Use EntityId-lookup Components

Closes gh-12880

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -33,9 +33,8 @@
 import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
-import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.HttpSessionSaml2AuthenticationRequestRepository;
-import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
+import org.springframework.security.saml2.provider.service.web.OpenSamlAuthenticationTokenConverter;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
 import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
@@ -292,11 +291,6 @@ public void configure(B http) throws Exception {
 		}
 	}
 
-	private RelyingPartyRegistrationResolver relyingPartyRegistrationResolver(B http) {
-		RelyingPartyRegistrationRepository registrations = relyingPartyRegistrationRepository(http);
-		return new DefaultRelyingPartyRegistrationResolver(registrations);
-	}
-
 	RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(B http) {
 		if (this.relyingPartyRegistrationRepository == null) {
 			this.relyingPartyRegistrationRepository = getSharedOrBean(http, RelyingPartyRegistrationRepository.class);
@@ -339,7 +333,7 @@ private Saml2AuthenticationRequestResolver getAuthenticationRequestResolver(B ht
 			return bean;
 		}
 		OpenSaml4AuthenticationRequestResolver openSaml4AuthenticationRequestResolver = new OpenSaml4AuthenticationRequestResolver(
-				relyingPartyRegistrationResolver(http));
+				relyingPartyRegistrationRepository(http));
 		openSaml4AuthenticationRequestResolver
 				.setRequestMatcher(new AntPathRequestMatcher(this.authenticationRequestUri));
 		return openSaml4AuthenticationRequestResolver;
@@ -352,10 +346,14 @@ private AuthenticationConverter getAuthenticationConverter(B http) {
 		AuthenticationConverter authenticationConverterBean = getBeanOrNull(http,
 				Saml2AuthenticationTokenConverter.class);
 		if (authenticationConverterBean == null) {
-			Assert.state(this.loginProcessingUrl.contains("{registrationId}"),
-					"loginProcessingUrl must contain {registrationId} path variable");
-			return new Saml2AuthenticationTokenConverter(
-					new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository));
+			authenticationConverterBean = getBeanOrNull(http, OpenSamlAuthenticationTokenConverter.class);
+		}
+		if (authenticationConverterBean == null) {
+			OpenSamlAuthenticationTokenConverter converter = new OpenSamlAuthenticationTokenConverter(
+					this.relyingPartyRegistrationRepository);
+			converter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(http));
+			converter.setRequestMatcher(createLoginProcessingUrlMatcher(this.loginProcessingUrl));
+			return converter;
 		}
 		return authenticationConverterBean;
 	}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,11 +39,10 @@
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidator;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
-import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
-import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.HttpSessionLogoutRequestRepository;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutRequestResolver;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutResponseResolver;
+import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlLogoutRequestValidatorParametersResolver;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestRepository;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
@@ -216,17 +215,12 @@ public void configure(H http) throws Exception {
 			this.logoutHandlers = logout.getLogoutHandlers();
 			this.logoutSuccessHandler = logout.getLogoutSuccessHandler();
 		}
-		RelyingPartyRegistrationResolver registrations = relyingPartyRegistrationResolver(http);
+		RelyingPartyRegistrationRepository registrations = getRelyingPartyRegistrationRepository(http);
 		http.addFilterBefore(createLogoutRequestProcessingFilter(registrations), CsrfFilter.class);
 		http.addFilterBefore(createLogoutResponseProcessingFilter(registrations), CsrfFilter.class);
 		http.addFilterBefore(createRelyingPartyLogoutFilter(registrations), LogoutFilter.class);
 	}
 
-	private RelyingPartyRegistrationResolver relyingPartyRegistrationResolver(H http) {
-		RelyingPartyRegistrationRepository registrations = getRelyingPartyRegistrationRepository(http);
-		return new DefaultRelyingPartyRegistrationResolver(registrations);
-	}
-
 	private RelyingPartyRegistrationRepository getRelyingPartyRegistrationRepository(H http) {
 		if (this.relyingPartyRegistrationRepository != null) {
 			return this.relyingPartyRegistrationRepository;
@@ -242,26 +236,29 @@ private RelyingPartyRegistrationRepository getRelyingPartyRegistrationRepository
 	}
 
 	private Saml2LogoutRequestFilter createLogoutRequestProcessingFilter(
-			RelyingPartyRegistrationResolver registrations) {
+			RelyingPartyRegistrationRepository registrations) {
 		LogoutHandler[] logoutHandlers = this.logoutHandlers.toArray(new LogoutHandler[0]);
 		Saml2LogoutResponseResolver logoutResponseResolver = createSaml2LogoutResponseResolver(registrations);
-		Saml2LogoutRequestFilter filter = new Saml2LogoutRequestFilter(registrations,
+		RequestMatcher requestMatcher = createLogoutRequestMatcher();
+		OpenSamlLogoutRequestValidatorParametersResolver parameters = new OpenSamlLogoutRequestValidatorParametersResolver(
+				registrations);
+		parameters.setRequestMatcher(requestMatcher);
+		Saml2LogoutRequestFilter filter = new Saml2LogoutRequestFilter(parameters,
 				this.logoutRequestConfigurer.logoutRequestValidator(), logoutResponseResolver, logoutHandlers);
-		filter.setLogoutRequestMatcher(createLogoutRequestMatcher());
 		filter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 		return postProcess(filter);
 	}
 
