
Allow SAML 2.0 loginProcessingURL without registrationId

Closes gh-10176
Marcus Da Coregio 3 ani în urmă
f45b990b4b

+ 12 - 1
config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -167,10 +167,19 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		return this;
 	}
 
+	/**
+	 * Specifies the URL to validate the credentials. If specified a custom URL, consider
+	 * specifying a custom {@link AuthenticationConverter} via
+	 * {@link #authenticationConverter(AuthenticationConverter)}, since the default
+	 * {@link AuthenticationConverter} implementation relies on the
+	 * <code>{registrationId}</code> path variable to be present in the URL
+	 * @param loginProcessingUrl the URL to validate the credentials
+	 * @return the {@link Saml2LoginConfigurer} for additional customization
+	 * @see Saml2WebSsoAuthenticationFilter#DEFAULT_FILTER_PROCESSES_URI
+	 */
 	@Override
 	public Saml2LoginConfigurer<B> loginProcessingUrl(String loginProcessingUrl) {
 		Assert.hasText(loginProcessingUrl, "loginProcessingUrl cannot be empty");
-		Assert.state(loginProcessingUrl.contains("{registrationId}"), "{registrationId} path variable is required");
 		this.loginProcessingUrl = loginProcessingUrl;
 		return this;
 	}
@@ -249,6 +258,8 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 
 	private AuthenticationConverter getAuthenticationConverter(B http) {
 		if (this.authenticationConverter == null) {
+			Assert.state(this.loginProcessingUrl.contains("{registrationId}"),
+					"loginProcessingUrl must contain {registrationId} path variable");
 			return new Saml2AuthenticationTokenConverter(
 					new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository));
 		}
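Review bot: The new Javadoc on `loginProcessingUrl` reads awkwardly ("If specified a custom URL") and does not tell the reader that the `{registrationId}` requirement has not disappeared but moved: it is now enforced in `getAuthenticationConverter` only when no custom converter was supplied. I would reword the sentence to `If a custom URL is specified, consider also supplying a custom {@link AuthenticationConverter} via {@link #authenticationConverter(AuthenticationConverter)}; the default converter resolves the {@link RelyingPartyRegistration} from the <code>{registrationId}</code> path variable, and configuration fails if that variable is absent.` The `Assert.state` in the second hunk presumably only runs at build time, so a misconfiguration surfaces when the filter chain is assembled rather than at the first login request; mentioning that in the Javadoc would save a debugging round. Whether `this.loginProcessingUrl` can still be null at that point depends on its initializer, which is outside the hunk.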

+ 4 - 0
config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java


+ 6 - 8
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilter.java

@@ -63,23 +63,21 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
 			String filterProcessesUrl) {
 		this(new Saml2AuthenticationTokenConverter(
 				new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository)), filterProcessesUrl);
+		Assert.isTrue(filterProcessesUrl.contains("{registrationId}"),
+				"filterProcessesUrl must contain a {registrationId} match variable");
 	}
 
 	/**
 	 * Creates a {@link Saml2WebSsoAuthenticationFilter} given the provided parameters
 	 * @param authenticationConverter the strategy for converting an
 	 * {@link HttpServletRequest} into an {@link Authentication}
-	 * @param filterProcessingUrl the processing URL, must contain a {registrationId}
-	 * variable
+	 * @param filterProcessesUrl the processing URL
 	 * @since 5.4
 	 */
-	public Saml2WebSsoAuthenticationFilter(AuthenticationConverter authenticationConverter,
-			String filterProcessingUrl) {
-		super(filterProcessingUrl);
+	public Saml2WebSsoAuthenticationFilter(AuthenticationConverter authenticationConverter, String filterProcessesUrl) {
+		super(filterProcessesUrl);
 		Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
-		Assert.hasText(filterProcessingUrl, "filterProcessesUrl must contain a URL pattern");
-		Assert.isTrue(filterProcessingUrl.contains("{registrationId}"),
-				"filterProcessesUrl must contain a {registrationId} match variable");
+		Assert.hasText(filterProcessesUrl, "filterProcessesUrl must contain a URL pattern");
 		this.authenticationConverter = authenticationConverter;
 		setAllowSessionCreation(true);
 		setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
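Review bot: The rewritten `@param filterProcessesUrl the processing URL` on the converter-based constructor drops the contract that replaced the removed assertion: when the URL has no `{registrationId}` variable, the supplied `AuthenticationConverter` is the only thing left that can resolve the relying party registration. I would document that explicitly, e.g. `@param filterProcessesUrl the processing URL; when it does not contain {@code {registrationId}}, the given {@code authenticationConverter} must resolve the {@link RelyingPartyRegistration} by other means`. In the repository-based constructor the `Assert.isTrue` now runs after `this(...)`, so the filter is fully constructed before the check fails; a short comment such as `// the default converter resolves the registration from the {registrationId} path variable` would explain why this check lives here and not in the delegated constructor. The constructor body continues past the hunk.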

+ 8 - 1
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilterTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.web.authentication.AuthenticationConverter;
 
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.BDDMockito.given;
@@ -60,6 +61,12 @@ public class Saml2WebSsoAuthenticationFilterTests {
 		this.filter = new Saml2WebSsoAuthenticationFilter(this.repository, "/url/variable/is/present/{registrationId}");
 	}
 
+	@Test
+	public void constructingFilterWithMissingRegistrationIdVariableAndCustomAuthenticationConverterThenSucceeds() {
+		AuthenticationConverter authenticationConverter = mock(AuthenticationConverter.class);
+		this.filter = new Saml2WebSsoAuthenticationFilter(authenticationConverter, "/url/missing/variable");
+	}
+
 	@Test
 	public void requiresAuthenticationWhenHappyPathThenReturnsTrue() {
 		Assert.assertTrue(this.filter.requiresAuthentication(this.request, this.response));
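Review bot: `constructingFilterWithMissingRegistrationIdVariableAndCustomAuthenticationConverterThenSucceeds` has no assertion; it passes only because nothing is thrown, which a reader cannot tell apart from a forgotten check. Wrapping the call as `assertThatCode(() -> new Saml2WebSsoAuthenticationFilter(authenticationConverter, "/url/missing/variable")).doesNotThrowAnyException();` makes the intent explicit (the file already uses AssertJ). The commit relaxes a validation, so the counterpart is worth pinning too: a test that the repository-based constructor still rejects `"/url/missing/variable"` with `IllegalArgumentException`, since that constructor's default converter depends on the path variable. The hunk does not show whether such a test already exists elsewhere in the class.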
