Update to OpenSAML 5 #11658
Comments
|
@phtyson can you help me understand how OpenSAML 4 is not working with Java 17 (based on this comment)? Our samples are running with Java 17 and Spring Security 6 and it seems to be working fine. Perhaps a minimal, reproducible sample would be great to check that. |
|
opensaml4 uses javax, while spring security6 uses Jakarta EE |
|
I think opensaml5 should work better with springsecurity6 |
|
@leshalv I did not find the OpenSAML5 general availability release, can you help me to find it and understand how it would work better with Spring Security 6? |
opensaml5 It is still under development, snapshot, Since the opensaml5 is based on Jakarta EE, it is more suitable for spring security6. |
|
Pac4j has already started to support opensaml5, which I think is helpful for upgrading reference. pac4j-saml-opensamlv5 |
marcusdacoregio
changed the title
|
Opensaml 5.0 has finally been released, see
I'am currently not able to find any changelog at all, would be nice if someone could add those to the list of assets to work through for an possible adoption here. |
|
I don't see OpenSAML 5.0.0 in maven repository yet. I hope this gets available soon, as using spring boot 3 in combination with Java 17 and OpenSAML is an issue now. |
|
@GDeen can you elaborate more on what’s the issue? Maybe with a sample? |
|
@GDeen you will never see any opensaml release in the maven repo, since those are not release to mvn at all. Since Shibooleth took over the development and maintenance, it is published only on their nexus. https://build.jc.net/maven/releases/org/opensaml/opensaml-parent/ Should you still use the versions from mvn - be aware, those are not only massively outdated but have severe security issues. Use @marcusdacoregio i do not think there needs to be an issue. We should follow up on the openSAML releases just to ensure people can use the maintained versions. Surely 4.x will receive updates for some time, maybe a year or more. But the road to 5 should be paved and established before 4 gets EOLed - right? |
|
Our issue is that spring boot 3 uses Jakarta EE over javax.servlet, see https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#jakarta-ee OpenSAML 4.0 requires javax.servlet, see for example: AbstractHttpServletRequestMessageDecoder which requires you to pass a javax.servlet.http.HttpServletRequest |
|
Hi @marcusdacoregio Considering the following scenario, there is an application needs both Spring Security SAML service provider 6.x and SAML IdP, SAML IdP implementations like Shibboleth IdP 5 or CAS SAML IdP 7 (Java 17 and Spring 6 baseline) need OpenSAML 5, but Spring Security SAML is not compatiable with OpenSAML 5, so it don't work. We truely encountered this problem now. |
|
Spring Security has a lot of tests and samples that assert that it works with OpenSAML 4. You may be using other components of OpenSAML that tie you to the |
|
We are indeed using other components of OpenSAML that tie us to the javax.servlet package. I do believe that this is a nuisance for many using OpenSAML though, because if in your application you wish to decode a SAML message using OpenSAML, then you may want to use org.opensaml.messaging.decoder.servlet.AbstractHttpServletRequestMessageDecoder or org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder However, these expect javax.servlet.http.HttpServletRequest. As of Spring boot 3, we need to use Jakarta EE over javax.servlet, see https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#jakarta-ee We will, like others suggested, use OpenSAML 5.0 to tackle the issue (and hope/verify that it still works with Spring Security), but it would of course be nicer if OpenSAML 5.0 was supported by Spring Security. |
|
Are there any updates planned at the moment? @marcusdacoregio |
|
OpenSAML doesn't generally have release notes. The "changelog" for 5.0.0 is here but has no indication of what might be breaking. I think you just have to email [email protected] and ask. I already checked its (and announce@'s) archives. |
|
Hi, @leshalv. There is no updates yet. I am not sure if we will update to a major version during a minor Spring Security version, we must see what it takes to do the update and if it will be transparent for users. |
|
I had a look at compiling with 5.1.2: The dependency Most of Apache The Spring configuration/factory beans (which I don't think Spring Security is actually using?) are moved to |
This will be useful for exposing OpenSAML functionality at a higher level. Each OpenSAML major version release should provide a new implementation. Issue gh-11658
|
hi @jzheaux does this mean we are support both SAML4 and SAML 5 at the same time depending on the artifacts on the classpath? |
|
thank you @OrangeDog |
|
@jzheaux It seems that OpenSAML 4 will be out of support soon: |
|
not sure how to understand this message. I hope there is more clear statement that OpenSAML 4 is EOL which is in few days |
|
@deanmaster It is also mentioned on this page: |
|
thank you, the biggest problem here is Spring Security 6.4.x does not have the release date yet so even we have OpenSAML v5, we can't use it. |
|
hi @jzheaux , Is there any chance that we can backport this feature in 6.3.x branch patch ? The main (big) problem for us is about EOL in 1st September and we only have 15% of 6.4.x finished that means integrate with OpenSAMLv5 seems to become unknown timeline. In case security alert happen with OpenSAML we have no chance to react with v4. |
This was so predictable a year ago ;/ |
|
Edit: ! DO NOT USE THIS !. It also pulls in management of Spring components, back to 6.1.11.
<dependencyManagement>
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-bom</artifactId>
<version>${opensaml.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencyManagement> |
|
@deanmaster with spring boot 3.4 spring security 6.4.1 has been released - this should prepare the compatibility for opensaml 5.x i assume |
|
thanks @EugenMayer I think so too |
|
I tried the integration with sb 3.4.0 and the upgrade is fairly straight forward and for us, everything is working |
|
absolutely great @EugenMayer I tried with beta before it's fine. I will do with 6.4.1 soon. |
By removing OpenSAML3 support in Spring Security 6 we need to make sure that the OpenSAML dependency versions are updated and are compatible with JDK 17.
See:
The text was updated successfully, but these errors were encountered: