Inicio Explorar Axuda
Rexistro Iniciar sesión
github
/
spring-security
réplica de https://github.com/spring-projects/spring-security
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: 40a18fe63c
Ramas Etiquetas
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
migration-7
/
saml2.adoc

saml2.adoc 6.3 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165 
  1. = Saml 2.0 Migrations
    2. 

  2. 

  3. == Continue Filter Chain When No Relying Party Found
    4. 

  4. 

  5. In Spring Security 6, `Saml2WebSsoAuthenticationFilter` throws an exception when the request URI matches, but no relying party registration is found.
    6. 

  6. 

  7. There are a number of cases when an application would not consider this an error situation.
    8. 

  8. For example, this filter doesn't know how the `AuthorizationFilter` will respond to a missing relying party.
    9. 

  9. In some cases it may be allowable.
    10. 

  10. 

  11. In other cases, you may want your `AuthenticationEntryPoint` to be invoked, which would happen if this filter were to allow the request to continue to the `AuthorizationFilter`.
    12. 

  12. 

  13. To improve this filter's flexibility, in Spring Security 7 it will continue the filter chain when there is no relying party registration found instead of throwing an exception.
    14. 

  14. 

  15. For many applications, the only notable change will be that your `authenticationEntryPoint` will be invoked if the relying party registration cannot be found.
    16. 

  16. When you have only one asserting party, this means by default a new authentication request will be built and sent back to the asserting party, which may cause a "Too Many Redirects" loop.
    17. 

  17. 

  18. To see if you are affected in this way, you can prepare for this change in 6 by setting the following property in `Saml2WebSsoAuthenticationFilter`:
    19. 

  19. 

  20. [tabs]
    21. 

  21. ======
    22. 

  22. Java::
    23. 

  23. +
    24. 

  24. [source,java,role="primary"]
    25. 

  25. ----
    26. 

  26. http
    27. 

  27.     .saml2Login((saml2) -> saml2
    28. 

  28.         .withObjectPostProcessor(new ObjectPostProcessor<Saml2WebSsoAuhenticaionFilter>() {
    29. 

  29. 			@Override
    30. 

  30.             public Saml2WebSsoAuthenticationFilter postProcess(Saml2WebSsoAuthenticationFilter filter) {
    31. 

  31. 				filter.setContinueChainWhenNoRelyingPartyRegistrationFound(true);
    32. 

  32. 				return filter;
    33. 

  33.             }
    34. 

  34.         })
    35. 

  35.     )
    36. 

  36. ----
    37. 

  37. 

  38. Kotlin::
    39. 

  39. +
    40. 

  40. [source,kotlin,role="secondary"]
    41. 

  41. ----
    42. 

  42. http {
    43. 

  43.     saml2Login { }
    44. 

  44.     withObjectPostProcessor(
    45. 

  45.         object : ObjectPostProcessor<Saml2WebSsoAuhenticaionFilter?>() {
    46. 

  46.             override fun postProcess(filter: Saml2WebSsoAuthenticationFilter): Saml2WebSsoAuthenticationFilter {
    47. 

  47.             filter.setContinueChainWhenNoRelyingPartyRegistrationFound(true)
    48. 

  48.             return filter
    49. 

  49.         }
    50. 

  50.     })
    51. 

  51. }
    52. 

  52. ----
    53. 

  53. 

  54. Xml::
    55. 

  55. +
    56. 

  56. [source,xml,role="secondary"]
    57. 

  57. ----
    58. 

  58. <b:bean id="saml2PostProcessor" class="org.example.MySaml2WebSsoAuthenticationFilterBeanPostProcessor"/>
    59. 

  59. ----
    60. 

  60. ======
    61. 

  61. 

  62. == Validate Response After Validating Assertions
    63. 

  63. 

  64. In Spring Security 6, the order of authenticating a `<saml2:Response>` is as follows:
    65. 

  65. 

  66. 1. Verify the Response Signature, if any
    67. 

  67. 2. Decrypt the Response
    68. 

  68. 3. Validate Response attributes, like Destination and Issuer
    69. 

  69. 4. For each assertion, verify the signature, decrypt, and then validate its fields
    70. 

  70. 5. Check to ensure that the response has at least one assertion with a name field
    71. 

  71. 

  72. This ordering sometimes poses challenges since some response validation is being done in Step 3 and some in Step 5.
    73. 

  73. Specifically, this poses a chellenge when an application doesn't have a name field and doesn't need it to be validated.
    74. 

  74. 

  75. In Spring Security 7, this is simplified by moving response validation to after assertion validation and combining the two separate validation steps 3 and 5.
    76. 

  76. When this is complete, response validation will no longer check for the existence of the `NameID` attribute and rely on ``ResponseAuthenticationConverter``s to do this.
    77. 

  77. 

