Examples with Saml2LogoutResponse org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse used on opensource projects

Example 1 with Saml2LogoutResponse

use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse in project spring-security by spring-projects.

the class Saml2LogoutRequestFilter method doFilterInternal.

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
    if (!this.logoutRequestMatcher.matches(request)) {
        chain.doFilter(request, response);
        return;
    }
    if (request.getParameter(Saml2ParameterNames.SAML_REQUEST) == null) {
        chain.doFilter(request, response);
        return;
    }
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, getRegistrationId(authentication));
    if (registration == null) {
        this.logger.trace("Did not process logout request since failed to find associated RelyingPartyRegistration");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }
    if (registration.getSingleLogoutServiceLocation() == null) {
        this.logger.trace("Did not process logout request since RelyingPartyRegistration has not been configured with a logout request endpoint");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    if (!isCorrectBinding(request, registration)) {
        this.logger.trace("Did not process logout request since used incorrect binding");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
    Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration).samlRequest(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE)).binding(registration.getSingleLogoutServiceBinding()).location(registration.getSingleLogoutServiceLocation()).parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG, request.getParameter(Saml2ParameterNames.SIG_ALG))).parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE, request.getParameter(Saml2ParameterNames.SIGNATURE))).build();
    Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(logoutRequest, registration, authentication);
    Saml2LogoutValidatorResult result = this.logoutRequestValidator.validate(parameters);
    if (result.hasErrors()) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, result.getErrors().iterator().next().toString());
        this.logger.debug(LogMessage.format("Failed to validate LogoutRequest: %s", result.getErrors()));
        return;
    }
    this.handler.logout(request, response, authentication);
    Saml2LogoutResponse logoutResponse = this.logoutResponseResolver.resolve(request, authentication);
    if (logoutResponse == null) {
        this.logger.trace("Returning 401 since no logout response generated");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    if (logoutResponse.getBinding() == Saml2MessageBinding.REDIRECT) {
        doRedirect(request, response, logoutResponse);
    } else {
        doPost(response, logoutResponse);
    }
}

Example 2 with Saml2LogoutResponse

use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse in project spring-security by spring-projects.

the class OpenSamlLogoutResponseValidatorTests method handleWhenMismatchedDestinationThenInvalidDestinationError.

@Test
public void handleWhenMismatchedDestinationThenInvalidDestinationError() {
    RelyingPartyRegistration registration = registration().build();
    Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration).id("id").build();
    LogoutResponse logoutResponse = TestOpenSamlObjects.assertingPartyLogoutResponse(registration);
    logoutResponse.setDestination("wrong");
    sign(logoutResponse, registration);
    Saml2LogoutResponse response = post(logoutResponse, registration);
    Saml2LogoutResponseValidatorParameters parameters = new Saml2LogoutResponseValidatorParameters(response, logoutRequest, registration);
    Saml2LogoutValidatorResult result = this.manager.validate(parameters);
    assertThat(result.hasErrors()).isTrue();
    assertThat(result.getErrors().iterator().next().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_DESTINATION);
}

Example 3 with Saml2LogoutResponse

use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse in project spring-security by spring-projects.

the class Saml2LogoutResponseFilter method doFilterInternal.

