Revert "Merge branch 'spring-projects:main' into csrf-docs"

This reverts commit 938ffe8, reversing
changes made to 6e3ffd9.

Author: Junhyunny

.github/workflows/mark-duplicate-dependabot-prs.yml

@@ -1,10 +1,18 @@
-name: Mark Duplicate Dependabot PRs
+name: Mark Duplicate PRs
 
 on:
   pull_request:
     types: [closed]
 
 jobs:
+  debug:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Debug Event Payload
+        run: |
+          echo "Merged: ${{ github.event.pull_request.merged }}"
+          echo "User Login: ${{ github.event.pull_request.user.login }}"
+
   check_duplicate_prs:
     runs-on: ubuntu-latest
     if: github.event.pull_request.merged == true && github.event.pull_request.user.login == 'dependabot[bot]'
@@ -25,7 +33,7 @@ jobs:
           DEPENDENCY_NAME: ${{ steps.extract.outputs.dependency_name }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          PRS=$(gh pr list --search 'milestone:${{ github.event.pull_request.milestone.title }} is:merged in:title "$DEPENDENCY_NAME"' --json number --jq 'map(.number) | join(",")')
+          PRS=$(gh pr list --search "milestone:${{ github.event.pull_request.milestone.title }} is:merged $DEPENDENCY_NAME" --json number --jq 'map(.number) | join(",")')
           echo "prs=$PRS" >> $GITHUB_OUTPUT
 
       - name: Label Duplicate PRs

aspects/src/test/java/org/springframework/security/authorization/method/aspectj/PreAuthorizeAspectTests.java

@@ -47,8 +47,6 @@ public class PreAuthorizeAspectTests {
 
 	private PrePostSecured prePostSecured = new PrePostSecured();
 
-	private MultipleInterfaces multiple = new MultipleInterfaces();
-
 	@BeforeEach
 	public final void setUp() {
 		MockitoAnnotations.initMocks(this);
@@ -112,12 +110,6 @@ public void nestedDenyAllPreAuthorizeDeniesAccess() {
 			.isThrownBy(() -> this.secured.myObject().denyAllMethod());
 	}
 
-	@Test
-	public void multipleInterfacesPreAuthorizeAllows() {
-		// aspectj doesn't inherit annotations
-		this.multiple.securedMethod();
-	}
-
 	interface SecuredInterface {
 
 		@PreAuthorize("hasRole('X')")
@@ -185,19 +177,4 @@ void denyAllMethod() {
 
 	}
 
-	interface AnotherSecuredInterface {
-
-		@PreAuthorize("hasRole('Y')")
-		void securedMethod();
-
-	}
-
-	static class MultipleInterfaces implements SecuredInterface, AnotherSecuredInterface {
-
-		@Override
-		public void securedMethod() {
-		}
-
-	}
-
 }

config/src/main/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistry.java

@@ -315,7 +315,7 @@ private boolean isDispatcherServlet(ServletRegistration registration) {
 		}
 	}
 
-	private static String computeErrorMessage(Collection<? extends ServletRegistration> registrations) {
+	private String computeErrorMessage(Collection<? extends ServletRegistration> registrations) {
 		String template = "This method cannot decide whether these patterns are Spring MVC patterns or not. "
 				+ "If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher); "
 				+ "otherwise, please use requestMatchers(AntPathRequestMatcher).\n\n"
@@ -509,7 +509,7 @@ static class DispatcherServletRequestMatcher implements RequestMatcher {
 		public boolean matches(HttpServletRequest request) {
 			String name = request.getHttpServletMapping().getServletName();
 			ServletRegistration registration = this.servletContext.getServletRegistration(name);
-			Assert.notNull(registration, computeErrorMessage(this.servletContext.getServletRegistrations().values()));
+			Assert.notNull(name, "Failed to find servlet [" + name + "] in the servlet context");
 			try {
 				Class<?> clazz = Class.forName(registration.getClassName());
 				return DispatcherServlet.class.isAssignableFrom(clazz);
@@ -551,12 +551,18 @@ RequestMatcher requestMatcher(HttpServletRequest request) {
 
 		@Override
 		public boolean matches(HttpServletRequest request) {
-			return requestMatcher(request).matches(request);
+			if (this.dispatcherServlet.matches(request)) {
+				return this.mvc.matches(request);
+			}
+			return this.ant.matches(request);
 		}
 
