GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Add CSRF Exception 

Issue gh-13653
pull/13668/head
Josh Cummings 2 years ago
parent
87ae2d41b3
commit
3ba5cc0e40
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
2 changed files with 31 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 16
      config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
  2. 22
      saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/Saml2WebSsoAuthenticationFilter.java

16
config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
Unescape View File

@ -52,6 +52,7 @@ import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher; import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatchers;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
@ -114,7 +115,9 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
private Saml2AuthenticationRequestResolver authenticationRequestResolver; private Saml2AuthenticationRequestResolver authenticationRequestResolver;
private String loginProcessingUrl = Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI; private RequestMatcher loginProcessingUrl = RequestMatchers.anyOf(
new AntPathRequestMatcher(Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI),
new AntPathRequestMatcher("/login/saml2/sso"));
private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository; private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
@ -214,7 +217,7 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
@Override @Override
public Saml2LoginConfigurer<B> loginProcessingUrl(String loginProcessingUrl) { public Saml2LoginConfigurer<B> loginProcessingUrl(String loginProcessingUrl) {
Assert.hasText(loginProcessingUrl, "loginProcessingUrl cannot be empty"); Assert.hasText(loginProcessingUrl, "loginProcessingUrl cannot be empty");
this.loginProcessingUrl = loginProcessingUrl; this.loginProcessingUrl = new AntPathRequestMatcher(loginProcessingUrl);
return this; return this;
} }
@ -240,12 +243,11 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
public void init(B http) throws Exception { public void init(B http) throws Exception {
registerDefaultCsrfOverride(http); registerDefaultCsrfOverride(http);
relyingPartyRegistrationRepository(http); relyingPartyRegistrationRepository(http);
this.saml2WebSsoAuthenticationFilter = new Saml2WebSsoAuthenticationFilter(getAuthenticationConverter(http), this.saml2WebSsoAuthenticationFilter = new Saml2WebSsoAuthenticationFilter(getAuthenticationConverter(http));
this.loginProcessingUrl);
this.saml2WebSsoAuthenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy()); this.saml2WebSsoAuthenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
this.saml2WebSsoAuthenticationFilter.setRequiresAuthenticationRequestMatcher(this.loginProcessingUrl);
setAuthenticationRequestRepository(http, this.saml2WebSsoAuthenticationFilter); setAuthenticationRequestRepository(http, this.saml2WebSsoAuthenticationFilter);
setAuthenticationFilter(this.saml2WebSsoAuthenticationFilter); setAuthenticationFilter(this.saml2WebSsoAuthenticationFilter);
super.loginProcessingUrl(this.loginProcessingUrl);
if (StringUtils.hasText(this.loginPage)) { if (StringUtils.hasText(this.loginPage)) {
// Set custom login page // Set custom login page
super.loginPage(this.loginPage); super.loginPage(this.loginPage);
@ -352,7 +354,7 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
OpenSamlAuthenticationTokenConverter converter = new OpenSamlAuthenticationTokenConverter( OpenSamlAuthenticationTokenConverter converter = new OpenSamlAuthenticationTokenConverter(
this.relyingPartyRegistrationRepository); this.relyingPartyRegistrationRepository);
converter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(http)); converter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(http));
converter.setRequestMatcher(createLoginProcessingUrlMatcher(this.loginProcessingUrl)); converter.setRequestMatcher(this.loginProcessingUrl);
return converter; return converter;
} }
return authenticationConverterBean; return authenticationConverterBean;
@ -367,7 +369,7 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
if (csrf == null) { if (csrf == null) {
return; return;
} }
csrf.ignoringRequestMatchers(new AntPathRequestMatcher(this.loginProcessingUrl)); csrf.ignoringRequestMatchers(this.loginProcessingUrl);
} }
private void initDefaultLoginFilter(B http) { private void initDefaultLoginFilter(B http) {

22
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/Saml2WebSsoAuthenticationFilter.java
Unescape View File

@ -35,6 +35,9 @@ import org.springframework.security.saml2.provider.service.web.Saml2Authenticati
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationConverter; import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy; import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert; import org.springframework.util.Assert;
/** /**
@ -44,6 +47,10 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/saml2/sso/{registrationId}"; public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/saml2/sso/{registrationId}";
private static final RequestMatcher DEFAULT_REQUEST_MATCHER = new OrRequestMatcher(
new AntPathRequestMatcher(DEFAULT_FILTER_PROCESSES_URI),
new AntPathRequestMatcher("/login/saml2/sso"));
private final AuthenticationConverter authenticationConverter; private final AuthenticationConverter authenticationConverter;
private Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository = new HttpSessionSaml2AuthenticationRequestRepository(); private Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository = new HttpSessionSaml2AuthenticationRequestRepository();
@ -75,6 +82,21 @@ public class Saml2WebSsoAuthenticationFilter extends AbstractAuthenticationProce
"filterProcessesUrl must contain a {registrationId} match variable"); "filterProcessesUrl must contain a {registrationId} match variable");
} }
/**
* Creates a {@link Saml2WebSsoAuthenticationFilter} that is configured to use the
* {@link #DEFAULT_FILTER_PROCESSES_URI} processing URL
* @param authenticationConverter the strategy for converting an
* {@link HttpServletRequest} into an {@link Authentication}
* @since 6.2
*/
public Saml2WebSsoAuthenticationFilter(AuthenticationConverter authenticationConverter) {
super(DEFAULT_REQUEST_MATCHER);
Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
this.authenticationConverter = authenticationConverter;
setAllowSessionCreation(true);
setSessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
}
/** /**
* Creates a {@link Saml2WebSsoAuthenticationFilter} given the provided parameters * Creates a {@link Saml2WebSsoAuthenticationFilter} given the provided parameters
* @param authenticationConverter the strategy for converting an * @param authenticationConverter the strategy for converting an

Write Preview
Loading…
Cancel
Save