Add Saml2ParameterNames

Closes gh-10270

Author: jzheaux

etc/checkstyle/checkstyle-suppressions.xml

@@ -29,6 +29,7 @@
 	<suppress files="OAuth2IntrospectionClaimNames\.java" checks="InterfaceIsType"/>
 	<suppress files="OAuth2TokenIntrospectionClaimNames\.java" checks="InterfaceIsType"/>
 	<suppress files="Saml2ErrorCodes\.java" checks="InterfaceIsType"/>
+	<suppress files="Saml2ParameterNames\.java" checks="InterfaceIsType"/>
 
 	<!-- Method Visibility that we can't reduce -->
 	<suppress files="AbstractAclVoterTests\.java" checks="SpringMethodVisibility"/>

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2ParameterNames.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.core;
+
+/**
+ * Standard parameter names defined in the SAML 2.0 Specification and used by the
+ * Authentication Request, Assertion Consumer Response, Logout Request, and Logout
+ * Response endpoints.
+ *
+ * @author Josh Cummings
+ * @since 5.6
+ * @see <a target="_blank" href=
+ * "https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf">SAML 2.0
+ * Bindings</a>
+ */
+public interface Saml2ParameterNames {
+
+	/**
+	 * {@code SAMLRequest} - used to request authentication or request logout
+	 */
+	String SAML_REQUEST = "SAMLRequest";
+
+	/**
+	 * {@code SAMLResponse} - used to respond to an authentication or logout request
+	 */
+	String SAML_RESPONSE = "SAMLResponse";
+
+	/**
+	 * {@code RelayState} - used to communicate shared state between the relying and
+	 * asserting party
+	 * @see <a target="_blank" href=
+	 * "https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf#page=8">3.1.1
+	 * Use of RelayState</a>
+	 */
+	String RELAY_STATE = "RelayState";
+
+	/**
+	 * {@code SigAlg} - used to communicate which signature algorithm to use to verify
+	 * signature
+	 */
+	String SIG_ALG = "SigAlg";
+
+	/**
+	 * {@code Signature} - used to supply cryptographic signature on any SAML 2.0 payload
+	 */
+	String SIGNATURE = "Signature";
+
+}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtils.java

@@ -51,6 +51,7 @@
 import org.w3c.dom.Element;
 
 import org.springframework.security.saml2.Saml2Exception;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;
@@ -165,7 +166,7 @@ Map<String, String> parameters() {
 			SignatureSigningParameters parameters = resolveSigningParameters(this.registration);
 			Credential credential = parameters.getSigningCredential();
 			String algorithmUri = parameters.getSignatureAlgorithm();
-			this.components.put("SigAlg", algorithmUri);
+			this.components.put(Saml2ParameterNames.SIG_ALG, algorithmUri);
 			UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
 			for (Map.Entry<String, String> component : this.components.entrySet()) {
 				builder.queryParam(component.getKey(),
@@ -176,7 +177,7 @@ Map<String, String> parameters() {
 				byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri,
 						queryString.getBytes(StandardCharsets.UTF_8));
 				String b64Signature = Saml2Utils.samlEncode(rawSignature);
-				this.components.put("Signature", b64Signature);
+				this.components.put(Saml2ParameterNames.SIGNATURE, b64Signature);
 			}
 			catch (SecurityException ex) {
 				throw new Saml2Exception(ex);

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlVerificationUtils.java

@@ -48,6 +48,7 @@
 
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -176,34 +177,39 @@ private static class RedirectSignature {
 			}
 
 			String getAlgorithm() {
-				return this.request.getParameter("SigAlg");
+				return this.request.getParameter(Saml2ParameterNames.SIG_ALG);
 			}
 
 			byte[] getContent() {
-				if (this.request.getParameter("RelayState") != null) {
-					return String.format("%s=%s&RelayState=%s&SigAlg=%s", this.objectParameterName,
-							UriUtils.encode(this.request.getParameter(this.objectParameterName),
-									StandardCharsets.ISO_8859_1),
-							UriUtils.encode(this.request.getParameter("RelayState"), StandardCharsets.ISO_8859_1),
-							UriUtils.encode(getAlgorithm(), StandardCharsets.ISO_8859_1))
+				if (this.request.getParameter(Saml2ParameterNames.RELAY_STATE) != null) {
+					return String
+							.format("%s=%s&%s=%s&%s=%s", this.objectParameterName,
+									UriUtils.encode(this.request.getParameter(this.objectParameterName),
+											StandardCharsets.ISO_8859_1),
+									Saml2ParameterNames.RELAY_STATE,
+									UriUtils.encode(this.request.getParameter(Saml2ParameterNames.RELAY_STATE),
+											StandardCharsets.ISO_8859_1),
+									Saml2ParameterNames.SIG_ALG,
+									UriUtils.encode(getAlgorithm(), StandardCharsets.ISO_8859_1))
 							.getBytes(StandardCharsets.UTF_8);
 				}
 				else {
 					return String
-							.format("%s=%s&SigAlg=%s", this.objectParameterName,
+							.format("%s=%s&%s=%s", this.objectParameterName,
 									UriUtils.encode(this.request.getParameter(this.objectParameterName),
 											StandardCharsets.ISO_8859_1),
+									Saml2ParameterNames.SIG_ALG,
 									UriUtils.encode(getAlgorithm(), StandardCharsets.ISO_8859_1))
 							.getBytes(StandardCharsets.UTF_8);
 				}
 			}
 