 		@Override
 		public MatchResult matcher(HttpServletRequest request) {
-			return requestMatcher(request).matcher(request);
+			if (this.dispatcherServlet.matches(request)) {
+				return this.mvc.matcher(request);
+			}
+			return this.ant.matcher(request);
 		}
 
 		@Override

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -16,13 +16,9 @@
 
 package org.springframework.security.config.annotation.web.configurers.saml2;
 
-import java.util.ArrayList;
 import java.util.LinkedHashMap;
-import java.util.List;
 import java.util.Map;
 
-import jakarta.servlet.http.HttpServletRequest;
-
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -37,7 +33,6 @@
 import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
-import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
 import org.springframework.security.saml2.provider.service.web.HttpSessionSaml2AuthenticationRequestRepository;
 import org.springframework.security.saml2.provider.service.web.OpenSamlAuthenticationTokenConverter;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
@@ -55,7 +50,6 @@
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
-import org.springframework.security.web.util.matcher.ParameterRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatchers;
@@ -117,13 +111,7 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 
 	private String loginPage;
 
-	private String authenticationRequestUri = "/saml2/authenticate";
-
-	private String[] authenticationRequestParams = { "registrationId={registrationId}" };
-
-	private RequestMatcher authenticationRequestMatcher = RequestMatchers.anyOf(
-			new AntPathRequestMatcher(Saml2AuthenticationRequestResolver.DEFAULT_AUTHENTICATION_REQUEST_URI),
-			new AntPathQueryRequestMatcher(this.authenticationRequestUri, this.authenticationRequestParams));
+	private String authenticationRequestUri = Saml2AuthenticationRequestResolver.DEFAULT_AUTHENTICATION_REQUEST_URI;
 
 	private Saml2AuthenticationRequestResolver authenticationRequestResolver;
 
@@ -208,31 +196,11 @@ public Saml2LoginConfigurer<B> authenticationRequestResolver(
 	 * Request
 	 * @return the {@link Saml2LoginConfigurer} for further configuration
 	 * @since 6.0
-	 * @deprecated Use {@link #authenticationRequestUriQuery} instead
 	 */
 	public Saml2LoginConfigurer<B> authenticationRequestUri(String authenticationRequestUri) {
-		return authenticationRequestUriQuery(authenticationRequestUri);
-	}
-
-	/**
-	 * Customize the URL that the SAML Authentication Request will be sent to. This method
-	 * also supports query parameters like so: <pre>
-	 * 	authenticationRequestUriQuery("/saml/authenticate?registrationId={registrationId}")
-	 * </pre> {@link RelyingPartyRegistrations}
-	 * @param authenticationRequestUriQuery the URI and query to use for the SAML 2.0
-	 * Authentication Request
-	 * @return the {@link Saml2LoginConfigurer} for further configuration
-	 * @since 6.0
-	 */
-	public Saml2LoginConfigurer<B> authenticationRequestUriQuery(String authenticationRequestUriQuery) {
-		Assert.state(authenticationRequestUriQuery.contains("{registrationId}"),
-				"authenticationRequestUri must contain {registrationId} path variable or query value");
-		String[] parts = authenticationRequestUriQuery.split("[?&]");
-		this.authenticationRequestUri = parts[0];
-		this.authenticationRequestParams = new String[parts.length - 1];
-		System.arraycopy(parts, 1, this.authenticationRequestParams, 0, parts.length - 1);
-		this.authenticationRequestMatcher = new AntPathQueryRequestMatcher(this.authenticationRequestUri,
-				this.authenticationRequestParams);
+		Assert.state(authenticationRequestUri.contains("{registrationId}"),
+				"authenticationRequestUri must contain {registrationId} path variable");
+		this.authenticationRequestUri = authenticationRequestUri;
 		return this;
 	}
 
@@ -287,7 +255,7 @@ public void init(B http) throws Exception {
 		}
 		else {
 			Map<String, String> providerUrlMap = getIdentityProviderUrlMap(this.authenticationRequestUri,
-					this.authenticationRequestParams, this.relyingPartyRegistrationRepository);
+					this.relyingPartyRegistrationRepository);
 			boolean singleProvider = providerUrlMap.size() == 1;
 			if (singleProvider) {
 				// Setup auto-redirect to provider login page
@@ -368,7 +336,8 @@ private Saml2AuthenticationRequestResolver getAuthenticationRequestResolver(B ht
 		}
 		OpenSaml4AuthenticationRequestResolver openSaml4AuthenticationRequestResolver = new OpenSaml4AuthenticationRequestResolver(
 				relyingPartyRegistrationRepository(http));
-		openSaml4AuthenticationRequestResolver.setRequestMatcher(this.authenticationRequestMatcher);
+		openSaml4AuthenticationRequestResolver
+			.setRequestMatcher(new AntPathRequestMatcher(this.authenticationRequestUri));
 		return openSaml4AuthenticationRequestResolver;
 	}
 
