Add saml2Metadata

Closes gh-11828

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -73,6 +73,7 @@
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer;
 import org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer;
+import org.springframework.security.config.annotation.web.configurers.saml2.Saml2MetadataConfigurer;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -2425,6 +2426,102 @@ public Saml2LogoutConfigurer<HttpSecurity> saml2Logout() throws Exception {
 		return getOrApply(new Saml2LogoutConfigurer<>(getContext()));
 	}
 
+	/**
+	 * Configures a SAML 2.0 metadata endpoint that presents relying party configurations
+	 * in an {@code <md:EntityDescriptor>} payload.
+	 *
+	 * <p>
+	 * By default, the endpoints are {@code /saml2/metadata} and
+	 * {@code /saml2/metadata/{registrationId}} though note that also
+	 * {@code /saml2/service-provider-metadata/{registrationId}} is recognized for
+	 * backward compatibility purposes.
+	 *
+	 * <p>
+	 * <h2>Example Configuration</h2>
+	 *
+	 * The following example shows the minimal configuration required, using a
+	 * hypothetical asserting party.
+	 *
+	 * <pre>
+	 *	&#064;EnableWebSecurity
+	 *	&#064;Configuration
+	 *	public class Saml2LogoutSecurityConfig {
+	 *		&#064;Bean
+	 *		public SecurityFilterChain web(HttpSecurity http) throws Exception {
+	 *			http
+	 *				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
+	 *				.saml2Metadata(Customizer.withDefaults());
+	 *			return http.build();
+	 *		}
+	 *
+	 *		&#064;Bean
+	 *		public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
+	 *			RelyingPartyRegistration registration = RelyingPartyRegistrations
+	 *					.withMetadataLocation("https://ap.example.org/metadata")
+	 *					.registrationId("simple")
+	 *					.build();
+	 *			return new InMemoryRelyingPartyRegistrationRepository(registration);
+	 *		}
+	 *	}
+	 * </pre>
+	 * @param saml2MetadataConfigurer the {@link Customizer} to provide more options for
+	 * the {@link Saml2MetadataConfigurer}
+	 * @return the {@link HttpSecurity} for further customizations
+	 * @throws Exception
+	 * @since 6.1
+	 */
+	public HttpSecurity saml2Metadata(Customizer<Saml2MetadataConfigurer<HttpSecurity>> saml2MetadataConfigurer)
+			throws Exception {
+		saml2MetadataConfigurer.customize(getOrApply(new Saml2MetadataConfigurer<>(getContext())));
+		return HttpSecurity.this;
+	}
+
+	/**
+	 * Configures a SAML 2.0 metadata endpoint that presents relying party configurations
+	 * in an {@code <md:EntityDescriptor>} payload.
+	 *
+	 * <p>
+	 * By default, the endpoints are {@code /saml2/metadata} and
+	 * {@code /saml2/metadata/{registrationId}} though note that also
+	 * {@code /saml2/service-provider-metadata/{registrationId}} is recognized for
+	 * backward compatibility purposes.
+	 *
+	 * <p>
+	 * <h2>Example Configuration</h2>
+	 *
+	 * The following example shows the minimal configuration required, using a
+	 * hypothetical asserting party.
+	 *
+	 * <pre>
+	 *	&#064;EnableWebSecurity
+	 *	&#064;Configuration
+	 *	public class Saml2LogoutSecurityConfig {
+	 *		&#064;Bean
+	 *		public SecurityFilterChain web(HttpSecurity http) throws Exception {
+	 *			http
+	 *				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
+	 *				.saml2Metadata(Customizer.withDefaults());
+	 *			return http.build();
+	 *		}
+	 *
+	 *		&#064;Bean
+	 *		public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
+	 *			RelyingPartyRegistration registration = RelyingPartyRegistrations
+	 *					.withMetadataLocation("https://ap.example.org/metadata")
+	 *					.registrationId("simple")
+	 *					.build();
+	 *			return new InMemoryRelyingPartyRegistrationRepository(registration);
+	 *		}
+	 *	}
+	 * </pre>
+	 * @return the {@link Saml2MetadataConfigurer} for further customizations
+	 * @throws Exception
+	 * @since 6.1
+	 */
+	public Saml2MetadataConfigurer<HttpSecurity> saml2Metadata() throws Exception {
+		return getOrApply(new Saml2MetadataConfigurer<>(getContext()));
+	}
+
 	/**
 	 * Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0
 	 * Provider. <br>

