy.class), atLeastOnce()).getContext();
			
 
				+	}
			
 
				+
			
 
				 	@Test
			
 
				 	public void saml2LogoutRequestWhenNoRegistrationThen400() throws Exception {
			
 
				 		this.spring.configLocations(this.xml("Default")).autowire();
			
--- a/config/src/test/resources/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests-WithCustomSecurityContextHolderStrategy.xml
+++ b/config/src/test/resources/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests-WithCustomSecurityContextHolderStrategy.xml
@@ -0,0 +1,49 @@
 
				+<?xml version="1.0" encoding="UTF-8"?>
			
 
				+<!--
			
 
				+  ~ Copyright 2002-2021 the original author or authors.
			
 
				+  ~
			
 
				+  ~ Licensed under the Apache License, Version 2.0 (the "License");
			
 
				+  ~ you may not use this file except in compliance with the License.
			
 
				+  ~ You may obtain a copy of the License at
			
 
				+  ~
			
 
				+  ~       https://www.apache.org/licenses/LICENSE-2.0
			
 
				+  ~
			
 
				+  ~ Unless required by applicable law or agreed to in writing, software
			
 
				+  ~ distributed under the License is distributed on an "AS IS" BASIS,
			
 
				+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			
 
				+  ~ See the License for the specific language governing permissions and
			
 
				+  ~ limitations under the License.
			
 
				+  -->
			
 
				+
			
 
				+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
			
 
				+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
			
 
				+		 xmlns="http://www.springframework.org/schema/security"
			
 
				+		 xsi:schemaLocation="
			
 
				+			http://www.springframework.org/schema/security
			
 
				+			https://www.springframework.org/schema/security/spring-security.xsd
			
 
				+			http://www.springframework.org/schema/beans
			
 
				+			https://www.springframework.org/schema/beans/spring-beans.xsd">
			
 
				+
			
 
				+	<http auto-config="true" security-context-holder-strategy-ref="ref">
			
 
				+		<intercept-url pattern="/**" access="authenticated"/>
			
 
				+		<saml2-login authentication-success-handler-ref="authenticationSuccessHandler" relying-party-registration-repository-ref="relyingPartyRegistrationRepository"/>
			
 
				+	</http>
			
 
				+
			
 
				+	<b:bean id="ref" class="org.mockito.Mockito" factory-method="spy">
			
 
				+		<b:constructor-arg>
			
 
				+			<b:bean class="org.springframework.security.config.MockSecurityContextHolderStrategy"/>
			
 
				+		</b:constructor-arg>
			
 
				+	</b:bean>
			
 
				+
			
 
				+	<b:bean id="authenticationSuccessListener" class="org.mockito.Mockito" factory-method="mock">
			
 
				+		<b:constructor-arg value="org.springframework.context.ApplicationListener"/>
			
 
				+	</b:bean>
			
 
				+	<b:bean id="authenticationSuccessHandler" class="org.mockito.Mockito" factory-method="mock">
			
 
				+		<b:constructor-arg value="org.springframework.security.web.authentication.AuthenticationSuccessHandler"/>
			
 
				+	</b:bean>
			
 
				+	<b:bean id="relyingPartyRegistrationRepository" class="org.mockito.Mockito" factory-method="mock">
			
 
				+		<b:constructor-arg value="org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository"/>
			
 
				+	</b:bean>
			
 
				+
			
 
				+	<b:import resource="userservice.xml"/>
			
 
				+</b:beans>
			
--- a/config/src/test/resources/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests-WithSecurityContextHolderStrategy.xml
+++ b/config/src/test/resources/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests-WithSecurityContextHolderStrategy.xml
@@ -0,0 +1,41 @@
 
				+<?xml version="1.0" encoding="UTF-8"?>
			
 
				+<!--
			
 
				+  ~ Copyright 2002-2022 the original author or authors.
			
 
				+  ~
			
 
				+  ~ Licensed under the Apache License, Version 2.0 (the "License");
			
 
				+  ~ you may not use this file except in compliance with the License.
			
 
				+  ~ You may obtain a copy of the License at
			
 
				+  ~
			
 
				+  ~       https://www.apache.org/licenses/LICENSE-2.0
			
 
				+  ~
			
 
				+  ~ Unless required by applicable law or agreed to in writing, software
			
 
				+  ~ distributed under the License is distributed on an "AS IS" BASIS,
			
 
				+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			
 
				+  ~ See the License for the specific language governing permissions and
			
 
				+  ~ limitations under the License.
			
 
				+  -->
			
 
				+
			
 
				+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
			
 
				+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
			
 
				+		xmlns="http://www.springframework.org/schema/security"
			
 
				+		xsi:schemaLocation="
			
 
				+			http://www.springframework.org/schema/security
			
 
				+			https://www.springframework.org/schema/security/spring-security.xsd
			
 
				+			http://www.springframework.org/schema/beans
			
 
				+			https://www.springframework.org/schema/beans/spring-beans.xsd">
			
 
				+
			
 
				+	<http auto-config="true" security-context-holder-strategy-ref="ref">
			
 
				+		<intercept-url pattern="/**" access="authenticated"/>
			
 
				+		<saml2-login/>
			
 
				+		<saml2-logout/>
			
 
				+	</http>
			
 
				+
			
 
				+	<b:bean id="ref" class="org.mockito.Mockito" factory-method="spy">
			
 
				+		<b:constructor-arg>
			
 
				+			<b:bean class="org.springframework.security.config.MockSecurityContextHolderStrategy"/>
			
 
				+		</b:constructor-arg>
			
 
				+	</b:bean>
			
 
				+
			
 
				+	<b:import resource="userservice.xml"/>
			
 
				+	<b:import resource="../saml2/logout-registrations.xml"/>
			
 
				+</b:beans>