 	private Saml2LogoutResponseFilter createLogoutResponseProcessingFilter(
-			RelyingPartyRegistrationResolver registrations) {
+			RelyingPartyRegistrationRepository registrations) {
 		Saml2LogoutResponseFilter logoutResponseFilter = new Saml2LogoutResponseFilter(registrations,
 				this.logoutResponseConfigurer.logoutResponseValidator(), this.logoutSuccessHandler);
 		logoutResponseFilter.setLogoutRequestMatcher(createLogoutResponseMatcher());
 		logoutResponseFilter.setLogoutRequestRepository(this.logoutRequestConfigurer.logoutRequestRepository);
 		return postProcess(logoutResponseFilter);
 	}
 
-	private LogoutFilter createRelyingPartyLogoutFilter(RelyingPartyRegistrationResolver registrations) {
+	private LogoutFilter createRelyingPartyLogoutFilter(RelyingPartyRegistrationRepository registrations) {
 		LogoutHandler[] logoutHandlers = this.logoutHandlers.toArray(new LogoutHandler[0]);
 		Saml2RelyingPartyInitiatedLogoutSuccessHandler logoutRequestSuccessHandler = createSaml2LogoutRequestSuccessHandler(
 				registrations);
@@ -290,15 +287,15 @@ private RequestMatcher createLogoutResponseMatcher() {
 	}
 
 	private Saml2RelyingPartyInitiatedLogoutSuccessHandler createSaml2LogoutRequestSuccessHandler(
-			RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
+			RelyingPartyRegistrationRepository registrations) {
 		Saml2LogoutRequestResolver logoutRequestResolver = this.logoutRequestConfigurer
-				.logoutRequestResolver(relyingPartyRegistrationResolver);
+				.logoutRequestResolver(registrations);
 		return new Saml2RelyingPartyInitiatedLogoutSuccessHandler(logoutRequestResolver);
 	}
 
 	private Saml2LogoutResponseResolver createSaml2LogoutResponseResolver(
-			RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
-		return this.logoutResponseConfigurer.logoutResponseResolver(relyingPartyRegistrationResolver);
+			RelyingPartyRegistrationRepository registrations) {
+		return this.logoutResponseConfigurer.logoutResponseResolver(registrations);
 	}
 
 	private <C> C getBeanOrNull(Class<C> clazz) {
@@ -385,12 +382,11 @@ private Saml2LogoutRequestValidator logoutRequestValidator() {
 			return this.logoutRequestValidator;
 		}
 
-		private Saml2LogoutRequestResolver logoutRequestResolver(
-				RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
+		private Saml2LogoutRequestResolver logoutRequestResolver(RelyingPartyRegistrationRepository registrations) {
 			if (this.logoutRequestResolver != null) {
 				return this.logoutRequestResolver;
 			}
-			return new OpenSaml4LogoutRequestResolver(relyingPartyRegistrationResolver);
+			return new OpenSaml4LogoutRequestResolver(registrations);
 		}
 
 	}
@@ -454,10 +450,9 @@ private Saml2LogoutResponseValidator logoutResponseValidator() {
 			return this.logoutResponseValidator;
 		}
 
-		private Saml2LogoutResponseResolver logoutResponseResolver(
-				RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
+		private Saml2LogoutResponseResolver logoutResponseResolver(RelyingPartyRegistrationRepository registrations) {
 			if (this.logoutResponseResolver == null) {
-				return new OpenSaml4LogoutResponseResolver(relyingPartyRegistrationResolver);
+				return new OpenSaml4LogoutResponseResolver(registrations);
 			}
 			return this.logoutResponseResolver;
 		}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java

@@ -31,7 +31,6 @@
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.ArgumentCaptor;
 
-import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.context.annotation.Bean;
@@ -91,7 +90,6 @@
 import org.springframework.web.util.UriComponentsBuilder;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.atLeastOnce;
@@ -308,12 +306,9 @@ public void authenticationRequestWhenCustomAuthenticationRequestUriRepositoryThe
 	}
 
 	@Test
-	public void saml2LoginWhenLoginProcessingUrlWithoutRegistrationIdAndDefaultAuthenticationConverterThenValidates() {
-		assertThatExceptionOfType(BeanCreationException.class)
-				.isThrownBy(() -> this.spring.register(CustomLoginProcessingUrlDefaultAuthenticationConverter.class)
-						.autowire())
-				.havingRootCause().isInstanceOf(IllegalStateException.class)
-				.withMessage("loginProcessingUrl must contain {registrationId} path variable");
+	public void saml2LoginWhenLoginProcessingUrlWithoutRegistrationIdAndDefaultAuthenticationConverterThenAutowires()
+			throws Exception {
+		this.spring.register(CustomLoginProcessingUrlDefaultAuthenticationConverter.class).autowire();
 	}
 
 	@Test