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2MetadataConfigurer.java

@@ -0,0 +1,169 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configurers.saml2;
+
+import java.util.function.Function;
+
+import org.springframework.context.ApplicationContext;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
+import org.springframework.security.saml2.provider.service.metadata.RequestMatcherMetadataResponseResolver;
+import org.springframework.security.saml2.provider.service.metadata.Saml2MetadataResponseResolver;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link AbstractHttpConfigurer} for SAML 2.0 Metadata.
+ *
+ * <p>
+ * SAML 2.0 Metadata provides an application with the capability to publish configuration
+ * information as a {@code <md:EntityDescriptor>} or {@code <md:EntitiesDescriptor>}.
+ *
+ * <p>
+ * Defaults are provided for all configuration options with the only required
+ * configuration being a {@link Saml2LoginConfigurer#relyingPartyRegistrationRepository}.
+ * Alternatively, a {@link RelyingPartyRegistrationRepository} {@code @Bean} may be
+ * registered instead.
+ *
+ * <h2>Security Filters</h2>
+ *
+ * The following {@code Filter} is populated:
+ *
+ * <ul>
+ * <li>{@link Saml2MetadataFilter}</li>
+ * </ul>
+ *
+ * <h2>Shared Objects Created</h2>
+ *
+ * none
+ *
+ * <h2>Shared Objects Used</h2>
+ *
+ * The following shared objects are used:
+ *
+ * <ul>
+ * <li>{@link RelyingPartyRegistrationRepository} (required)</li>
+ * </ul>
+ *
+ * @since 6.1
+ * @see HttpSecurity#saml2Metadata()
+ * @see Saml2MetadataFilter
+ * @see RelyingPartyRegistrationRepository
+ */
+public class Saml2MetadataConfigurer<H extends HttpSecurityBuilder<H>>
+		extends AbstractHttpConfigurer<Saml2LogoutConfigurer<H>, H> {
+
+	private final ApplicationContext context;
+
+	private Function<RelyingPartyRegistrationRepository, Saml2MetadataResponseResolver> metadataResponseResolver;
+
+	public Saml2MetadataConfigurer(ApplicationContext context) {
+		this.context = context;
+	}
+
+	/**
+	 * Use this endpoint to request relying party metadata.
+	 *
+	 * <p>
+	 * If you specify a {@code registrationId} placeholder in the URL, then the filter
+	 * will lookup a {@link RelyingPartyRegistration} using that.
+	 *
+	 * <p>
+	 * If there is no {@code registrationId} and your
+	 * {@link RelyingPartyRegistrationRepository} is {code Iterable}, the metadata
+	 * endpoint will try and show all relying parties' metadata in a single
+	 * {@code <md:EntitiesDecriptor} element.
+	 *
+	 * <p>
+	 * If you need a more sophisticated lookup strategy than these, use
+	 * {@link #metadataResponseResolver} instead.
+	 * @param metadataUrl the url to use
+	 * @return the {@link Saml2MetadataConfigurer} for more customizations
+	 */
+	public Saml2MetadataConfigurer<H> metadataUrl(String metadataUrl) {
+		Assert.hasText(metadataUrl, "metadataUrl cannot be empty");
+		this.metadataResponseResolver = (registrations) -> {
+			RequestMatcherMetadataResponseResolver metadata = new RequestMatcherMetadataResponseResolver(registrations,
+					new OpenSamlMetadataResolver());
+			metadata.setRequestMatcher(new AntPathRequestMatcher(metadataUrl));
+			return metadata;
+		};
+		return this;
+	}
+
+	/**
+	 * Use this {@link Saml2MetadataResponseResolver} to parse the request and respond
+	 * with SAML 2.0 metadata.
+	 * @param metadataResponseResolver to use
+	 * @return the {@link Saml2MetadataConfigurer} for more customizations
+	 */
+	public Saml2MetadataConfigurer<H> metadataResponseResolver(Saml2MetadataResponseResolver metadataResponseResolver) {
+		Assert.notNull(metadataResponseResolver, "metadataResponseResolver cannot be null");
+		this.metadataResponseResolver = (registrations) -> metadataResponseResolver;
+		return this;
+	}
+
+	public H and() {
+		return getBuilder();
+	}
+
+	@Override
+	public void configure(H http) throws Exception {
+		Saml2MetadataResponseResolver metadataResponseResolver = createMetadataResponseResolver(http);
+		http.addFilterBefore(new Saml2MetadataFilter(metadataResponseResolver), BasicAuthenticationFilter.class);
+	}
+
+	private Saml2MetadataResponseResolver createMetadataResponseResolver(H http) {
+		if (this.metadataResponseResolver != null) {
+			RelyingPartyRegistrationRepository registrations = getRelyingPartyRegistrationRepository(http);
+			return this.metadataResponseResolver.apply(registrations);
+		}
+		Saml2MetadataResponseResolver metadataResponseResolver = getBeanOrNull(Saml2MetadataResponseResolver.class);
+		if (metadataResponseResolver != null) {
+			return metadataResponseResolver;
+		}
+		RelyingPartyRegistrationRepository registrations = getRelyingPartyRegistrationRepository(http);
+		return new RequestMatcherMetadataResponseResolver(registrations, new OpenSamlMetadataResolver());
+	}
+
+	private RelyingPartyRegistrationRepository getRelyingPartyRegistrationRepository(H http) {
+		Saml2LoginConfigurer<H> login = http.getConfigurer(Saml2LoginConfigurer.class);
+		if (login != null) {
+			return login.relyingPartyRegistrationRepository(http);
+		}
+		else {
+			return getBeanOrNull(RelyingPartyRegistrationRepository.class);
+		}
+	}
+
+	private <C> C getBeanOrNull(Class<C> clazz) {
+		if (this.context == null) {
+			return null;
+		}
+		if (this.context.getBeanNamesForType(clazz).length == 0) {
+			return null;
+		}
+		return this.context.getBean(clazz);
+	}
+
+}

