Search in sources :

Example 1 with Saml2LogoutRequest

use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest in project spring-security by spring-projects.

the class Saml2LogoutRequestFilter method doFilterInternal.

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
    if (!this.logoutRequestMatcher.matches(request)) {
        chain.doFilter(request, response);
        return;
    }
    if (request.getParameter(Saml2ParameterNames.SAML_REQUEST) == null) {
        chain.doFilter(request, response);
        return;
    }
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, getRegistrationId(authentication));
    if (registration == null) {
        this.logger.trace("Did not process logout request since failed to find associated RelyingPartyRegistration");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }
    if (registration.getSingleLogoutServiceLocation() == null) {
        this.logger.trace("Did not process logout request since RelyingPartyRegistration has not been configured with a logout request endpoint");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    if (!isCorrectBinding(request, registration)) {
        this.logger.trace("Did not process logout request since used incorrect binding");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
    Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration).samlRequest(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE)).binding(registration.getSingleLogoutServiceBinding()).location(registration.getSingleLogoutServiceLocation()).parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG, request.getParameter(Saml2ParameterNames.SIG_ALG))).parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE, request.getParameter(Saml2ParameterNames.SIGNATURE))).build();
    Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(logoutRequest, registration, authentication);
    Saml2LogoutValidatorResult result = this.logoutRequestValidator.validate(parameters);
    if (result.hasErrors()) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, result.getErrors().iterator().next().toString());
        this.logger.debug(LogMessage.format("Failed to validate LogoutRequest: %s", result.getErrors()));
        return;
    }
    this.handler.logout(request, response, authentication);
    Saml2LogoutResponse logoutResponse = this.logoutResponseResolver.resolve(request, authentication);
    if (logoutResponse == null) {
        this.logger.trace("Returning 401 since no logout response generated");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    if (logoutResponse.getBinding() == Saml2MessageBinding.REDIRECT) {
        doRedirect(request, response, logoutResponse);
    } else {
        doPost(response, logoutResponse);
    }
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) UriComponentsBuilder(org.springframework.web.util.UriComponentsBuilder) HttpServletRequest(jakarta.servlet.http.HttpServletRequest) DefaultRedirectStrategy(org.springframework.security.web.DefaultRedirectStrategy) OncePerRequestFilter(org.springframework.web.filter.OncePerRequestFilter) ServletException(jakarta.servlet.ServletException) Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse) Function(java.util.function.Function) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) RedirectStrategy(org.springframework.security.web.RedirectStrategy) HtmlUtils(org.springframework.web.util.HtmlUtils) Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding) LogMessage(org.springframework.core.log.LogMessage) Saml2LogoutRequestValidator(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator) CompositeLogoutHandler(org.springframework.security.web.authentication.logout.CompositeLogoutHandler) SecurityContextHolder(org.springframework.security.core.context.SecurityContextHolder) RelyingPartyRegistrationResolver(org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver) MediaType(org.springframework.http.MediaType) FilterChain(jakarta.servlet.FilterChain) IOException(java.io.IOException) RequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher) StandardCharsets(java.nio.charset.StandardCharsets) Saml2LogoutValidatorResult(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult) Saml2ParameterNames(org.springframework.security.saml2.core.Saml2ParameterNames) LogoutHandler(org.springframework.security.web.authentication.logout.LogoutHandler) UriUtils(org.springframework.web.util.UriUtils) Log(org.apache.commons.logging.Log) Saml2LogoutRequestValidatorParameters(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidatorParameters) HttpServletResponse(jakarta.servlet.http.HttpServletResponse) LogFactory(org.apache.commons.logging.LogFactory) Authentication(org.springframework.security.core.Authentication) Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal) Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest) AntPathRequestMatcher(org.springframework.security.web.util.matcher.AntPathRequestMatcher) Assert(org.springframework.util.Assert) StringUtils(org.springframework.util.StringUtils) Saml2LogoutValidatorResult(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult) Saml2LogoutRequestValidatorParameters(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidatorParameters) Authentication(org.springframework.security.core.Authentication) Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest) Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse)

Example 2 with Saml2LogoutRequest

use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest in project spring-security by spring-projects.

the class OpenSamlLogoutResponseValidatorTests method handleWhenMismatchedDestinationThenInvalidDestinationError.