@@ -413,28 +382,20 @@ private void initDefaultLoginFilter(B http) {
 			return;
 		}
 		loginPageGeneratingFilter.setSaml2LoginEnabled(true);
-		loginPageGeneratingFilter
-			.setSaml2AuthenticationUrlToProviderName(this.getIdentityProviderUrlMap(this.authenticationRequestUri,
-					this.authenticationRequestParams, this.relyingPartyRegistrationRepository));
+		loginPageGeneratingFilter.setSaml2AuthenticationUrlToProviderName(
+				this.getIdentityProviderUrlMap(this.authenticationRequestUri, this.relyingPartyRegistrationRepository));
 		loginPageGeneratingFilter.setLoginPageUrl(this.getLoginPage());
 		loginPageGeneratingFilter.setFailureUrl(this.getFailureUrl());
 	}
 
 	@SuppressWarnings("unchecked")
-	private Map<String, String> getIdentityProviderUrlMap(String authRequestPrefixUrl, String[] authRequestQueryParams,
+	private Map<String, String> getIdentityProviderUrlMap(String authRequestPrefixUrl,
 			RelyingPartyRegistrationRepository idpRepo) {
 		Map<String, String> idps = new LinkedHashMap<>();
 		if (idpRepo instanceof Iterable) {
 			Iterable<RelyingPartyRegistration> repo = (Iterable<RelyingPartyRegistration>) idpRepo;
-			StringBuilder authRequestQuery = new StringBuilder("?");
-			for (String authRequestQueryParam : authRequestQueryParams) {
-				authRequestQuery.append(authRequestQueryParam + "&");
-			}
-			authRequestQuery.deleteCharAt(authRequestQuery.length() - 1);
-			String authenticationRequestUriQuery = authRequestPrefixUrl + authRequestQuery;
-			repo.forEach(
-					(p) -> idps.put(authenticationRequestUriQuery.replace("{registrationId}", p.getRegistrationId()),
-							p.getRegistrationId()));
+			repo.forEach((p) -> idps.put(authRequestPrefixUrl.replace("{registrationId}", p.getRegistrationId()),
+					p.getRegistrationId()));
 		}
 		return idps;
 	}
@@ -476,35 +437,4 @@ private <C> void setSharedObject(B http, Class<C> clazz, C object) {
 		}
 	}
 
-	static class AntPathQueryRequestMatcher implements RequestMatcher {
-
-		private final RequestMatcher matcher;
-
-		AntPathQueryRequestMatcher(String path, String... params) {
-			List<RequestMatcher> matchers = new ArrayList<>();
-			matchers.add(new AntPathRequestMatcher(path));
-			for (String param : params) {
-				String[] parts = param.split("=");
-				if (parts.length == 1) {
-					matchers.add(new ParameterRequestMatcher(parts[0]));
-				}
-				else {
-					matchers.add(new ParameterRequestMatcher(parts[0], parts[1]));
-				}
-			}
-			this.matcher = new AndRequestMatcher(matchers);
-		}
-
-		@Override
-		public boolean matches(HttpServletRequest request) {
-			return matcher(request).isMatch();
-		}
-
-		@Override
-		public MatchResult matcher(HttpServletRequest request) {
-			return this.matcher.matcher(request);
-		}
-
-	}
-
 }

config/src/main/java/org/springframework/security/config/saml2/RelyingPartyRegistrationsBeanDefinitionParser.java

