Example 1 with Saml2LogoutRequest
use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest in project spring-security by spring-projects.
the class Saml2LogoutRequestFilter method doFilterInternal.
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
if (!this.logoutRequestMatcher.matches(request)) {
chain.doFilter(request, response);
return;
}
if (request.getParameter(Saml2ParameterNames.SAML_REQUEST) == null) {
chain.doFilter(request, response);
return;
}
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, getRegistrationId(authentication));
if (registration == null) {
this.logger.trace("Did not process logout request since failed to find associated RelyingPartyRegistration");
response.sendError(HttpServletResponse.SC_BAD_REQUEST);
return;
}
if (registration.getSingleLogoutServiceLocation() == null) {
this.logger.trace("Did not process logout request since RelyingPartyRegistration has not been configured with a logout request endpoint");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
if (!isCorrectBinding(request, registration)) {
this.logger.trace("Did not process logout request since used incorrect binding");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration).samlRequest(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE)).binding(registration.getSingleLogoutServiceBinding()).location(registration.getSingleLogoutServiceLocation()).parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG, request.getParameter(Saml2ParameterNames.SIG_ALG))).parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE, request.getParameter(Saml2ParameterNames.SIGNATURE))).build();
Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(logoutRequest, registration, authentication);
Saml2LogoutValidatorResult result = this.logoutRequestValidator.validate(parameters);
if (result.hasErrors()) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, result.getErrors().iterator().next().toString());
this.logger.debug(LogMessage.format("Failed to validate LogoutRequest: %s", result.getErrors()));
return;
}
this.handler.logout(request, response, authentication);
Saml2LogoutResponse logoutResponse = this.logoutResponseResolver.resolve(request, authentication);
if (logoutResponse == null) {
this.logger.trace("Returning 401 since no logout response generated");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
if (logoutResponse.getBinding() == Saml2MessageBinding.REDIRECT) {
doRedirect(request, response, logoutResponse);
} else {
doPost(response, logoutResponse);
}
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
UriComponentsBuilder(org.springframework.web.util.UriComponentsBuilder)
HttpServletRequest(jakarta.servlet.http.HttpServletRequest)
DefaultRedirectStrategy(org.springframework.security.web.DefaultRedirectStrategy)
OncePerRequestFilter(org.springframework.web.filter.OncePerRequestFilter)
ServletException(jakarta.servlet.ServletException)
Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse)
Function(java.util.function.Function)
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
RedirectStrategy(org.springframework.security.web.RedirectStrategy)
HtmlUtils(org.springframework.web.util.HtmlUtils)
Saml2MessageBinding(org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)
LogMessage(org.springframework.core.log.LogMessage)
Saml2LogoutRequestValidator(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator)
CompositeLogoutHandler(org.springframework.security.web.authentication.logout.CompositeLogoutHandler)
SecurityContextHolder(org.springframework.security.core.context.SecurityContextHolder)
RelyingPartyRegistrationResolver(org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver)
MediaType(org.springframework.http.MediaType)
FilterChain(jakarta.servlet.FilterChain)
IOException(java.io.IOException)
RequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher)
StandardCharsets(java.nio.charset.StandardCharsets)
Saml2LogoutValidatorResult(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult)
Saml2ParameterNames(org.springframework.security.saml2.core.Saml2ParameterNames)
LogoutHandler(org.springframework.security.web.authentication.logout.LogoutHandler)
UriUtils(org.springframework.web.util.UriUtils)
Log(org.apache.commons.logging.Log)
Saml2LogoutRequestValidatorParameters(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidatorParameters)
HttpServletResponse(jakarta.servlet.http.HttpServletResponse)
LogFactory(org.apache.commons.logging.LogFactory)
Authentication(org.springframework.security.core.Authentication)
Saml2AuthenticatedPrincipal(org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal)
Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)
AntPathRequestMatcher(org.springframework.security.web.util.matcher.AntPathRequestMatcher)
Assert(org.springframework.util.Assert)
StringUtils(org.springframework.util.StringUtils)
Saml2LogoutValidatorResult(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult)
Saml2LogoutRequestValidatorParameters(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidatorParameters)
Authentication(org.springframework.security.core.Authentication)
Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)
Saml2LogoutResponse(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse)
Example 2 with Saml2LogoutRequest
use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest in project spring-security by spring-projects.
the class OpenSamlLogoutResponseValidatorTests method handleWhenMismatchedDestinationThenInvalidDestinationError.
@Test
public void handleWhenMismatchedDestinationThenInvalidDestinationError() {
RelyingPartyRegistration registration = registration().build();
Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration).id("id").build();
LogoutResponse logoutResponse = TestOpenSamlObjects.assertingPartyLogoutResponse(registration);
logoutResponse.setDestination("wrong");
sign(logoutResponse, registration);
Saml2LogoutResponse response = post(logoutResponse, registration);
Saml2LogoutResponseValidatorParameters parameters = new Saml2LogoutResponseValidatorParameters(response, logoutRequest, registration);
Saml2LogoutValidatorResult result = this.manager.validate(parameters);
assertThat(result.hasErrors()).isTrue();
assertThat(result.getErrors().iterator().next().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_DESTINATION);
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
Test(org.junit.jupiter.api.Test)
Example 3 with Saml2LogoutRequest
use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest in project spring-security by spring-projects.
the class OpenSaml3LogoutRequestResolverTests method resolveWhenCustomParametersConsumerThenUses.
