Jakub Kubryński jkubrynski @Devskiller https://devskiller.com/techblog Devskiller.com co-founder

jkubrynski/jpa-tuning 6

JPA tuning sandbox project

jkubrynski/LK8000 1

LK8000 Tactical Flight Computer main repo

jkubrynski/ansible-modules-core 0

Ansible modules - these modules ship with ansible

jkubrynski/arquillian-core 0

Arquillian provides a component model for integration tests, which includes dependency injection and container life cycle management. Now, instead of having to manage a runtime in your test, Arquillian brings your test to the runtime. Arquillian Core, Container Extension + Protocols + Enrichers

jkubrynski/asciidoctor-extensions-lab 0

A lab and incubator for Asciidoctor extensions.

push event jkubrynski/_contracts_san

Jakub Kubrynski

commit sha 1bb6ddfaad7f4e3e0a70af2862c8c5d8ca943e77

Add changes

push time in 2 hours

push event jkubrynski/_contracts_san

Jakub Kubrynski

commit sha cb55c3f80032c51f0215a14e466e47c5e922922c

Client tests

push time in 5 hours

push event jkubrynski/_contracts_san

Jakub Kubrynski

commit sha 38ce50708e2bd6cb547fae927cca06db707a068b

Add Projects

push time in 5 hours

push event jkubrynski/_contracts_san

Jakub Kubrynski

commit sha bef5e0cb01486aa9b30d95f21f7d687733aa2825

Add contract and controller

push time in 6 hours

push event jkubrynski/_contracts_san

Jakub Kubrynski

commit sha f6d830e59165bce9cda36f165d6ec970fe5fe44a

Refactor ExternalUser

push time in 7 hours

push event jkubrynski/_contracts_san

Jakub Kubrynski

commit sha a7daee476bc100b4c02bf2b6453fa53bbc585e72

Add wiremock tests

push time in 7 hours

create branch jkubrynski/_contracts_san

branch : master

created branch time in 8 hours

created repository jkubrynski/_contracts_san

created time in 8 hours

issue comment spring-cloud/spring-cloud-contract

inProgress() should skip generating just single contract in a package

In my opinion inProgress() shouldn't skip the contract, but just generate an ignored test. That is a stage where the contract is not yet finished; however, a developer can expect support from the framework, like being able to use the generated test to verify the implementation when coding.

jm-ck

comment created time in 17 days

create branch jkubrynski/microservices_deps

branch : master

created branch time in 18 days

created repository jkubrynski/microservices_deps

created time in 18 days

issue comment spring-cloud/spring-cloud-contract

Incorrect pattern used when project version != contracts version

A potential workaround for this issue is to set <contractsPath>contracts</contractsPath>

jkubrynski

comment created time in 19 days

issue opened spring-cloud/spring-cloud-contract

Incorrect pattern used when project version != contracts version

When using git contract storage there is inconsistent behaviour for different versions of the producer and contracts.

  1. producer version == contracts version
[INFO] Pattern to pick contracts equals [^/var/folders/4w/bz0nmbb50c5_099vnjx2mv8m0000gn/T/git-contracts-1599411817978-0/META-INF/com.group/sample/0.0.1/contracts.*$]
[INFO] Ant Pattern to pick files equals [**/]
  2. producer version != contracts version
[INFO] Pattern to pick contracts equals [^/var/folders/4w/bz0nmbb50c5_099vnjx2mv8m0000gn/T/git-contracts-1599412143392-0/META-INF/com.group/sample/0.0.1(/)?.*com/kubrynski/workshop/warehouse/.*$]
[INFO] Ant Pattern to pick files equals [**/com/group/sample/**/]

This may be related to the hasVersionInPath implementation at https://github.com/spring-cloud/spring-cloud-contract/blob/master/spring-cloud-contract-stub-runner/src/main/java/org/springframework/cloud/contract/stubrunner/ContractDownloader.java#L167

created time in 19 days

pull request comment spring-projects/spring-security

Fix #8484 Provide mechanism for parsing IdP metadata

Sorry @jzheaux but I don't have more time left to support those PRs. You can work on this one on your side or simply close it.

jkubrynski

comment created time in 2 months

pull request comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

Hi, sorry but I don't have more time for this PR. Feel free to polish it on your side or simply close it.

jkubrynski

comment created time in 2 months

push event jkubrynski/spring-security

Eleftheria Stein

commit sha aeabf06f12cdc1b5d85550a0b68cb155ebffe215

Restrict mockito to 3.3.+ Closes gh-8828

Eleftheria Stein

commit sha 08670aa074893eb70077ea1f852ac1055422b043

Add Kotlin WebFlux header configuration to docs Issue gh-8172

Eleftheria Stein

commit sha 9f0e8ebca50860a0c585db35b18d22a0879f47e1

Set RSocket version to Snapshot in snapshot build

Jakub Kubrynski

commit sha aec89c3b8ab6df1c6659aa924ee4c3b93f977ba4

Checkstyle fixes

Jakub Kubrynski

commit sha 6fefb2d1821470125de5e4e07fa7280ae3be01ce

Fixes after code review #3

push time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

  	private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository; +	private Saml2MetadataResolver saml2MetadataResolver;+ 	private AuthenticationManager authenticationManager;  	private Saml2WebSsoAuthenticationFilter saml2WebSsoAuthenticationFilter; +	private Saml2MetadataFilter saml2MetadataFilter;
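Review bot: the new `saml2MetadataResolver` and `saml2MetadataFilter` fields are declared next to `relyingPartyRegistrationRepository` and `saml2WebSsoAuthenticationFilter`, but nothing in the hunk assigns them; if the metadata endpoint is meant to work without external configuration, the configurer should fall back to a default resolver (the `OpenSamlMetadataResolver` introduced in this PR) when none is set, so the filter can never be handed a null resolver.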

Entity ID patterns used as defaults across spring-security-saml map to the URL, which to me suggests this URL should be available without any external configuration. Why do you think it's odd?

jkubrynski

comment created time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

+/*+ * Copyright 2002-2020 the original author or authors.+ *+ * Licensed under the Apache License, Version 2.0 (the "License");+ * you may not use this file except in compliance with the License.+ * You may obtain a copy of the License at+ *+ *      https://www.apache.org/licenses/LICENSE-2.0+ *+ * Unless required by applicable law or agreed to in writing, software+ * distributed under the License is distributed on an "AS IS" BASIS,+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+ * See the License for the specific language governing permissions and+ * limitations under the License.+ */++package org.springframework.security.saml2.provider.service.web;++import net.shibboleth.utilities.java.support.xml.SerializeSupport;+import org.opensaml.core.xml.XMLObjectBuilder;+import org.opensaml.core.xml.XMLObjectBuilderFactory;+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;+import org.opensaml.core.xml.io.Marshaller;+import org.opensaml.saml.common.xml.SAMLConstants;+import org.opensaml.saml.saml2.core.NameIDType;+import org.opensaml.saml.saml2.metadata.AssertionConsumerService;+import org.opensaml.saml.saml2.metadata.EntityDescriptor;+import org.opensaml.saml.saml2.metadata.KeyDescriptor;+import org.opensaml.saml.saml2.metadata.NameIDFormat;+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;+import org.opensaml.security.credential.UsageType;+import org.opensaml.xmlsec.signature.KeyInfo;+import org.opensaml.xmlsec.signature.X509Certificate;+import org.opensaml.xmlsec.signature.X509Data;+import org.springframework.security.saml2.Saml2Exception;+import org.springframework.security.saml2.credentials.Saml2X509Credential;+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;+import org.w3c.dom.Element;++import javax.servlet.http.HttpServletRequest;+import javax.xml.namespace.QName;+import java.security.cert.CertificateEncodingException;+import java.util.ArrayList;+import 
java.util.Base64;+import java.util.List;++/**+ * @author Jakub Kubrynski+ * @since 5.4+ */+public class OpenSamlMetadataResolver implements Saml2MetadataResolver {++	@Override+	public String resolveMetadata(HttpServletRequest request, RelyingPartyRegistration registration) {++		XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();++		EntityDescriptor entityDescriptor = buildObject(builderFactory, EntityDescriptor.ELEMENT_QNAME);++		entityDescriptor.setEntityID(+				resolveTemplate(registration.getEntityId(), registration, request));++		SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(registration, builderFactory, request);+		entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);++		return serializeToXmlString(entityDescriptor);+	}++	private String serializeToXmlString(EntityDescriptor entityDescriptor) {+		try {+			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor);+			if (marshaller == null) {+				throw new Saml2Exception("Unable to resolve Marshaller");+			}+			Element element = marshaller.marshall(entityDescriptor);+			return SerializeSupport.prettyPrintXML(element);+		} catch (Exception e) {+			throw new Saml2Exception(e);+		}+	}++	private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration,+			XMLObjectBuilderFactory builderFactory, HttpServletRequest request) {++		SPSSODescriptor spSsoDescriptor = buildObject(builderFactory, SPSSODescriptor.DEFAULT_ELEMENT_NAME);+		spSsoDescriptor.setAuthnRequestsSigned(registration.getAssertingPartyDetails().getWantAuthnRequestsSigned());+		spSsoDescriptor.setWantAssertionsSigned(true);+		spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);++		NameIDFormat nameIdFormat = buildObject(builderFactory, NameIDFormat.DEFAULT_ELEMENT_NAME);+		nameIdFormat.setFormat(registration.getAssertingPartyDetails().getNameIdFormat());+		
spSsoDescriptor.getNameIDFormats().add(nameIdFormat);++		spSsoDescriptor.getAssertionConsumerServices().add(+				buildAssertionConsumerService(registration, builderFactory, request));++		spSsoDescriptor.getKeyDescriptors().addAll(buildKeys(builderFactory,+				registration.getSigningCredentials(), UsageType.SIGNING));+		spSsoDescriptor.getKeyDescriptors().addAll(buildKeys(builderFactory,+				registration.getEncryptionCredentials(), UsageType.ENCRYPTION));++		return spSsoDescriptor;+	}++	private List<KeyDescriptor> buildKeys(XMLObjectBuilderFactory builderFactory,+			List<Saml2X509Credential> credentials, UsageType usageType) {+		List<KeyDescriptor> list = new ArrayList<>();+		for (Saml2X509Credential credential : credentials) {+			KeyDescriptor keyDescriptor = buildKeyDescriptor(builderFactory, usageType, credential.getCertificate());+			list.add(keyDescriptor);+		}+		return list;+	}++	private KeyDescriptor buildKeyDescriptor(XMLObjectBuilderFactory builderFactory, UsageType usageType,+			java.security.cert.X509Certificate certificate) {+		KeyDescriptor keyDescriptor = buildObject(builderFactory, KeyDescriptor.DEFAULT_ELEMENT_NAME);+		KeyInfo keyInfo = buildObject(builderFactory, KeyInfo.DEFAULT_ELEMENT_NAME);+		X509Certificate x509Certificate = buildObject(builderFactory, X509Certificate.DEFAULT_ELEMENT_NAME);+		X509Data x509Data = buildObject(builderFactory, X509Data.DEFAULT_ELEMENT_NAME);++		try {+			x509Certificate.setValue(new String(Base64.getEncoder().encode(certificate.getEncoded())));+		} catch (CertificateEncodingException e) {+			throw new Saml2Exception("Cannot encode certificate " + certificate.toString());+		}++		x509Data.getX509Certificates().add(x509Certificate);+		keyInfo.getX509Datas().add(x509Data);++		keyDescriptor.setUse(usageType);+		keyDescriptor.setKeyInfo(keyInfo);+		return keyDescriptor;+	}++	private AssertionConsumerService buildAssertionConsumerService(RelyingPartyRegistration registration,+			XMLObjectBuilderFactory builderFactory, 
HttpServletRequest request) {+		AssertionConsumerService assertionConsumerService = buildObject(builderFactory, AssertionConsumerService.DEFAULT_ELEMENT_NAME);++		assertionConsumerService.setLocation(+				resolveTemplate(registration.getAssertionConsumerServiceLocation(), registration, request));+		assertionConsumerService.setBinding(registration.getAssertingPartyDetails().getSingleSignOnServiceBinding().getUrn());
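Review bot: `buildAssertionConsumerService` takes the ACS binding from `registration.getAssertingPartyDetails().getSingleSignOnServiceBinding().getUrn()`, which describes how this SP delivers the AuthnRequest to the IdP's single sign-on endpoint, not how the IdP delivers the Response to this SP's AssertionConsumerService; in SAML 2.0 metadata the two bindings are independent (an IdP that accepts Redirect AuthnRequests commonly posts Responses), so the advertised ACS binding should come from the relying party's own configuration rather than be derived from the asserting party's SSO binding.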

You cannot simply hardcode POST here, as REDIRECT is pretty common in Saml. I don't get the problem with such usage as above

jkubrynski

comment created time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

  * limitations under the License.  */ -package org.springframework.security.saml2.provider.service.servlet.filter;+package org.springframework.security.saml2.provider.service.web;
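Review bot: moving this class from `org.springframework.security.saml2.provider.service.servlet.filter` to `org.springframework.security.saml2.provider.service.web` separates it from the package-private `*Utils` helpers it relies on, so the move only compiles if those helpers become public, which widens the supported API surface; if only the new filters are meant to live in `web`, move the helpers they need alongside them (or keep them package-private copies) rather than opening up the whole utility set.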

I cannot move new filters without moving the rest or changing the visibility of *Utils classes to public. Are you OK with the second one?

jkubrynski

comment created time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

 public static Builder withRelyingPartyRegistration(RelyingPartyRegistration regi 		private final String entityId; 		private final boolean wantAuthnRequestsSigned; 		private final String singleSignOnServiceLocation;+		private final String nameIdFormat;
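Review bot: `nameIdFormat` is added as a `private final String` beside `entityId`, `wantAuthnRequestsSigned` and `singleSignOnServiceLocation`, but the hunk shows no default for it; since the metadata resolver passes this value straight to `NameIDFormat.setFormat(...)`, a registration that never sets it would emit an empty `<NameIDFormat>` element in the SP metadata, so either give the builder a default or have the resolver omit the element when the value is null.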

NameID is a part of the IDPSSODescriptor

jkubrynski

comment created time in 2 months

push event jkubrynski/spring-security

Joe Grandja

commit sha edf06a34619a16d001f860e837b7811c2e0c3bb5

OAuth2AuthorizedClientArgumentResolver uses OAuth2AuthorizedClientManager @Bean Closes gh-8700

Benjamin Bargeton

commit sha 497ef5e74ec435e6a03a238ced134e6bc735a947

OAuth2AccessTokenResponse.Builder.expiresIn works after withResponse Closes gh-8702

Eleftheria Stein

commit sha eb7b27695d3f9fce869eb3fb1c0ec56c32a9cb2b

Compare Timestamps up to the millisecond Issue gh-8782

Peer Schönhusen

commit sha 3e25714dc6adf8054734fdf587c93745f669369f

Add reified function variants to security DSL Closes gh-8697

Joe Grandja

commit sha 0b5a14a900f3360bf51296f24a7c89945ca84132

Register OAuth2AuthorizedClientArgumentResolver as custom resolver for XML config Issue gh-8669

Josh Cummings

commit sha 5178cc7d65b872ab96550f1408d1b0c1023bb586

Update to Google App Engine 1.7.80 Closes gh-8785

Josh Cummings

commit sha 609e6de1017ccf3fee276708a2e85f9b6e614cf1

Update to Kotlin 1.3.72 Closes gh-8786

Josh Cummings

commit sha c04ebe3d560ca74cb67b1d8b8f8c728006cb3439

Update to Spring Boot 2.4.0-M1 Closes gh-8787

Josh Cummings

commit sha 68538897c83a7ce8db0ec7275dbd10b1a548498f

Lock Dependency Versions for 5.4.0-M2

Josh Cummings

commit sha cb9d524e1678ac1a97c82dcc5e12e03e51d36d9a

Release 5.4.0-M2

Josh Cummings

commit sha 146d0b635826784814f2167f99cd45fe3ce1d529

Revert "Lock Dependency Versions for 5.4.0-M2" This reverts commit 68538897c83a7ce8db0ec7275dbd10b1a548498f.

Josh Cummings

commit sha d3dc8b055be6fa74dea2e16c4f80d6223cc86ab7

Next Development Version

Zeeshan Adnan

commit sha 9708a2d63fb9a1898bae7971953f21ae8aff9340

Adds cookie based RequestCache fixes spring-projects gh-8034

Eleftheria Stein

commit sha 4fb5ff35dbceae175ba2747742d39fb044130ffe

Polish CookieRequestCache Issue gh-8034

Eleftheria Stein

commit sha 0bdf6859bea4266e835e8af363336dbdcda5a725

Add Kotlin logout samples to docs Issue gh-8172

Eleftheria Stein

commit sha f479f0ea49b7d35626c970ea8b6a7a5e05c4107d

Add Kotlin expression-based authorization Issue gh-8172

Rob Winch

commit sha 09fe6071e189663f00c7498c8214972d2e09b539

LoginPageGeneratingWebFilter honors context path Closes gh-8807

Rob Winch

commit sha 9c33a862d4da2f4f6c96259507f70fe24d5d3f2c

tutorial hasRole->hasAuthority Closes gh-8796

wangsong

commit sha 4269cb0d26b97b53519d3b3779fb8b7432bce68b

update comments

Josh Cummings

commit sha 8e8a642e5a8a25138361fc5d0127c27b453da35d

Use Spec Language in RelyingPartyRegistration Changed conventions to better follow the metadata descriptors that the registration is meant to represent. Closes gh-8777

push time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

+/*+ * Copyright 2002-2020 the original author or authors.+ *+ * Licensed under the Apache License, Version 2.0 (the "License");+ * you may not use this file except in compliance with the License.+ * You may obtain a copy of the License at+ *+ *      https://www.apache.org/licenses/LICENSE-2.0+ *+ * Unless required by applicable law or agreed to in writing, software+ * distributed under the License is distributed on an "AS IS" BASIS,+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+ * See the License for the specific language governing permissions and+ * limitations under the License.+ */++package org.springframework.security.saml2.provider.service.servlet.filter;++import net.shibboleth.utilities.java.support.xml.SerializeSupport;+import org.opensaml.core.config.ConfigurationService;+import org.opensaml.core.xml.XMLObjectBuilder;+import org.opensaml.core.xml.XMLObjectBuilderFactory;+import org.opensaml.core.xml.config.XMLObjectProviderRegistry;+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;+import org.opensaml.core.xml.io.Marshaller;+import org.opensaml.core.xml.io.MarshallingException;+import org.opensaml.saml.common.xml.SAMLConstants;+import org.opensaml.saml.saml2.core.NameIDType;+import org.opensaml.saml.saml2.metadata.AssertionConsumerService;+import org.opensaml.saml.saml2.metadata.EntityDescriptor;+import org.opensaml.saml.saml2.metadata.KeyDescriptor;+import org.opensaml.saml.saml2.metadata.NameIDFormat;+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;+import org.opensaml.security.credential.UsageType;+import org.opensaml.xmlsec.signature.KeyInfo;+import org.opensaml.xmlsec.signature.X509Certificate;+import org.opensaml.xmlsec.signature.X509Data;+import org.springframework.security.saml2.Saml2Exception;+import org.springframework.security.saml2.credentials.Saml2X509Credential;+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;+import 
org.w3c.dom.Element;++import javax.servlet.http.HttpServletRequest;+import javax.xml.namespace.QName;+import java.security.cert.CertificateEncodingException;+import java.util.Base64;+import java.util.List;+import java.util.stream.Collectors;++/**+ * @author Jakub Kubrynski+ * @since 5.4+ */+class SamlMetadataGenerator {++	String generateMetadata(RelyingPartyRegistration registration, HttpServletRequest request) {++		XMLObjectBuilderFactory builderFactory = ConfigurationService.get(XMLObjectProviderRegistry.class).getBuilderFactory();++		EntityDescriptor entityDescriptor = buildObject(builderFactory, EntityDescriptor.ELEMENT_QNAME);++		entityDescriptor.setEntityID(+				resolveTemplate(registration.getLocalEntityIdTemplate(), registration, request));++		SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(registration, builderFactory, request);+		entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);++		return serializeToXmlString(entityDescriptor);+	}++	private String serializeToXmlString(EntityDescriptor entityDescriptor) {+		try {+			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor);+			if (marshaller == null) {+				throw new Saml2Exception("Unable to resolve Marshaller");+			}+			Element element = marshaller.marshall(entityDescriptor);+			return SerializeSupport.prettyPrintXML(element);+		} catch (MarshallingException e) {
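Review bot: `generateMetadata` obtains the builder factory through `ConfigurationService.get(XMLObjectProviderRegistry.class).getBuilderFactory()`, which dereferences a null registry as a bare `NullPointerException` when OpenSAML has not been initialised, while `serializeToXmlString` in the same class goes through `XMLObjectProviderRegistrySupport.getMarshallerFactory()`; use `XMLObjectProviderRegistrySupport.getBuilderFactory()` for both (the later `OpenSamlMetadataResolver` revision of this file already does) and guard the lookup with a `Saml2Exception` so an uninitialised OpenSAML surfaces as a clear error. The `catch (MarshallingException e)` at the end of the hunk also leaves any runtime exception from `marshall` unwrapped, which is worth deciding explicitly.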

Do you want to wrap any RuntimeException with the Saml2Exception?

jkubrynski

comment created time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

+/*+ * Copyright 2002-2020 the original author or authors.+ *+ * Licensed under the Apache License, Version 2.0 (the "License");+ * you may not use this file except in compliance with the License.+ * You may obtain a copy of the License at+ *+ *      https://www.apache.org/licenses/LICENSE-2.0+ *+ * Unless required by applicable law or agreed to in writing, software+ * distributed under the License is distributed on an "AS IS" BASIS,+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+ * See the License for the specific language governing permissions and+ * limitations under the License.+ */++package org.springframework.security.saml2.provider.service.servlet.filter;++import net.shibboleth.utilities.java.support.xml.SerializeSupport;+import org.opensaml.core.config.ConfigurationService;+import org.opensaml.core.xml.XMLObjectBuilder;+import org.opensaml.core.xml.XMLObjectBuilderFactory;+import org.opensaml.core.xml.config.XMLObjectProviderRegistry;+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;+import org.opensaml.core.xml.io.Marshaller;+import org.opensaml.core.xml.io.MarshallingException;+import org.opensaml.saml.common.xml.SAMLConstants;+import org.opensaml.saml.saml2.core.NameIDType;+import org.opensaml.saml.saml2.metadata.AssertionConsumerService;+import org.opensaml.saml.saml2.metadata.EntityDescriptor;+import org.opensaml.saml.saml2.metadata.KeyDescriptor;+import org.opensaml.saml.saml2.metadata.NameIDFormat;+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;+import org.opensaml.security.credential.UsageType;+import org.opensaml.xmlsec.signature.KeyInfo;+import org.opensaml.xmlsec.signature.X509Certificate;+import org.opensaml.xmlsec.signature.X509Data;+import org.springframework.security.saml2.Saml2Exception;+import org.springframework.security.saml2.credentials.Saml2X509Credential;+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;+import 
org.w3c.dom.Element;++import javax.servlet.http.HttpServletRequest;+import javax.xml.namespace.QName;+import java.security.cert.CertificateEncodingException;+import java.util.Base64;+import java.util.List;+import java.util.stream.Collectors;++/**+ * @author Jakub Kubrynski+ * @since 5.4+ */+class SamlMetadataGenerator {++	String generateMetadata(RelyingPartyRegistration registration, HttpServletRequest request) {++		XMLObjectBuilderFactory builderFactory = ConfigurationService.get(XMLObjectProviderRegistry.class).getBuilderFactory();++		EntityDescriptor entityDescriptor = buildObject(builderFactory, EntityDescriptor.ELEMENT_QNAME);++		entityDescriptor.setEntityID(+				resolveTemplate(registration.getLocalEntityIdTemplate(), registration, request));++		SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(registration, builderFactory, request);+		entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);++		return serializeToXmlString(entityDescriptor);+	}++	private String serializeToXmlString(EntityDescriptor entityDescriptor) {+		try {+			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor);+			if (marshaller == null) {+				throw new Saml2Exception("Unable to resolve Marshaller");+			}+			Element element = marshaller.marshall(entityDescriptor);+			return SerializeSupport.prettyPrintXML(element);+		} catch (MarshallingException e) {+			throw new Saml2Exception(e);+		}+	}++	private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration,+			XMLObjectBuilderFactory builderFactory, HttpServletRequest request) {++		SPSSODescriptor spSsoDescriptor = buildObject(builderFactory, SPSSODescriptor.DEFAULT_ELEMENT_NAME);+		spSsoDescriptor.setAuthnRequestsSigned(registration.getProviderDetails().isSignAuthNRequest());+		spSsoDescriptor.setWantAssertionsSigned(true);+		spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);++		NameIDFormat nameIdFormat = 
buildObject(builderFactory, NameIDFormat.DEFAULT_ELEMENT_NAME);+		nameIdFormat.setFormat(NameIDType.EMAIL);+		spSsoDescriptor.getNameIDFormats().add(nameIdFormat);++		spSsoDescriptor.getAssertionConsumerServices().add(+				buildAssertionConsumerService(registration, builderFactory, request));++		spSsoDescriptor.getKeyDescriptors().addAll(buildKeys(builderFactory,+				registration.getSigningCredentials(), UsageType.SIGNING));+		spSsoDescriptor.getKeyDescriptors().addAll(buildKeys(builderFactory,+				registration.getEncryptionCredentials(), UsageType.ENCRYPTION));++		return spSsoDescriptor;+	}++	private List<KeyDescriptor> buildKeys(XMLObjectBuilderFactory builderFactory,+			List<Saml2X509Credential> credentials, UsageType usageType) {+		return credentials
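Review bot: `buildSpSsoDescriptor` hardcodes `setWantAssertionsSigned(true)` while `setAuthnRequestsSigned` is read from `registration.getProviderDetails().isSignAuthNRequest()`; advertising in metadata that assertions must be signed is only meaningful if response processing actually rejects unsigned assertions, so either derive this flag from the registration as well or document that the SP enforces signed assertions unconditionally, so the advertised requirement and the enforced behaviour cannot drift apart.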

I'm, but I'm also not sure how long it will take you to discuss this standard.

jkubrynski

comment created time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

+/*+ * Copyright 2002-2020 the original author or authors.+ *+ * Licensed under the Apache License, Version 2.0 (the "License");+ * you may not use this file except in compliance with the License.+ * You may obtain a copy of the License at+ *+ *      https://www.apache.org/licenses/LICENSE-2.0+ *+ * Unless required by applicable law or agreed to in writing, software+ * distributed under the License is distributed on an "AS IS" BASIS,+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+ * See the License for the specific language governing permissions and+ * limitations under the License.+ */++package org.springframework.security.saml2.provider.service.servlet.filter;++import net.shibboleth.utilities.java.support.xml.SerializeSupport;+import org.opensaml.core.config.ConfigurationService;+import org.opensaml.core.xml.XMLObjectBuilder;+import org.opensaml.core.xml.XMLObjectBuilderFactory;+import org.opensaml.core.xml.config.XMLObjectProviderRegistry;+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;+import org.opensaml.core.xml.io.Marshaller;+import org.opensaml.core.xml.io.MarshallingException;+import org.opensaml.saml.common.xml.SAMLConstants;+import org.opensaml.saml.saml2.core.NameIDType;+import org.opensaml.saml.saml2.metadata.AssertionConsumerService;+import org.opensaml.saml.saml2.metadata.EntityDescriptor;+import org.opensaml.saml.saml2.metadata.KeyDescriptor;+import org.opensaml.saml.saml2.metadata.NameIDFormat;+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;+import org.opensaml.security.credential.UsageType;+import org.opensaml.xmlsec.signature.KeyInfo;+import org.opensaml.xmlsec.signature.X509Certificate;+import org.opensaml.xmlsec.signature.X509Data;+import org.springframework.security.saml2.Saml2Exception;+import org.springframework.security.saml2.credentials.Saml2X509Credential;+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;+import 
org.w3c.dom.Element;++import javax.servlet.http.HttpServletRequest;+import javax.xml.namespace.QName;+import java.security.cert.CertificateEncodingException;+import java.util.Base64;+import java.util.List;+import java.util.stream.Collectors;++/**+ * @author Jakub Kubrynski+ * @since 5.4+ */+class SamlMetadataGenerator {++	String generateMetadata(RelyingPartyRegistration registration, HttpServletRequest request) {++		XMLObjectBuilderFactory builderFactory = ConfigurationService.get(XMLObjectProviderRegistry.class).getBuilderFactory();++		EntityDescriptor entityDescriptor = buildObject(builderFactory, EntityDescriptor.ELEMENT_QNAME);++		entityDescriptor.setEntityID(+				resolveTemplate(registration.getLocalEntityIdTemplate(), registration, request));++		SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(registration, builderFactory, request);+		entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);++		return serializeToXmlString(entityDescriptor);+	}++	private String serializeToXmlString(EntityDescriptor entityDescriptor) {+		try {+			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor);+			if (marshaller == null) {+				throw new Saml2Exception("Unable to resolve Marshaller");+			}+			Element element = marshaller.marshall(entityDescriptor);+			return SerializeSupport.prettyPrintXML(element);+		} catch (MarshallingException e) {+			throw new Saml2Exception(e);+		}+	}++	private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration,+			XMLObjectBuilderFactory builderFactory, HttpServletRequest request) {++		SPSSODescriptor spSsoDescriptor = buildObject(builderFactory, SPSSODescriptor.DEFAULT_ELEMENT_NAME);+		spSsoDescriptor.setAuthnRequestsSigned(registration.getProviderDetails().isSignAuthNRequest());+		spSsoDescriptor.setWantAssertionsSigned(true);+		spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);++		NameIDFormat nameIdFormat = 
buildObject(builderFactory, NameIDFormat.DEFAULT_ELEMENT_NAME);+		nameIdFormat.setFormat(NameIDType.EMAIL);
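Review bot: `nameIdFormat.setFormat(NameIDType.EMAIL)` hardcodes the NameID format advertised in the SP metadata, so every registration generated here tells the IdP it expects email-address identifiers regardless of what that IdP is configured to issue; this value belongs on `RelyingPartyRegistration` so it can be set per registration, and the `<NameIDFormat>` element can be omitted when no format is configured.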

That sounds like a pretty hard change for regular users. I'd suggest adding this information to RelyingPartyRegistration. WDYT?

jkubrynski

comment created time in 2 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha 5fd41c6c4f9fe976fde170ed13e9d6fca917f0b4

Fixes after code review

push time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

+/*+ * Copyright 2002-2020 the original author or authors.+ *+ * Licensed under the Apache License, Version 2.0 (the "License");+ * you may not use this file except in compliance with the License.+ * You may obtain a copy of the License at+ *+ *      https://www.apache.org/licenses/LICENSE-2.0+ *+ * Unless required by applicable law or agreed to in writing, software+ * distributed under the License is distributed on an "AS IS" BASIS,+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+ * See the License for the specific language governing permissions and+ * limitations under the License.+ */++package org.springframework.security.saml2.provider.service.servlet.filter;++import net.shibboleth.utilities.java.support.xml.SerializeSupport;+import org.opensaml.core.config.ConfigurationService;+import org.opensaml.core.xml.XMLObjectBuilder;+import org.opensaml.core.xml.XMLObjectBuilderFactory;+import org.opensaml.core.xml.config.XMLObjectProviderRegistry;+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;+import org.opensaml.core.xml.io.Marshaller;+import org.opensaml.core.xml.io.MarshallingException;+import org.opensaml.saml.common.xml.SAMLConstants;+import org.opensaml.saml.saml2.core.NameIDType;+import org.opensaml.saml.saml2.metadata.AssertionConsumerService;+import org.opensaml.saml.saml2.metadata.EntityDescriptor;+import org.opensaml.saml.saml2.metadata.KeyDescriptor;+import org.opensaml.saml.saml2.metadata.NameIDFormat;+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;+import org.opensaml.security.credential.UsageType;+import org.opensaml.xmlsec.signature.KeyInfo;+import org.opensaml.xmlsec.signature.X509Certificate;+import org.opensaml.xmlsec.signature.X509Data;+import org.springframework.security.saml2.Saml2Exception;+import org.springframework.security.saml2.credentials.Saml2X509Credential;+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;+import 
org.w3c.dom.Element;++import javax.servlet.http.HttpServletRequest;+import javax.xml.namespace.QName;+import java.security.cert.CertificateEncodingException;+import java.util.Base64;+import java.util.List;+import java.util.stream.Collectors;++/**+ * @author Jakub Kubrynski+ * @since 5.4+ */+class SamlMetadataGenerator {++	String generateMetadata(RelyingPartyRegistration registration, HttpServletRequest request) {++		XMLObjectBuilderFactory builderFactory = ConfigurationService.get(XMLObjectProviderRegistry.class).getBuilderFactory();++		EntityDescriptor entityDescriptor = buildObject(builderFactory, EntityDescriptor.ELEMENT_QNAME);++		entityDescriptor.setEntityID(+				resolveTemplate(registration.getLocalEntityIdTemplate(), registration, request));++		SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(registration, builderFactory, request);+		entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);++		return serializeToXmlString(entityDescriptor);+	}++	private String serializeToXmlString(EntityDescriptor entityDescriptor) {+		try {+			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor);+			if (marshaller == null) {+				throw new Saml2Exception("Unable to resolve Marshaller");+			}+			Element element = marshaller.marshall(entityDescriptor);+			return SerializeSupport.prettyPrintXML(element);+		} catch (MarshallingException e) {+			throw new Saml2Exception(e);+		}+	}++	private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration,+			XMLObjectBuilderFactory builderFactory, HttpServletRequest request) {++		SPSSODescriptor spSsoDescriptor = buildObject(builderFactory, SPSSODescriptor.DEFAULT_ELEMENT_NAME);+		spSsoDescriptor.setAuthnRequestsSigned(registration.getProviderDetails().isSignAuthNRequest());+		spSsoDescriptor.setWantAssertionsSigned(true);+		spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);++		NameIDFormat nameIdFormat = 
buildObject(builderFactory, NameIDFormat.DEFAULT_ELEMENT_NAME);+		nameIdFormat.setFormat(NameIDType.EMAIL);+		spSsoDescriptor.getNameIDFormats().add(nameIdFormat);++		spSsoDescriptor.getAssertionConsumerServices().add(+				buildAssertionConsumerService(registration, builderFactory, request));++		spSsoDescriptor.getKeyDescriptors().addAll(buildKeys(builderFactory,+				registration.getSigningCredentials(), UsageType.SIGNING));+		spSsoDescriptor.getKeyDescriptors().addAll(buildKeys(builderFactory,+				registration.getEncryptionCredentials(), UsageType.ENCRYPTION));++		return spSsoDescriptor;+	}++	private List<KeyDescriptor> buildKeys(XMLObjectBuilderFactory builderFactory,+			List<Saml2X509Credential> credentials, UsageType usageType) {+		return credentials+				.stream()+				.map(credential -> buildKeyDescriptor(builderFactory, usageType, credential.getCertificate()))+				.collect(Collectors.toList());+	}++	private KeyDescriptor buildKeyDescriptor(XMLObjectBuilderFactory builderFactory, UsageType usageType,+			java.security.cert.X509Certificate certificate) {+		KeyDescriptor keyDescriptor = buildObject(builderFactory, KeyDescriptor.DEFAULT_ELEMENT_NAME);+		KeyInfo keyInfo = buildObject(builderFactory, KeyInfo.DEFAULT_ELEMENT_NAME);+		X509Certificate x509Certificate = buildObject(builderFactory, X509Certificate.DEFAULT_ELEMENT_NAME);+		X509Data x509Data = buildObject(builderFactory, X509Data.DEFAULT_ELEMENT_NAME);++		try {+			x509Certificate.setValue(new String(Base64.getEncoder().encode(certificate.getEncoded())));+		} catch (CertificateEncodingException e) {+			throw new Saml2Exception("Cannot encode certificate " + certificate.toString());+		}++		x509Data.getX509Certificates().add(x509Certificate);+		keyInfo.getX509Datas().add(x509Data);++		keyDescriptor.setUse(usageType);+		keyDescriptor.setKeyInfo(keyInfo);+		return keyDescriptor;+	}++	private AssertionConsumerService buildAssertionConsumerService(RelyingPartyRegistration registration,+			XMLObjectBuilderFactory 
builderFactory, HttpServletRequest request) {+		AssertionConsumerService assertionConsumerService = buildObject(builderFactory, AssertionConsumerService.DEFAULT_ELEMENT_NAME);++		assertionConsumerService.setLocation(+				resolveTemplate(registration.getAssertionConsumerServiceUrlTemplate(), registration, request));
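Review bot: the CertificateEncodingException branch in buildKeyDescriptor drops the cause and puts the entire certificate into the message: throw new Saml2Exception("Cannot encode certificate " + certificate.toString()); pass e as the cause and keep the message short (the subject DN is enough for diagnosis), consistent with the MarshallingException branch which does throw new Saml2Exception(e). In the same method, new String(Base64.getEncoder().encode(certificate.getEncoded())) converts the bytes with the platform default charset; Base64.getEncoder().encodeToString(certificate.getEncoded()) is the call that was meant here and removes the charset dependency.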

There aren't any changes on the master branch. Should I rebase on gh-8777?

jkubrynski

comment created time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

+/*+ * Copyright 2002-2020 the original author or authors.+ *+ * Licensed under the Apache License, Version 2.0 (the "License");+ * you may not use this file except in compliance with the License.+ * You may obtain a copy of the License at+ *+ *      https://www.apache.org/licenses/LICENSE-2.0+ *+ * Unless required by applicable law or agreed to in writing, software+ * distributed under the License is distributed on an "AS IS" BASIS,+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+ * See the License for the specific language governing permissions and+ * limitations under the License.+ */++package org.springframework.security.saml2.provider.service.servlet.filter;++import net.shibboleth.utilities.java.support.xml.SerializeSupport;+import org.opensaml.core.config.ConfigurationService;+import org.opensaml.core.xml.XMLObjectBuilder;+import org.opensaml.core.xml.XMLObjectBuilderFactory;+import org.opensaml.core.xml.config.XMLObjectProviderRegistry;+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;+import org.opensaml.core.xml.io.Marshaller;+import org.opensaml.core.xml.io.MarshallingException;+import org.opensaml.saml.common.xml.SAMLConstants;+import org.opensaml.saml.saml2.core.NameIDType;+import org.opensaml.saml.saml2.metadata.AssertionConsumerService;+import org.opensaml.saml.saml2.metadata.EntityDescriptor;+import org.opensaml.saml.saml2.metadata.KeyDescriptor;+import org.opensaml.saml.saml2.metadata.NameIDFormat;+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;+import org.opensaml.security.credential.UsageType;+import org.opensaml.xmlsec.signature.KeyInfo;+import org.opensaml.xmlsec.signature.X509Certificate;+import org.opensaml.xmlsec.signature.X509Data;+import org.springframework.security.saml2.Saml2Exception;+import org.springframework.security.saml2.credentials.Saml2X509Credential;+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;+import 
org.w3c.dom.Element;++import javax.servlet.http.HttpServletRequest;+import javax.xml.namespace.QName;+import java.security.cert.CertificateEncodingException;+import java.util.Base64;+import java.util.List;+import java.util.stream.Collectors;++/**+ * @author Jakub Kubrynski+ * @since 5.4+ */+class SamlMetadataGenerator {++	String generateMetadata(RelyingPartyRegistration registration, HttpServletRequest request) {++		XMLObjectBuilderFactory builderFactory = ConfigurationService.get(XMLObjectProviderRegistry.class).getBuilderFactory();++		EntityDescriptor entityDescriptor = buildObject(builderFactory, EntityDescriptor.ELEMENT_QNAME);++		entityDescriptor.setEntityID(+				resolveTemplate(registration.getLocalEntityIdTemplate(), registration, request));++		SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(registration, builderFactory, request);+		entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);++		return serializeToXmlString(entityDescriptor);+	}++	private String serializeToXmlString(EntityDescriptor entityDescriptor) {+		try {+			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor);+			if (marshaller == null) {+				throw new Saml2Exception("Unable to resolve Marshaller");+			}+			Element element = marshaller.marshall(entityDescriptor);+			return SerializeSupport.prettyPrintXML(element);+		} catch (MarshallingException e) {+			throw new Saml2Exception(e);+		}+	}++	private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration,+			XMLObjectBuilderFactory builderFactory, HttpServletRequest request) {++		SPSSODescriptor spSsoDescriptor = buildObject(builderFactory, SPSSODescriptor.DEFAULT_ELEMENT_NAME);+		spSsoDescriptor.setAuthnRequestsSigned(registration.getProviderDetails().isSignAuthNRequest());+		spSsoDescriptor.setWantAssertionsSigned(true);+		spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);++		NameIDFormat nameIdFormat = 
buildObject(builderFactory, NameIDFormat.DEFAULT_ELEMENT_NAME);+		nameIdFormat.setFormat(NameIDType.EMAIL);
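Review bot: nameIdFormat.setFormat(NameIDType.EMAIL) hard-codes the only NameID format the SP advertises, yet nothing on RelyingPartyRegistration feeds it, so an IdP configured to issue persistent or transient identifiers will see a format mismatch against the published metadata. Either make the format part of RelyingPartyRegistration and emit one NameIDFormat element per configured value, or leave the optional NameIDFormat element out of the SPSSODescriptor until it is configurable.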

How would you like to implement that?

jkubrynski

comment created time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

+/*+ * Copyright 2002-2020 the original author or authors.+ *+ * Licensed under the Apache License, Version 2.0 (the "License");+ * you may not use this file except in compliance with the License.+ * You may obtain a copy of the License at+ *+ *      https://www.apache.org/licenses/LICENSE-2.0+ *+ * Unless required by applicable law or agreed to in writing, software+ * distributed under the License is distributed on an "AS IS" BASIS,+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+ * See the License for the specific language governing permissions and+ * limitations under the License.+ */++package org.springframework.security.saml2.provider.service.servlet.filter;++import net.shibboleth.utilities.java.support.xml.SerializeSupport;+import org.opensaml.core.config.ConfigurationService;+import org.opensaml.core.xml.XMLObjectBuilder;+import org.opensaml.core.xml.XMLObjectBuilderFactory;+import org.opensaml.core.xml.config.XMLObjectProviderRegistry;+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;+import org.opensaml.core.xml.io.Marshaller;+import org.opensaml.core.xml.io.MarshallingException;+import org.opensaml.saml.common.xml.SAMLConstants;+import org.opensaml.saml.saml2.core.NameIDType;+import org.opensaml.saml.saml2.metadata.AssertionConsumerService;+import org.opensaml.saml.saml2.metadata.EntityDescriptor;+import org.opensaml.saml.saml2.metadata.KeyDescriptor;+import org.opensaml.saml.saml2.metadata.NameIDFormat;+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;+import org.opensaml.security.credential.UsageType;+import org.opensaml.xmlsec.signature.KeyInfo;+import org.opensaml.xmlsec.signature.X509Certificate;+import org.opensaml.xmlsec.signature.X509Data;+import org.springframework.security.saml2.Saml2Exception;+import org.springframework.security.saml2.credentials.Saml2X509Credential;+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;+import 
org.w3c.dom.Element;++import javax.servlet.http.HttpServletRequest;+import javax.xml.namespace.QName;+import java.security.cert.CertificateEncodingException;+import java.util.Base64;+import java.util.List;+import java.util.stream.Collectors;++/**+ * @author Jakub Kubrynski+ * @since 5.4+ */+class SamlMetadataGenerator {++	String generateMetadata(RelyingPartyRegistration registration, HttpServletRequest request) {++		XMLObjectBuilderFactory builderFactory = ConfigurationService.get(XMLObjectProviderRegistry.class).getBuilderFactory();++		EntityDescriptor entityDescriptor = buildObject(builderFactory, EntityDescriptor.ELEMENT_QNAME);++		entityDescriptor.setEntityID(+				resolveTemplate(registration.getLocalEntityIdTemplate(), registration, request));++		SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(registration, builderFactory, request);+		entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);++		return serializeToXmlString(entityDescriptor);+	}++	private String serializeToXmlString(EntityDescriptor entityDescriptor) {+		try {+			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor);+			if (marshaller == null) {+				throw new Saml2Exception("Unable to resolve Marshaller");+			}+			Element element = marshaller.marshall(entityDescriptor);+			return SerializeSupport.prettyPrintXML(element);+		} catch (MarshallingException e) {+			throw new Saml2Exception(e);+		}+	}++	private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration,+			XMLObjectBuilderFactory builderFactory, HttpServletRequest request) {++		SPSSODescriptor spSsoDescriptor = buildObject(builderFactory, SPSSODescriptor.DEFAULT_ELEMENT_NAME);+		spSsoDescriptor.setAuthnRequestsSigned(registration.getProviderDetails().isSignAuthNRequest());+		spSsoDescriptor.setWantAssertionsSigned(true);+		spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);++		NameIDFormat nameIdFormat = 
buildObject(builderFactory, NameIDFormat.DEFAULT_ELEMENT_NAME);+		nameIdFormat.setFormat(NameIDType.EMAIL);+		spSsoDescriptor.getNameIDFormats().add(nameIdFormat);++		spSsoDescriptor.getAssertionConsumerServices().add(+				buildAssertionConsumerService(registration, builderFactory, request));++		spSsoDescriptor.getKeyDescriptors().addAll(buildKeys(builderFactory,+				registration.getSigningCredentials(), UsageType.SIGNING));+		spSsoDescriptor.getKeyDescriptors().addAll(buildKeys(builderFactory,+				registration.getEncryptionCredentials(), UsageType.ENCRYPTION));++		return spSsoDescriptor;+	}++	private List<KeyDescriptor> buildKeys(XMLObjectBuilderFactory builderFactory,+			List<Saml2X509Credential> credentials, UsageType usageType) {+		return credentials
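Review bot: buildSpSsoDescriptor calls buildKeys twice, with registration.getSigningCredentials() and UsageType.SIGNING and then with registration.getEncryptionCredentials() and UsageType.ENCRYPTION, so a credential that appears in both lists is published as two KeyDescriptor entries carrying the same certificate. That is valid metadata but noisy for whoever imports it; consider de-duplicating by certificate and emitting one KeyDescriptor with no use attribute for such credentials, since an absent use means signing and encryption. Worth a line of Javadoc on generateMetadata too: with both lists empty the SPSSODescriptor is emitted without any KeyDescriptor, even when setAuthnRequestsSigned(true) has been advertised.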

My question is whether I should still change it to a for loop?

jkubrynski

comment created time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

+/*+ * Copyright 2002-2020 the original author or authors.+ *+ * Licensed under the Apache License, Version 2.0 (the "License");+ * you may not use this file except in compliance with the License.+ * You may obtain a copy of the License at+ *+ *      https://www.apache.org/licenses/LICENSE-2.0+ *+ * Unless required by applicable law or agreed to in writing, software+ * distributed under the License is distributed on an "AS IS" BASIS,+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+ * See the License for the specific language governing permissions and+ * limitations under the License.+ */++package org.springframework.security.saml2.provider.service.servlet.filter;++import net.shibboleth.utilities.java.support.xml.SerializeSupport;+import org.opensaml.core.config.ConfigurationService;+import org.opensaml.core.xml.XMLObjectBuilder;+import org.opensaml.core.xml.XMLObjectBuilderFactory;+import org.opensaml.core.xml.config.XMLObjectProviderRegistry;+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;+import org.opensaml.core.xml.io.Marshaller;+import org.opensaml.core.xml.io.MarshallingException;+import org.opensaml.saml.common.xml.SAMLConstants;+import org.opensaml.saml.saml2.core.NameIDType;+import org.opensaml.saml.saml2.metadata.AssertionConsumerService;+import org.opensaml.saml.saml2.metadata.EntityDescriptor;+import org.opensaml.saml.saml2.metadata.KeyDescriptor;+import org.opensaml.saml.saml2.metadata.NameIDFormat;+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;+import org.opensaml.security.credential.UsageType;+import org.opensaml.xmlsec.signature.KeyInfo;+import org.opensaml.xmlsec.signature.X509Certificate;+import org.opensaml.xmlsec.signature.X509Data;+import org.springframework.security.saml2.Saml2Exception;+import org.springframework.security.saml2.credentials.Saml2X509Credential;+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;+import 
org.w3c.dom.Element;++import javax.servlet.http.HttpServletRequest;+import javax.xml.namespace.QName;+import java.security.cert.CertificateEncodingException;+import java.util.Base64;+import java.util.List;+import java.util.stream.Collectors;++/**+ * @author Jakub Kubrynski+ * @since 5.4+ */+class SamlMetadataGenerator {++	String generateMetadata(RelyingPartyRegistration registration, HttpServletRequest request) {++		XMLObjectBuilderFactory builderFactory = ConfigurationService.get(XMLObjectProviderRegistry.class).getBuilderFactory();++		EntityDescriptor entityDescriptor = buildObject(builderFactory, EntityDescriptor.ELEMENT_QNAME);++		entityDescriptor.setEntityID(+				resolveTemplate(registration.getLocalEntityIdTemplate(), registration, request));++		SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(registration, builderFactory, request);+		entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);++		return serializeToXmlString(entityDescriptor);+	}++	private String serializeToXmlString(EntityDescriptor entityDescriptor) {+		try {+			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor);+			if (marshaller == null) {+				throw new Saml2Exception("Unable to resolve Marshaller");+			}+			Element element = marshaller.marshall(entityDescriptor);+			return SerializeSupport.prettyPrintXML(element);+		} catch (MarshallingException e) {
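Review bot: ConfigurationService.get(XMLObjectProviderRegistry.class) in generateMetadata returns null when OpenSAML has not been initialized, so the chained .getBuilderFactory() fails with a NullPointerException, while the marshaller lookup a few lines later guards the equivalent condition with throw new Saml2Exception("Unable to resolve Marshaller"). Give the registry the same guard, or fetch the builder factory through XMLObjectProviderRegistrySupport.getBuilderFactory(), the same accessor style already used for getMarshallerFactory(), so both failure modes surface as a Saml2Exception rather than one as an NPE.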

I'm not sure I'm following your idea. I can remove the cause from Saml2Exception and simply log the root exception. Does that work for you?

jkubrynski

comment created time in 2 months

Pull request review comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

+/*+ * Copyright 2002-2020 the original author or authors.+ *+ * Licensed under the Apache License, Version 2.0 (the "License");+ * you may not use this file except in compliance with the License.+ * You may obtain a copy of the License at+ *+ *      https://www.apache.org/licenses/LICENSE-2.0+ *+ * Unless required by applicable law or agreed to in writing, software+ * distributed under the License is distributed on an "AS IS" BASIS,+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+ * See the License for the specific language governing permissions and+ * limitations under the License.+ */++package org.springframework.security.saml2.provider.service.servlet.filter;++import net.shibboleth.utilities.java.support.xml.SerializeSupport;+import org.opensaml.core.config.ConfigurationService;+import org.opensaml.core.xml.XMLObjectBuilder;+import org.opensaml.core.xml.XMLObjectBuilderFactory;+import org.opensaml.core.xml.config.XMLObjectProviderRegistry;+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;+import org.opensaml.core.xml.io.Marshaller;+import org.opensaml.core.xml.io.MarshallingException;+import org.opensaml.saml.common.xml.SAMLConstants;+import org.opensaml.saml.saml2.core.NameIDType;+import org.opensaml.saml.saml2.metadata.AssertionConsumerService;+import org.opensaml.saml.saml2.metadata.EntityDescriptor;+import org.opensaml.saml.saml2.metadata.KeyDescriptor;+import org.opensaml.saml.saml2.metadata.NameIDFormat;+import org.opensaml.saml.saml2.metadata.SPSSODescriptor;+import org.opensaml.security.credential.UsageType;+import org.opensaml.xmlsec.signature.KeyInfo;+import org.opensaml.xmlsec.signature.X509Certificate;+import org.opensaml.xmlsec.signature.X509Data;+import org.springframework.security.saml2.Saml2Exception;+import org.springframework.security.saml2.credentials.Saml2X509Credential;+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;+import 
org.w3c.dom.Element;++import javax.servlet.http.HttpServletRequest;+import javax.xml.namespace.QName;+import java.security.cert.CertificateEncodingException;+import java.util.Base64;+import java.util.List;+import java.util.stream.Collectors;++/**+ * @author Jakub Kubrynski+ * @since 5.4+ */+class SamlMetadataGenerator {++	String generateMetadata(RelyingPartyRegistration registration, HttpServletRequest request) {++		XMLObjectBuilderFactory builderFactory = ConfigurationService.get(XMLObjectProviderRegistry.class).getBuilderFactory();++		EntityDescriptor entityDescriptor = buildObject(builderFactory, EntityDescriptor.ELEMENT_QNAME);++		entityDescriptor.setEntityID(+				resolveTemplate(registration.getLocalEntityIdTemplate(), registration, request));++		SPSSODescriptor spSsoDescriptor = buildSpSsoDescriptor(registration, builderFactory, request);+		entityDescriptor.getRoleDescriptors(SPSSODescriptor.DEFAULT_ELEMENT_NAME).add(spSsoDescriptor);++		return serializeToXmlString(entityDescriptor);+	}++	private String serializeToXmlString(EntityDescriptor entityDescriptor) {+		try {+			Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(entityDescriptor);+			if (marshaller == null) {+				throw new Saml2Exception("Unable to resolve Marshaller");+			}+			Element element = marshaller.marshall(entityDescriptor);+			return SerializeSupport.prettyPrintXML(element);+		} catch (MarshallingException e) {+			throw new Saml2Exception(e);+		}+	}++	private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration,+			XMLObjectBuilderFactory builderFactory, HttpServletRequest request) {++		SPSSODescriptor spSsoDescriptor = buildObject(builderFactory, SPSSODescriptor.DEFAULT_ELEMENT_NAME);+		spSsoDescriptor.setAuthnRequestsSigned(registration.getProviderDetails().isSignAuthNRequest());+		spSsoDescriptor.setWantAssertionsSigned(true);+		spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);++		NameIDFormat nameIdFormat = 
buildObject(builderFactory, NameIDFormat.DEFAULT_ELEMENT_NAME);+		nameIdFormat.setFormat(NameIDType.EMAIL);+		spSsoDescriptor.getNameIDFormats().add(nameIdFormat);++		spSsoDescriptor.getAssertionConsumerServices().add(+				buildAssertionConsumerService(registration, builderFactory, request));++		spSsoDescriptor.getKeyDescriptors().addAll(buildKeys(builderFactory,+				registration.getSigningCredentials(), UsageType.SIGNING));+		spSsoDescriptor.getKeyDescriptors().addAll(buildKeys(builderFactory,+				registration.getEncryptionCredentials(), UsageType.ENCRYPTION));++		return spSsoDescriptor;+	}++	private List<KeyDescriptor> buildKeys(XMLObjectBuilderFactory builderFactory,+			List<Saml2X509Credential> credentials, UsageType usageType) {+		return credentials
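Review bot: both the EntityID and the AssertionConsumerService Location come from resolveTemplate(..., registration, request), so whatever the template derives from the HttpServletRequest (scheme, host, port, context path) lands in the metadata document an administrator downloads and registers with the IdP. If that resolution reads the Host header, a request with a spoofed Host yields metadata whose ACS points wherever the sender chose; document that the endpoint must sit behind a trusted forwarded-header setup, or resolve the template from a configured base URL on the registration where one is available. On the same descriptor, setWantAssertionsSigned(true) is hard-coded while setAuthnRequestsSigned comes from registration.getProviderDetails(); either make both configurable or note in the Javadoc that WantAssertionsSigned is always advertised.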

To be honest, I don't believe in this. Some time ago I spent many hours investigating this area and it wasn't true. Please check this talk https://www.slideshare.net/KubaKubryski/jvm-dive-for-mere-mortals - slides 50 to 54. All results were verified and discussed with Martin Thompson and Aleksey Shipilev.

jkubrynski

comment created time in 3 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha 901a2f34d63c6f181d71cbb471369a53821ab788

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

view details

push time in 3 months

PR opened spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints


+440 -15

0 comment

7 changed files

pr created time in 3 months

pull request comment spring-projects/spring-security

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

The verification build is not picking up new commits.

jkubrynski

comment created time in 3 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha dcfc6763118ca36cb3d8693cea33a72dac2a52f2

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

view details

push time in 3 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha 06feb192f6b0c08a4b3bfd2935b3462234fafb78

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

view details

push time in 3 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha 144b28a2481375cd9d491f0b9de89a7516a8a6da

Split tests

view details

push time in 3 months

PR opened spring-projects/spring-security

Fix #8484 Provide mechanism for parsing IdP metadata


+243 -0

0 comment

3 changed files

pr created time in 3 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha a398e7b346eadafd8aa7634846ab0e647e9f9e52

Fix #8484 Provide mechanism for parsing IdP metadata

view details

push time in 3 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha 86b633cd046e4c0f584a6e6ca59613acb5e3d0b9

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

view details

push time in 3 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha 9a558c78ee5f79506c458ba59a9333e87bd30cd5

Fix checkstyle

view details

push time in 3 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha a9c1d92a17feb5630708af778cc922b1034001ae

Fix #8693 Support SAML 2.0 SP Metadata Endpoints

view details

push time in 3 months

create branch jkubrynski/spring-security

branch : features/saml-metadata-parser

created branch time in 3 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha 797277c08402f97b91294aa3a1b671f7cc337215

Add configuration and update docs

view details

push time in 3 months

push event jkubrynski/spring-security

Jakub Kubrynski

commit sha 91d40476cae070241aeef3b8285003861ed1e3c6

Rewrite to filter

view details

push time in 3 months

create branch jkubrynski/spring-security

branch : features/saml-metadata-generator

created branch time in 3 months

push event jkubrynski/spring-security

Josh Cummings

commit sha 329999b54ad4360f7407ed5c5bd4c51bcadf99f7

Update to nimbus-jose-jwt:7.3 Fixes: gh-7061

view details

Josh Cummings

commit sha ee8182dcebb4327e20ad5e41ce18eb6bfd6e86e2

NamespaceSessionManagementTests groovy->java Issue: gh-4939

view details

Clement Ng

commit sha 491da9db03c8919d802eeb098eaa44ab0cdc35e1

Added OAuth2TokenAttributes to wrap attributes To simplify access to OAuth 2.0 token attributes Fixes gh-6498

view details

Clement Ng

commit sha cd54808718af39bbac1b613f06a0163a644afbfb

Update Opaque Token Sample and tests Issue: gh-6498

view details

Lars Grefer

commit sha 4b0fb19fff4bcdeba2033345814cc0e989eb0cfe

Use MessageDigest.isEqual() where possible fixes #7058

view details

Lars Grefer

commit sha d3d6a8743e9b17653320d967cc42d2e4dc50adba

Allow upgrading between different BCrypt encodings Fixes gh-7042

view details

Rob Winch

commit sha 742df2cd1dc30a929674e341a1366effb1327364

Polish BCrypt upgrade Issue gh-7042

view details

Lars Grefer

commit sha e95effc839c8a1e8d8faba4f7ccee5796f63a06e

Allow upgrading between different SCrypt encodings Fixes gh-7057

view details

Rob Winch

commit sha e1f155ba8998b7cd4a307c1e0a703dc6bf7e6693

Polish SCrypt Upgrade Support * Break up tests * Rename test methods to follow conventions * Fix checkstyle Issue gh-7057

view details

Édouard Hue

commit sha 3c1472501fb1f8784ade77319ac2d09a46d9dadc

Fixed validation in ClientRegistration.Builder ClientRegistration.Builder defaulted to validating as an authorization_code registration, though a custom grant type could be in use. The actual grant_type is now verified for every case. - Fixed validation in ClientRegistration.Builder - New test that fails unless the issue is fixed. Also made OAuth2AuthorizationGrantRequestEntityUtils public to help implementing custom token response clients. Fixes gh-7040

view details

Bruno Studer

commit sha 8016a193b9469f0d918937e674a25a312bd1b057

Optimize IpAddressMatcher Get rid of byte array allocation in matcher and small optimizations

view details

Eleftheria Stein

commit sha d66d895e60a7e56b4d18e0ba22aece0dac56a015

Migrate ServletApiConfigurerTests groovy->java Issue: gh-4939

view details

Vedran Pavic

commit sha 9432670f1d453cc2a8c7acef325892df79c6a9bf

Allow InMemoryOAuth2AuthorizedClientService to be constructed with a Map Fixes gh-5994

view details

Joe Grandja

commit sha 23d61d43e5abb1d375c181b53139d5ca8195f099

Polish #5994

view details

Joe Grandja

commit sha e554547593784f431723bb9c9f6a4ef9b77099c5

Revert Map constructor for InMemoryReactiveClientRegistrationRepository This commit reverts f6414e9a52f6a66dc8d21c0455c0b9ead7edc520 and partial revert of e1b095df3260c45c53408ef0a3360a7aa7c5073b. NOTE: InMemoryReactiveClientRegistrationRepository should not expose a Map constructor as it would allow the caller to pass in a 'distributed' (remote) Map, which would result in a blocking I/O operation.

view details

Lars Grefer

commit sha 7dc28ff3761c28beff947104345f1205554ad650

Use contains() instead of indexOf() != -1

view details

Lars Grefer

commit sha 43737a56bd0f4420a619c8ff563b48330d9571aa

Use foreach where possible

view details

Eleftheria Stein

commit sha 92314b0956295a42123b5b6d7e0cd6a7124ff6c8

Allow configuration of logout through nested builder Issue: gh-5557

view details

Eleftheria Stein

commit sha 1a31376ddaedda8808e1f8fbde96ea5eea392132

Allow configuration of exception handling through nested builder Issue: gh-5557

view details

Eleftheria Stein

commit sha 6986cf3ef3bd8c513539564b98b2960bce2875d4

Allow configuration of csrf through nested builder Issue: gh-5557

view details

push time in 3 months