 			byte[] getSignature() {
-				return Saml2Utils.samlDecode(this.request.getParameter("Signature"));
+				return Saml2Utils.samlDecode(this.request.getParameter(Saml2ParameterNames.SIGNATURE));
 			}
 
 			boolean hasSignature() {
-				return this.request.getParameter("Signature") != null;
+				return this.request.getParameter(Saml2ParameterNames.SIGNATURE) != null;
 			}
 
 		}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlVerificationUtils.java

@@ -47,6 +47,7 @@
 
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.web.util.UriUtils;
@@ -179,44 +180,40 @@ private static class RedirectSignature {
 			private final byte[] content;
 
 			RedirectSignature(Saml2LogoutRequest request) {
-				this.algorithm = request.getParameter("SigAlg");
-				if (request.getParameter("Signature") != null) {
-					this.signature = Saml2Utils.samlDecode(request.getParameter("Signature"));
+				this.algorithm = request.getParameter(Saml2ParameterNames.SIG_ALG);
+				if (request.getParameter(Saml2ParameterNames.SIGNATURE) != null) {
+					this.signature = Saml2Utils.samlDecode(request.getParameter(Saml2ParameterNames.SIGNATURE));
 				}
 				else {
 					this.signature = null;
 				}
-				this.content = content(request.getSamlRequest(), "SAMLRequest", request.getRelayState(),
-						request.getParameter("SigAlg"));
+				this.content = content(request.getSamlRequest(), Saml2ParameterNames.SAML_REQUEST,
+						request.getRelayState(), request.getParameter(Saml2ParameterNames.SIG_ALG));
 			}
 
 			RedirectSignature(Saml2LogoutResponse response) {
-				this.algorithm = response.getParameter("SigAlg");
-				if (response.getParameter("Signature") != null) {
-					this.signature = Saml2Utils.samlDecode(response.getParameter("Signature"));
+				this.algorithm = response.getParameter(Saml2ParameterNames.SIG_ALG);
+				if (response.getParameter(Saml2ParameterNames.SIGNATURE) != null) {
+					this.signature = Saml2Utils.samlDecode(response.getParameter(Saml2ParameterNames.SIGNATURE));
 				}
 				else {
 					this.signature = null;
 				}
-				this.content = content(response.getSamlResponse(), "SAMLResponse", response.getRelayState(),
-						response.getParameter("SigAlg"));
+				this.content = content(response.getSamlResponse(), Saml2ParameterNames.SAML_RESPONSE,
+						response.getRelayState(), response.getParameter(Saml2ParameterNames.SIG_ALG));
 			}
 
 			static byte[] content(String samlObject, String objectParameterName, String relayState, String algorithm) {
 				if (relayState != null) {
-					return String
-							.format("%s=%s&RelayState=%s&SigAlg=%s", objectParameterName,
-									UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1),
-									UriUtils.encode(relayState, StandardCharsets.ISO_8859_1),
-									UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1))
-							.getBytes(StandardCharsets.UTF_8);
+					return String.format("%s=%s&%s=%s&%s=%s", objectParameterName,
+							UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1), Saml2ParameterNames.RELAY_STATE,
+							UriUtils.encode(relayState, StandardCharsets.ISO_8859_1), Saml2ParameterNames.SIG_ALG,
+							UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1)).getBytes(StandardCharsets.UTF_8);
 				}
 				else {
-					return String
-							.format("%s=%s&SigAlg=%s", objectParameterName,
-									UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1),
-									UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1))
-							.getBytes(StandardCharsets.UTF_8);
+					return String.format("%s=%s&%s=%s", objectParameterName,
+							UriUtils.encode(samlObject, StandardCharsets.ISO_8859_1), Saml2ParameterNames.SIG_ALG,
+							UriUtils.encode(algorithm, StandardCharsets.ISO_8859_1)).getBytes(StandardCharsets.UTF_8);
 				}
 			}
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/Saml2LogoutRequest.java

@@ -22,6 +22,7 @@
 import java.util.Map;
 import java.util.function.Consumer;
 
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
@@ -84,15 +85,15 @@ public Saml2MessageBinding getBinding() {
 	 * @return the signed and serialized <saml2:LogoutRequest> payload
 	 */
 	public String getSamlRequest() {
-		return this.parameters.get("SAMLRequest");
+		return this.parameters.get(Saml2ParameterNames.SAML_REQUEST);
 	}
 
 	/**
 	 * The relay state associated with this Logout Request
 	 * @return the relay state
 	 */
 	public String getRelayState() {
-		return this.parameters.get("RelayState");
+		return this.parameters.get(Saml2ParameterNames.RELAY_STATE);
 	}
 