@Test
public void resolveWhenCustomParametersConsumerThenUses() {
OpenSaml3LogoutRequestResolver logoutRequestResolver = new OpenSaml3LogoutRequestResolver(this.relyingPartyRegistrationResolver);
logoutRequestResolver.setParametersConsumer((parameters) -> parameters.getLogoutRequest().setID("myid"));
HttpServletRequest request = new MockHttpServletRequest();
RelyingPartyRegistration registration = TestRelyingPartyRegistrations.relyingPartyRegistration().assertingPartyDetails((party) -> party.singleLogoutServiceLocation("https://ap.example.com/logout")).build();
Authentication authentication = new TestingAuthenticationToken("user", "password");
given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
Saml2LogoutRequest logoutRequest = logoutRequestResolver.resolve(request, authentication);
assertThat(logoutRequest.getId()).isEqualTo("myid");
}
Also used :
HttpServletRequest(jakarta.servlet.http.HttpServletRequest)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
HttpServletRequest(jakarta.servlet.http.HttpServletRequest)
TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken)
RelyingPartyRegistrationResolver(org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver)
Assertions.assertThat(org.assertj.core.api.Assertions.assertThat)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
Test(org.junit.jupiter.api.Test)
BDDMockito.given(org.mockito.BDDMockito.given)
Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType)
Authentication(org.springframework.security.core.Authentication)
Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)
TestRelyingPartyRegistrations(org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations)
Mockito.mock(org.mockito.Mockito.mock)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
Authentication(org.springframework.security.core.Authentication)
Saml2LogoutRequest(org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)
TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken)
Test(org.junit.jupiter.api.Test)
Example 4 with Saml2LogoutRequest
use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest in project spring-security by spring-projects.
the class OpenSamlLogoutRequestValidatorTests method handleWhenNameIdIsEncryptedIdPostThenValidates.
@Test
public void handleWhenNameIdIsEncryptedIdPostThenValidates() {
RelyingPartyRegistration registration = decrypting(encrypting(registration())).build();
LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequestNameIdInEncryptedId(registration);
sign(logoutRequest, registration);
Saml2LogoutRequest request = post(logoutRequest, registration);
Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(request, registration, authentication(registration));
Saml2LogoutValidatorResult result = this.manager.validate(parameters);
assertThat(result.hasErrors()).withFailMessage(() -> result.getErrors().toString()).isFalse();
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
Test(org.junit.jupiter.api.Test)
Example 5 with Saml2LogoutRequest
use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest in project spring-security by spring-projects.
the class OpenSamlLogoutRequestValidatorTests method handleWhenMismatchedDestinationThenInvalidDestinationError.
@Test
public void handleWhenMismatchedDestinationThenInvalidDestinationError() {
RelyingPartyRegistration registration = registration().build();
LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
logoutRequest.setDestination("wrong");
sign(logoutRequest, registration);
Saml2LogoutRequest request = post(logoutRequest, registration);
Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(request, registration, authentication(registration));
Saml2LogoutValidatorResult result = this.manager.validate(parameters);
assertThat(result.hasErrors()).isTrue();
assertThat(result.getErrors().iterator().next().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_DESTINATION);
}
Also used :
RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)
LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest)
Test(org.junit.jupiter.api.Test)
Aggregations
Test (org.junit.jupiter.api.Test)40
Saml2LogoutRequest (org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest)34
RelyingPartyRegistration (org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)31
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)27
MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)22
LogoutRequest (org.opensaml.saml.saml2.core.LogoutRequest)15
Authentication (org.springframework.security.core.Authentication)12
Saml2MessageBinding (org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding)12
Assertions.assertThat (org.assertj.core.api.Assertions.assertThat)10
TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken)10
Saml2Authentication (org.springframework.security.saml2.provider.service.authentication.Saml2Authentication)10
TestRelyingPartyRegistrations (org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations)10
StandardCharsets (java.nio.charset.StandardCharsets)9
ArgumentMatchers.any (org.mockito.ArgumentMatchers.any)8
BDDMockito.given (org.mockito.BDDMockito.given)8
Saml2ParameterNames (org.springframework.security.saml2.core.Saml2ParameterNames)7
DefaultSaml2AuthenticatedPrincipal (org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal)7
HttpServletRequest (jakarta.servlet.http.HttpServletRequest)6
AfterEach (org.junit.jupiter.api.AfterEach)5
BeforeEach (org.junit.jupiter.api.BeforeEach)5
