Skip to content

Remove GET request support from Saml2AuthenticationTokenConverter #17108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Remove GET request support from Saml2AuthenticationTokenConverter #17108

wants to merge 2 commits into from

Conversation

ngocnhan-tran1996
Copy link
Contributor

@ngocnhan-tran1996 ngocnhan-tran1996 commented May 14, 2025
edited
Loading

I think we can define Boolean shouldInflate and method decode will be added

if (this.shouldInflate == null) {
	this.shouldInflate = HttpMethod.GET.matches(request.getMethod());
}

If not, this will break Saml2LoginBeanDefinitionParserTests and Saml2AuthenticationTokenConverterTests

Saml2LoginBeanDefinitionParserTests > authenticateWhenCustomAuthnRequestRepositoryThenUses() FAILED
    org.mockito.exceptions.verification.WantedButNotInvoked at Saml2LoginBeanDefinitionParserTests.java:323

Saml2LoginBeanDefinitionParserTests > authenticateWhenAuthenticationResponseValidThenAuthenticate() FAILED
    java.lang.AssertionError at Saml2LoginBeanDefinitionParserTests.java:213

Saml2LoginBeanDefinitionParserTests > authenticateWhenAuthenticationResponseValidThenAuthenticationSuccessEventPublished() FAILED
    java.lang.AssertionError at Saml2LoginBeanDefinitionParserTests.java:245

Saml2LoginBeanDefinitionParserTests > authenticateWhenCustomSecurityContextHolderStrategyThenUses() FAILED
    java.lang.AssertionError at Saml2LoginBeanDefinitionParserTests.java:228

Saml2LoginBeanDefinitionParserTests > authenticateWhenCustomAuthenticationManagerThenUses() FAILED
    java.lang.AssertionError at Saml2LoginBeanDefinitionParserTests.java:280

Issue: gh-17099

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 14, 2025
@ngocnhan-tran1996 ngocnhan-tran1996 force-pushed the gh-17099 branch 2 times, most recently from eaa03b3 to e6186a1 Compare May 14, 2025 15:57
jzheaux
jzheaux requested changes May 15, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @ngocnhan-tran1996! I've left some feedback inline.

...g/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java Outdated
@@ -43,6 +43,8 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo

private Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository;

private Boolean shouldInflate;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use boolean and give it an initial value of true. We typically reserve null in Boolean for "no opinion".

...g/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java Outdated
@@ -86,16 +88,26 @@ public void setAuthenticationRequestRepository(
this.authenticationRequestRepository = authenticationRequestRepository;
}

/**
* Use the given {@code shouldInflate} to inflate request.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please indicate the default value in this JavaDoc

...g/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java Outdated
private String decode(HttpServletRequest request) {
// prevent to break passivity in Saml2LoginBeanDefinitionParserTests
if (this.shouldInflate == null) {
this.shouldInflate = HttpMethod.GET.matches(request.getMethod());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not thread-safe since multiple requests will use the same instance of this class. Please approach this in a way that does not involve updating a member variable.

...ingframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java Outdated
@@ -61,6 +61,7 @@ public class Saml2AuthenticationTokenConverterTests {
public void convertWhenSamlResponseThenToken() {
Saml2AuthenticationTokenConverter converter = new Saml2AuthenticationTokenConverter(
this.relyingPartyRegistrationResolver);
converter.setShouldInflateResponse(false);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please don't alter any unit tests. In this way, we can have high confidence that the change is a passive one.

That said, I believe adding a test would be a good idea. I think we should test when shouldInflate is false and the request is a GET.

Copy link
Contributor Author

@ngocnhan-tran1996 ngocnhan-tran1996 May 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please don't alter any unit tests.

This is unclear to me. I've made changes on my local machine, and some tests will fail. We should either set the value to false to keep it passive, or update the expected results in the tests. Which option should we choose?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In order for the change to be passive, all existing unit tests should pass. If they fail, it's because the default behavior has changed. If you default shouldInflateResponse to true, I believe you'll be able to leave those tests as-is. If you run into trouble with that, ping me and I can help.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jzheaux

I've committed separately. Commit 6e793e8 will break passive behavior if we set shouldInflateResponse to true by default. Could you please review it and let me know if I made any mistakes?

@jzheaux jzheaux self-assigned this May 20, 2025
@jzheaux jzheaux added type: enhancement A general enhancement in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels May 23, 2025
@jzheaux jzheaux added this to the 7.0.x milestone May 23, 2025
@jzheaux jzheaux added the status: waiting-for-feedback We need additional information before we can continue label May 23, 2025
@ngocnhan-tran1996 ngocnhan-tran1996 force-pushed the gh-17099 branch 2 times, most recently from 61fee10 to 7b90e07 Compare May 25, 2025 05:44
@ngocnhan-tran1996
Add shouldInflate property
4d7e97b 
Signed-off-by: Tran Ngoc Nhan <[email protected]>
@ngocnhan-tran1996
Fix passive tests
6e793e8 
Signed-off-by: Tran Ngoc Nhan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux requested changes

Assignees

@jzheaux jzheaux

Labels
in: saml2 An issue in SAML2 modules status: waiting-for-feedback We need additional information before we can continue type: enhancement A general enhancement
Projects
None yet
Milestone
7.0.x
Development

Successfully merging this pull request may close these issues.
3 participants
@ngocnhan-tran1996 @jzheaux @spring-projects-issues