SAML2 provider 5.6.0 + Open 4.0.0 in maven got NoSuchMethodError

[fr2lancer]

Describe the bug

Some of methods seem to not match the method signature in two libs in maven.

To Reproduce

Set versions in your pom.xml or other way to

• spring-security-saml2-service-provider -> 5.6.0
• opensaml4 -> all to 4.0.1 (latest version in maven)

Then got the error down below.

If I change opensaml4 to 4.1.1 by compiling locally, it pass.

Expected behavior

The newer version of Opensaml4 hasn't been released in maven yet. So spring-security-saml2-service-provider in maven would need to keep the dependency of opensaml 4 in maven until newer release.

Sample

java.lang.NoSuchMethodError: 'void org.opensaml.saml.saml2.assertion.SAML20AssertionValidator.<init>(java.util.Collection, java.util.Collection, java.util.Collection, org.opensaml.saml.saml2.assertion.AssertionValidator, org.opensaml.xmlsec.signature.support.SignatureTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator)'

	at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider$SAML20AssertionValidators$3.<init>(OpenSaml4AuthenticationProvider.java:732)

[marcusdacoregio]

Hi @fr2lancer, thanks for reaching out.

The opensaml artifacts are published in https://build.shibboleth.net/nexus/content/repositories/releases/. You can check one of our samples using it.

So, to use the latest release you should add the repository to your pom.xml.

[kapil00]

When will the new versions be released to central maven ?

[marcusdacoregio]

Hi @kapil00, I think this question is better suited for the OpenSAML team.

[jzheaux]

The OpenSAML team has commented on using Maven Central in the past.

[fisco-unimatic]

The pom for spring-security-saml2-service-provider 5.7.3 says that it depends on opensaml-saml-api 3.4.6, but 3.4.6 has the 5-arg constructor and 5.7.3 tries to invoke a 6-arg constructor. I don't understand how it could have compiled.

[marcusdacoregio]

That's because we currently support both OpenSAML3 and OpenSAML4. Starting from Spring Security 6, OpenSAML3 won't be supported. See #10556

[akhil-lm]

Hi @marcusdacoregio
I tried connecting to the shibboleth repository, but somehow, my local setup is not able to connect with it.
My build.gradle configurations :-

repositories {
		maven {
			credentials {
				username MAVEN_REPO_USERNAME
				password MAVEN_REPO_PASSWORD
			}
			url REPOSITORRY_URL
		}

		maven {
			url 'https://plugins.gradle.org/m2/'
		}
		maven {
			url "https://build.shibboleth.net/nexus/content/repositories/releases/"
		}
	}

The error I keep on getting is :-

Could not find org.opensaml:opensaml-saml-impl:4.2.0.
Searched in the following locations:

The 'following locations' doesn't have the shibboleth nexus url listed.

Could you please help with why my application doesn't search for the Opensaml 4 artifact in the Shibboleth repository, and is not able to even connect with the repository?

[marcusdacoregio]

Hi @akhil-lm.

Can you share your whole build.gradle and related files? Did you sync the Gradle settings after changing them?

[akhil-lm]

Hi @marcusdacoregio,
Thanks for your reply. In my build.gradle, I had two repositories{} body, one under buildscript{} and one outside it. Both the repositories{} looked identical.

I was placing my shibboleth repository inside the repositories{} in the buildscript{}. Once I moved the shibboleth repository declaration to the other 'repositories{}' outside the buildscript{} body, I was able to connect with it.