  78. This will add support ``ResponseAuthenticationConverter``s that don't use the `NameID` element in their `Authentication` instance and so don't need it validated.
    79. 

  79. 

  80. To opt-in to this behavior in advance, use `OpenSaml5AuthenticationProvider#setValidateResponseAfterAssertions` to `true` like so:
    81. 

  81. 

  82. [tabs]
    83. 

  83. ======
    84. 

  84. Java::
    85. 

  85. +
    86. 

  86. [source,java,role="primary"]
    87. 

  87. ----
    88. 

  88. OpenSaml5AuthenticationProvider provider = new OpenSaml5AuthenticationProvider();
    89. 

  89. provider.setValidateResponseAfterAssertions(true);
    90. 

  90. ----
    91. 

  91. 

  92. Kotlin::
    93. 

  93. +
    94. 

  94. [source,kotlin,role="secondary"]
    95. 

  95. ----
    96. 

  96. val provider = OpenSaml5AuthenticationProvider()
    97. 

  97. provider.setValidateResponseAfterAssertions(true)
    98. 

  98. ----
    99. 

  99. ======
    100. 

  100. 

  101. This will change the authentication steps as follows:
    102. 

  102. 

  103. 1. Verify the Response Signature, if any
    104. 

  104. 2. Decrypt the Response
    105. 

  105. 3. For each assertion, verify the signature, decrypt, and then validate its fields
    106. 

  106. 4. Validate Response attributes, like Destination and Issuer
    107. 

  107. 

  108. Note that if you have a custom response authentication converter, then you are now responsible to check if the `NameID` element exists in the event that you need it.
    109. 

  109. 

  110. Alternatively to updating your response authentication converter, you can specify a custom `ResponseValidator` that adds back in the check for the `NameID` element as follows:
    111. 

  111. 

  112. [tabs]
    113. 

  113. ======
    114. 

  114. Java::
    115. 

  115. +
    116. 

  116. [source,java,role="primary"]
    117. 

  117. ----
    118. 

  118. OpenSaml5AuthenticationProvider provider = new OpenSaml5AuthenticationProvider();
    119. 

  119. provider.setValidateResponseAfterAssertions(true);
    120. 

  120. ResponseValidator responseValidator = ResponseValidator.withDefaults((responseToken) -> {
    121. 

  121. 	Response response = responseToken.getResponse();
    122. 

  122. 	Assertion assertion = CollectionUtils.firstElement(response.getAssertions());
    123. 

  123. 	Saml2Error error = new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND,
    124. 

  124.             "Assertion [" + firstAssertion.getID() + "] is missing a subject");
    125. 

  125. 	Saml2ResponseValidationResult failed = Saml2ResponseValidationResult.failure(error);
    126. 

  126. 	if (assertion.getSubject() == null) {
    127. 

  127. 		return failed;
    128. 

  128. 	}
    129. 

  129. 	if (assertion.getSubject().getNameID() == null) {
    130. 

  130. 		return failed;
    131. 

  131. 	}
    132. 

  132. 	if (assertion.getSubject().getNameID().getValue() == null) {
    133. 

  133. 		return failed;
    134. 

  134. 	}
    135. 

  135. 	return Saml2ResponseValidationResult.success();
    136. 

  136. });
    137. 

  137. provider.setResponseValidator(responseValidator);
    138. 

  138. ----
    139. 

  139. 

  140. Kotlin::
    141. 

  141. +
    142. 

  142. [source,kotlin,role="secondary"]
    143. 

  143. ----
    144. 

  144. val provider = OpenSaml5AuthenticationProvider()
    145. 

  145. provider.setValidateResponseAfterAssertions(true)
    146. 

  146. val responseValidator = ResponseValidator.withDefaults { responseToken: ResponseToken ->
    147. 

  147. 	val response = responseToken.getResponse()
    148. 

  148. 	val assertion = CollectionUtils.firstElement(response.getAssertions())
    149. 

  149. 	val error = Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND,
    150. 

  150.         "Assertion [" + firstAssertion.getID() + "] is missing a subject")
    151. 

  151. 	val failed = Saml2ResponseValidationResult.failure(error)
    152. 

  152. 	if (assertion.getSubject() == null) {
    153. 

  153.         return@withDefaults failed
    154. 

  154. 	}
    155. 

  155. 	if (assertion.getSubject().getNameID() == null) {
    156. 

  156. 		return@withDefaults failed
    157. 

  157. 	}
    158. 

  158. 	if (assertion.getSubject().getNameID().getValue() == null) {
    159. 

  159. 		return@withDefaults failed
    160. 

  160. 	}
    161. 

  161. 	return@withDefaults Saml2ResponseValidationResult.success()
    162. 

  162. }
    163. 

  163. provider.setResponseValidator(responseValidator)
    164. 

  164. ----
    165. 

  165. ======
    166.