Skip to content
This repository has been archived by the owner on Nov 29, 2022. It is now read-only.

Issue/466/handle auth details #467

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Issue/466/handle auth details #467

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8da7126
Fix issue #466
Nov 15, 2019
3f4a432
Fix issue #466
Nov 15, 2019
fd5a662
Merge remote-tracking branch 'origin/issue/466/handle-auth-details' i…
Nov 15, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion core/src/main/java/org/springframework/security/saml/SAMLAuthenticationProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ public Authentication authenticate(Authentication authentication) throws Authent

SAMLCredential authenticationCredential = excludeCredential ? null : credential;
ExpiringUsernameAuthenticationToken result = new ExpiringUsernameAuthenticationToken(expiration, principal, authenticationCredential, entitlements);
result.setDetails(userDetails);
result.setDetails(authentication.getDetails());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sadly, I don't think that we can main this change inside of a maintenance release since it's possible that there are applications that are calling getDetails and expecting the userDetails object to come back. By changing it to the result of AuthenticationDetailsSource, we'd break those applications.

Instead, what an application would probably need to do is create a custom authentication provider like so:

public class MyAuthenticationProvider implements AuthenticationProvider {
    private final SAMLAuthenticationProvider delegate;

    // .. constructor

    @Override
    public Authentication authenticate(Authentication authentication) {
        ExpiringUsernameAuthenticationToken result = (ExpiringUsernameAuthenticationToken) 
                this.delegate.authenticate(authentication);
        result.setDetails(authentication.getDetails());
        return result;
    }
}


samlLogger.log(SAMLConstants.AUTH_N_RESPONSE, SAMLConstants.SUCCESS, context, result, null);

Expand Down
17 changes: 17 additions & 0 deletions core/src/main/java/org/springframework/security/saml/SAMLProcessingFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,10 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
context.setLocalEntityEndpoint(SAMLUtil.getEndpoint(context.getLocalEntityRoleMetadata().getEndpoints(), context.getInboundSAMLBinding(), context.getInboundMessageTransport(), uriComparator));

SAMLAuthenticationToken token = new SAMLAuthenticationToken(context);

// Allow subclasses to set the "details" property
setDetails(request, token);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In lieu of calling a new method here, I'd recommend it simply call this.token.setDetails(details) directly.


return getAuthenticationManager().authenticate(token);

} catch (SAMLException e) {
Expand All @@ -107,6 +111,19 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ

}

/**
* Provided so that subclasses may configure what is put into the authentication
* request's details property.
*
* @param request that an authentication request is being created for
* @param authRequest the authentication request object that should have its details
* set
*/
protected void setDetails(HttpServletRequest request,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't want to introduce a new API in a maintenance release. Since no further minor releases are planned, let's leave this out.

Truthfully, it's likely not needed anyway since the user already gets full control by wiring an AuthenticationDetailsSource.

SAMLAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}

/**
* Name of the profile this used for authentication.
*
Expand Down
5 changes: 4 additions & 1 deletion core/src/test/java/org/springframework/security/saml/SAMLAuthenticationProviderTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,8 @@ public void testAuthenticateUserDetails() throws Exception {
provider.setUserDetails(details);

SAMLAuthenticationToken token = new SAMLAuthenticationToken(context);
Object authenticationDetails = new Object();
token.setDetails(authenticationDetails);
SAMLCredential result = new SAMLCredential(nameID, assertion, "IDP", "localSP");

expect(consumer.processAuthenticationResponse(context)).andReturn(result);
Expand All @@ -135,6 +137,7 @@ public void testAuthenticateUserDetails() throws Exception {
assertEquals(user, authentication.getPrincipal());
assertEquals(user.getUsername(), authentication.getName());
assertNotNull(authentication.getDetails());
assertEquals(authenticationDetails, authentication.getDetails());
assertEquals(2, authentication.getAuthorities().size());
assertTrue(authentication.getAuthorities().contains(new SimpleGrantedAuthority("role1")));
assertTrue(authentication.getAuthorities().contains(new SimpleGrantedAuthority("role2")));
Expand Down Expand Up @@ -175,4 +178,4 @@ private void verifyMock() {
verify(nameID);
verify(assertion);
}
}
}
4 changes: 3 additions & 1 deletion core/src/test/java/org/springframework/security/saml/SAMLProcessingFilterTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,6 +190,8 @@ public void testCorrectPass() throws Exception {
final Capture<SAMLMessageContext> context = new Capture<SAMLMessageContext>();
expect(request.getRequestURL()).andReturn(new StringBuffer("http://localhost:8081/spring-security-saml2-webapp/saml/SSO"));
expect(request.getQueryString()).andReturn(null);
expect(request.getRemoteAddr()).andReturn(null);
expect(request.getSession(false)).andReturn(null);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check the whitespacing here.

expect(processor.retrieveMessage(capture(context))).andAnswer(new IAnswer<SAMLMessageContext>() {
public SAMLMessageContext answer() throws Throwable {
context.getValue().setInboundSAMLBinding(org.opensaml.common.xml.SAMLConstants.SAML2_POST_BINDING_URI);
Expand Down Expand Up @@ -230,4 +232,4 @@ private void verifyMock() {
verify(processor);
verify(session);
}
}
}