 	/**
@@ -170,7 +171,7 @@ private Builder(RelyingPartyRegistration registration) {
 		 * @see Saml2LogoutRequestResolver
 		 */
 		public Builder samlRequest(String samlRequest) {
-			this.parameters.put("SAMLRequest", samlRequest);
+			this.parameters.put(Saml2ParameterNames.SAML_REQUEST, samlRequest);
 			return this;
 		}
 
@@ -207,7 +208,7 @@ public Builder location(String location) {
 		 * @return the {@link Builder} for further configurations
 		 */
 		public Builder relayState(String relayState) {
-			this.parameters.put("RelayState", relayState);
+			this.parameters.put(Saml2ParameterNames.RELAY_STATE, relayState);
 			return this;
 		}
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/Saml2LogoutResponse.java

@@ -21,6 +21,7 @@
 import java.util.Map;
 import java.util.function.Consumer;
 
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseResolver;
@@ -68,15 +69,15 @@ public Saml2MessageBinding getBinding() {
 	 * @return the signed and serialized <saml2:LogoutResponse> payload
 	 */
 	public String getSamlResponse() {
-		return this.parameters.get("SAMLResponse");
+		return this.parameters.get(Saml2ParameterNames.SAML_RESPONSE);
 	}
 
 	/**
 	 * The relay state associated with this Logout Request
 	 * @return the relay state
 	 */
 	public String getRelayState() {
-		return this.parameters.get("RelayState");
+		return this.parameters.get(Saml2ParameterNames.RELAY_STATE);
 	}
 
 	/**
@@ -140,7 +141,7 @@ private Builder(RelyingPartyRegistration registration) {
 		 * @see Saml2LogoutResponseResolver
 		 */
 		public Builder samlResponse(String samlResponse) {
-			this.parameters.put("SAMLResponse", samlResponse);
+			this.parameters.put(Saml2ParameterNames.SAML_RESPONSE, samlResponse);
 			return this;
 		}
 
@@ -177,7 +178,7 @@ public Builder location(String location) {
 		 * @return the {@link Builder} for further configurations
 		 */
 		public Builder relayState(String relayState) {
-			this.parameters.put("RelayState", relayState);
+			this.parameters.put(Saml2ParameterNames.RELAY_STATE, relayState);
 			return this;
 		}
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilter.java

@@ -23,6 +23,7 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
@@ -96,7 +97,7 @@ public Saml2WebSsoAuthenticationFilter(AuthenticationConverter authenticationCon
 	@Override
 	protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
 		return (super.requiresAuthentication(request, response)
-				&& StringUtils.hasText(request.getParameter("SAMLResponse")));
+				&& StringUtils.hasText(request.getParameter(Saml2ParameterNames.SAML_RESPONSE)));
 	}
 
 	@Override

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationRequestFilter.java

@@ -27,6 +27,7 @@
 import org.opensaml.core.Version;
 
 import org.springframework.http.MediaType;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;
@@ -200,10 +201,10 @@ private void sendRedirect(HttpServletRequest request, HttpServletResponse respon
 		this.authenticationRequestRepository.saveAuthenticationRequest(authenticationRequest, request, response);
 		UriComponentsBuilder uriBuilder = UriComponentsBuilder
 				.fromUriString(authenticationRequest.getAuthenticationRequestUri());
-		addParameter("SAMLRequest", authenticationRequest.getSamlRequest(), uriBuilder);
-		addParameter("RelayState", authenticationRequest.getRelayState(), uriBuilder);
-		addParameter("SigAlg", authenticationRequest.getSigAlg(), uriBuilder);
-		addParameter("Signature", authenticationRequest.getSignature(), uriBuilder);
+		addParameter(Saml2ParameterNames.SAML_REQUEST, authenticationRequest.getSamlRequest(), uriBuilder);
+		addParameter(Saml2ParameterNames.RELAY_STATE, authenticationRequest.getRelayState(), uriBuilder);
+		addParameter(Saml2ParameterNames.SIG_ALG, authenticationRequest.getSigAlg(), uriBuilder);
+		addParameter(Saml2ParameterNames.SIGNATURE, authenticationRequest.getSignature(), uriBuilder);
 		String redirectUrl = uriBuilder.build(true).toUriString();
 		response.sendRedirect(redirectUrl);
 	}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/DefaultSaml2AuthenticationRequestContextResolver.java

@@ -22,6 +22,7 @@
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;
@@ -80,7 +81,7 @@ private Saml2AuthenticationRequestContext createRedirectAuthenticationRequestCon
 		return Saml2AuthenticationRequestContext.builder().issuer(relyingParty.getEntityId())
 				.relyingPartyRegistration(relyingParty)
 				.assertionConsumerServiceUrl(relyingParty.getAssertionConsumerServiceLocation())
-				.relayState(request.getParameter("RelayState")).build();
+				.relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE)).build();
 	}
 
 }