@Test
public void handleWhenMismatchedDestinationThenInvalidDestinationError() {
    RelyingPartyRegistration registration = registration().build();
    Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration).id("id").build();
    LogoutResponse logoutResponse = TestOpenSamlObjects.assertingPartyLogoutResponse(registration);
    logoutResponse.setDestination("wrong");
    sign(logoutResponse, registration);
    Saml2LogoutResponse response = post(logoutResponse, registration);
    Saml2LogoutResponseValidatorParameters parameters = new Saml2LogoutResponseValidatorParameters(response, logoutRequest, registration);
    Saml2LogoutValidatorResult result = this.manager.validate(parameters);
    assertThat(result.hasErrors()).isTrue();
    assertThat(result.getErrors().iterator().next().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_DESTINATION);
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse) Test(org.junit.jupiter.api.Test)

Example 3 with Saml2LogoutRequest

use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest in project spring-security by spring-projects.

the class OpenSaml3LogoutRequestResolverTests method resolveWhenCustomParametersConsumerThenUses.

@Test
public void resolveWhenCustomParametersConsumerThenUses() {
    OpenSaml3LogoutRequestResolver logoutRequestResolver = new OpenSaml3LogoutRequestResolver(this.relyingPartyRegistrationResolver);
    logoutRequestResolver.setParametersConsumer((parameters) -> parameters.getLogoutRequest().setID("myid"));
    HttpServletRequest request = new MockHttpServletRequest();
    RelyingPartyRegistration registration = TestRelyingPartyRegistrations.relyingPartyRegistration().assertingPartyDetails((party) -> party.singleLogoutServiceLocation("https://ap.example.com/logout")).build();
    Authentication authentication = new TestingAuthenticationToken("user", "password");
    given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
    Saml2LogoutRequest logoutRequest = logoutRequestResolver.resolve(request, authentication);
    assertThat(logoutRequest.getId()).isEqualTo("myid");
}
Also used : HttpServletRequest(jakarta.servlet.http.HttpServletRequest) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) HttpServletRequest(jakarta.servlet.http.HttpServletRequest) TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken) RelyingPartyRegistrationResolver(org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Test(org.junit.jupiter.api.Test) BDDMockito.given(org.mockito.BDDMockito.given) Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType) Authentication(org.springframework.security.core.Authentication) Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest) TestRelyingPartyRegistrations(org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations) Mockito.mock(org.mockito.Mockito.mock) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) Authentication(org.springframework.security.core.Authentication) Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest) TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken) Test(org.junit.jupiter.api.Test)

Example 4 with Saml2LogoutRequest

use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest in project spring-security by spring-projects.

the class OpenSamlLogoutRequestValidatorTests method handleWhenNameIdIsEncryptedIdPostThenValidates.

@Test
public void handleWhenNameIdIsEncryptedIdPostThenValidates() {
    RelyingPartyRegistration registration = decrypting(encrypting(registration())).build();
    LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequestNameIdInEncryptedId(registration);
    sign(logoutRequest, registration);
    Saml2LogoutRequest request = post(logoutRequest, registration);
    Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(request, registration, authentication(registration));
    Saml2LogoutValidatorResult result = this.manager.validate(parameters);
    assertThat(result.hasErrors()).withFailMessage(() -> result.getErrors().toString()).isFalse();
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) Test(org.junit.jupiter.api.Test)

Example 5 with Saml2LogoutRequest

use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest in project spring-security by spring-projects.

the class OpenSamlLogoutRequestValidatorTests method handleWhenMismatchedDestinationThenInvalidDestinationError.

@Test
public void handleWhenMismatchedDestinationThenInvalidDestinationError() {
    RelyingPartyRegistration registration = registration().build();
    LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
    logoutRequest.setDestination("wrong");
    sign(logoutRequest, registration);
    Saml2LogoutRequest request = post(logoutRequest, registration);
    Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(request, registration, authentication(registration));
    Saml2LogoutValidatorResult result = this.manager.validate(parameters);
    assertThat(result.hasErrors()).isTrue();
    assertThat(result.getErrors().iterator().next().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_DESTINATION);
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) Test(org.junit.jupiter.api.Test)

Aggregations

Test (org.junit.jupiter.api.Test)40 Saml2LogoutRequest (org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)34 RelyingPartyRegistration (org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)31 MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)27 MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)22 LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)15 Authentication (org.springframework.security.core.Authentication)12 Saml2MessageBinding (org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)12 Assertions.assertThat (org.assertj.core.api.Assertions.assertThat)10 TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken)10 Saml2Authentication (org.springframework.security.saml2.provider.service.authentication.Saml2Authentication)10 TestRelyingPartyRegistrations (org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations)10 StandardCharsets (java.nio.charset.StandardCharsets)9 ArgumentMatchers.any (org.mockito.ArgumentMatchers.any)8 BDDMockito.given (org.mockito.BDDMockito.given)8 Saml2ParameterNames (org.springframework.security.saml2.core.Saml2ParameterNames)7 DefaultSaml2AuthenticatedPrincipal (org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal)7 HttpServletRequest (jakarta.servlet.http.HttpServletRequest)6 AfterEach (org.junit.jupiter.api.AfterEach)5 BeforeEach (org.junit.jupiter.api.BeforeEach)5