config/src/main/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDsl.kt

@@ -677,6 +677,43 @@ class HttpSecurityDsl(private val http: HttpSecurity, private val init: HttpSecu
         this.http.saml2Login(saml2LoginCustomizer)
     }
 
+	/**
+	 * Configures a SAML 2.0 relying party metadata endpoint.
+	 *
+	 * A [RelyingPartyRegistrationRepository] is required and must be registered with
+	 * the [ApplicationContext] or configured via
+	 * [Saml2Dsl.relyingPartyRegistrationRepository]
+	 *
+	 * Example:
+	 *
+	 * The following example shows the minimal configuration required, using a
+	 * hypothetical asserting party.
+	 *
+	 * ```
+	 * @Configuration
+	 * @EnableWebSecurity
+	 * class SecurityConfig {
+	 *
+	 *     @Bean
+	 *     fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+	 *         http {
+	 *             saml2Login { }
+	 *             saml2Metadata { }
+	 *         }
+	 *         return http.build()
+	 *     }
+	 * }
+	 * ```
+	 * @param saml2MetadataConfiguration custom configuration to configure the
+	 * SAML2 relying party metadata endpoint
+	 * @see [Saml2MetadataDsl]
+	 * @since 6.1
+	 */
+	fun saml2Metadata(saml2MetadataConfiguration: Saml2MetadataDsl.() -> Unit) {
+		val saml2MetadataCustomizer = Saml2MetadataDsl().apply(saml2MetadataConfiguration).get()
+		this.http.saml2Metadata(saml2MetadataCustomizer)
+	}
+
     /**
      * Allows configuring how an anonymous user is represented.
      *

config/src/main/kotlin/org/springframework/security/config/annotation/web/Saml2MetadataDsl.kt

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web
+
+import org.springframework.security.authentication.AuthenticationManagerResolver
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.config.annotation.web.oauth2.resourceserver.JwtDsl
+import org.springframework.security.config.annotation.web.oauth2.resourceserver.OpaqueTokenDsl
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer
+import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver
+import org.springframework.security.web.AuthenticationEntryPoint
+import org.springframework.security.web.access.AccessDeniedHandler
+import jakarta.servlet.http.HttpServletRequest
+import org.springframework.security.config.annotation.web.configurers.saml2.Saml2MetadataConfigurer
+import org.springframework.security.saml2.provider.service.metadata.Saml2MetadataResponseResolver
+
+/**
+ * A Kotlin DSL to configure [HttpSecurity] SAML 2.0 relying party metadata support using
+ * idiomatic Kotlin code.
+ *
+ * @author Josh Cummings
+ * @since 6.1
+ * @property metadataUrl the name of the relying party metadata endpoint; defaults to `/saml2/metadata` and `/saml2/metadata/{registrationId}`
+ * @property metadataResponseResolver the [Saml2MetadataResponseResolver] to use for resolving the
+ * metadata request into metadata
+ */
+@SecurityMarker
+class Saml2MetadataDsl {
+    var metadataUrl: String? = null
+    var metadataResponseResolver: Saml2MetadataResponseResolver? = null
+
+    internal fun get(): (Saml2MetadataConfigurer<HttpSecurity>) -> Unit {
+        return { saml2Metadata ->
+            metadataResponseResolver?.also { saml2Metadata.metadataResponseResolver(metadataResponseResolver) }
+            metadataUrl?.also { saml2Metadata.metadataUrl(metadataUrl) }
+        }
+    }
+}