/**
 * {@inheritDoc}
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
    if (!this.logoutRequestMatcher.matches(request)) {
        chain.doFilter(request, response);
        return;
    }
    if (request.getParameter(Saml2ParameterNames.SAML_RESPONSE) == null) {
        chain.doFilter(request, response);
        return;
    }
    Saml2LogoutRequest logoutRequest = this.logoutRequestRepository.removeLogoutRequest(request, response);
    if (logoutRequest == null) {
        this.logger.trace("Did not process logout response since could not find associated LogoutRequest");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Failed to find associated LogoutRequest");
        return;
    }
    RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, logoutRequest.getRelyingPartyRegistrationId());
    if (registration == null) {
        this.logger.trace("Did not process logout request since failed to find associated RelyingPartyRegistration");
        Saml2Error error = new Saml2Error(Saml2ErrorCodes.RELYING_PARTY_REGISTRATION_NOT_FOUND, "Failed to find associated RelyingPartyRegistration");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, error.toString());
        return;
    }
    if (registration.getSingleLogoutServiceResponseLocation() == null) {
        this.logger.trace("Did not process logout response since RelyingPartyRegistration has not been configured with a logout response endpoint");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    if (!isCorrectBinding(request, registration)) {
        this.logger.trace("Did not process logout request since used incorrect binding");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    String serialized = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
    Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration).samlResponse(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE)).binding(registration.getSingleLogoutServiceBinding()).location(registration.getSingleLogoutServiceResponseLocation()).parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG, request.getParameter(Saml2ParameterNames.SIG_ALG))).parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE, request.getParameter(Saml2ParameterNames.SIGNATURE))).build();
    Saml2LogoutResponseValidatorParameters parameters = new Saml2LogoutResponseValidatorParameters(logoutResponse, logoutRequest, registration);
    Saml2LogoutValidatorResult result = this.logoutResponseValidator.validate(parameters);
    if (result.hasErrors()) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, result.getErrors().iterator().next().toString());
        this.logger.debug(LogMessage.format("Failed to validate LogoutResponse: %s", result.getErrors()));
        return;
    }
    this.logoutSuccessHandler.onLogoutSuccess(request, response, null);
}

Example 4 with Saml2LogoutResponse

use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse in project spring-security by spring-projects.

the class OpenSamlLogoutResponseResolverTests method resolvePostWhenAuthenticatedThenSuccess.

@Test
public void resolvePostWhenAuthenticatedThenSuccess() {
    RelyingPartyRegistration registration = TestRelyingPartyRegistrations.full().assertingPartyDetails((party) -> party.singleLogoutServiceBinding(Saml2MessageBinding.POST)).build();
    MockHttpServletRequest request = new MockHttpServletRequest();
    LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
    request.setParameter(Saml2ParameterNames.SAML_REQUEST, Saml2Utils.samlEncode(OpenSamlSigningUtils.serialize(logoutRequest).getBytes()));
    request.setParameter(Saml2ParameterNames.RELAY_STATE, "abcd");
    Authentication authentication = authentication(registration);
    given(this.relyingPartyRegistrationResolver.resolve(any(), any())).willReturn(registration);
    Saml2LogoutResponse saml2LogoutResponse = this.logoutResponseResolver.resolve(request, authentication);
    assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIG_ALG)).isNull();
    assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.SIGNATURE)).isNull();
    assertThat(saml2LogoutResponse.getParameter(Saml2ParameterNames.RELAY_STATE)).isSameAs("abcd");
    Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleLogoutServiceBinding();
    LogoutResponse logoutResponse = getLogoutResponse(saml2LogoutResponse.getSamlResponse(), binding);
    assertThat(logoutResponse.getStatus().getStatusCode().getValue()).isEqualTo(StatusCode.SUCCESS);
}

Example 5 with Saml2LogoutResponse

use of org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse in project spring-security by spring-projects.

the class Saml2LogoutConfigurerTests method saml2LogoutRequestWhenCustomLogoutRequestHandlerThenUses.

@Test
public void saml2LogoutRequestWhenCustomLogoutRequestHandlerThenUses() throws Exception {
    this.spring.register(Saml2LogoutComponentsConfig.class).autowire();
    RelyingPartyRegistration registration = this.repository.findByRegistrationId("registration-id");
    LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequest(registration);
    logoutRequest.setIssueInstant(Instant.now());
    given(getBean(Saml2LogoutRequestValidator.class).validate(any())).willReturn(Saml2LogoutValidatorResult.success());
    Saml2LogoutResponse logoutResponse = Saml2LogoutResponse.withRelyingPartyRegistration(registration).build();
    given(getBean(Saml2LogoutResponseResolver.class).resolve(any(), any())).willReturn(logoutResponse);
    this.mvc.perform(post("/logout/saml2/slo").param("SAMLRequest", "samlRequest").with(authentication(this.user))).andReturn();
    verify(getBean(Saml2LogoutRequestValidator.class)).validate(any());
    verify(getBean(Saml2LogoutResponseResolver.class)).resolve(any(), any());
}