@@ -39,7 +39,6 @@
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.security.converter.RsaKeyConverters;
 import org.springframework.security.saml2.core.Saml2X509Credential;
-import org.springframework.security.saml2.provider.service.registration.AssertingPartyMetadata;
 import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
@@ -154,7 +153,7 @@ private static Map<String, Map<String, Object>> getAssertingParties(Element elem
 	}
 
 	private static void addVerificationCredentials(Map<String, Object> assertingParty,
-			AssertingPartyMetadata.Builder<?> builder) {
+			RelyingPartyRegistration.AssertingPartyDetails.Builder builder) {
 		List<String> verificationCertificateLocations = (List<String>) assertingParty.get(ELT_VERIFICATION_CREDENTIAL);
 		List<Saml2X509Credential> verificationCredentials = new ArrayList<>();
 		for (String certificateLocation : verificationCertificateLocations) {
@@ -164,7 +163,7 @@ private static void addVerificationCredentials(Map<String, Object> assertingPart
 	}
 
 	private static void addEncryptionCredentials(Map<String, Object> assertingParty,
-			AssertingPartyMetadata.Builder<?> builder) {
+			RelyingPartyRegistration.AssertingPartyDetails.Builder builder) {
 		List<String> encryptionCertificateLocations = (List<String>) assertingParty.get(ELT_ENCRYPTION_CREDENTIAL);
 		List<Saml2X509Credential> encryptionCredentials = new ArrayList<>();
 		for (String certificateLocation : encryptionCertificateLocations) {
@@ -221,8 +220,8 @@ private static RelyingPartyRegistration.Builder getBuilderFromMetadataLocationIf
 		}
 		else {
 			builder = RelyingPartyRegistration.withRegistrationId(registrationId)
-				.assertingPartyMetadata((apBuilder) -> buildAssertingParty(relyingPartyRegistrationElt,
-						assertingParties, apBuilder, parserContext));
+				.assertingPartyDetails((apBuilder) -> buildAssertingParty(relyingPartyRegistrationElt, assertingParties,
+						apBuilder, parserContext));
 		}
 		addRemainingProperties(relyingPartyRegistrationElt, builder);
 		return builder;
@@ -261,7 +260,7 @@ private static void addRemainingProperties(Element relyingPartyRegistrationElt,
 	}
 
 	private static void buildAssertingParty(Element relyingPartyElt, Map<String, Map<String, Object>> assertingParties,
-			AssertingPartyMetadata.Builder<?> builder, ParserContext parserContext) {
+			RelyingPartyRegistration.AssertingPartyDetails.Builder builder, ParserContext parserContext) {
 		String assertingPartyId = relyingPartyElt.getAttribute(ATT_ASSERTING_PARTY_ID);
 		if (!assertingParties.containsKey(assertingPartyId)) {
 			Object source = parserContext.extractSource(relyingPartyElt);
@@ -294,7 +293,7 @@ private static void buildAssertingParty(Element relyingPartyElt, Map<String, Map
 	}
 
 	private static void addSigningAlgorithms(Map<String, Object> assertingParty,
-			AssertingPartyMetadata.Builder<?> builder) {
+			RelyingPartyRegistration.AssertingPartyDetails.Builder builder) {
 		String signingAlgorithmsAttr = getAsString(assertingParty, ATT_SIGNING_ALGORITHMS);
 		if (StringUtils.hasText(signingAlgorithmsAttr)) {
 			List<String> signingAlgorithms = Arrays.asList(signingAlgorithmsAttr.split(","));

config/src/main/kotlin/org/springframework/security/config/annotation/web/Saml2Dsl.kt

@@ -48,7 +48,6 @@ import org.springframework.security.web.authentication.AuthenticationSuccessHand
 class Saml2Dsl {
     var relyingPartyRegistrationRepository: RelyingPartyRegistrationRepository? = null
     var loginPage: String? = null
-    var authenticationRequestUriQuery: String? = null
     var authenticationSuccessHandler: AuthenticationSuccessHandler? = null
     var authenticationFailureHandler: AuthenticationFailureHandler? = null
     var failureUrl: String? = null
@@ -89,9 +88,6 @@ class Saml2Dsl {
             defaultSuccessUrlOption?.also {
                 saml2Login.defaultSuccessUrl(defaultSuccessUrlOption!!.first, defaultSuccessUrlOption!!.second)
             }
-            authenticationRequestUriQuery?.also {
-                saml2Login.authenticationRequestUriQuery(authenticationRequestUriQuery)
-            }
             authenticationSuccessHandler?.also { saml2Login.successHandler(authenticationSuccessHandler) }
             authenticationFailureHandler?.also { saml2Login.failureHandler(authenticationFailureHandler) }
             authenticationManager?.also { saml2Login.authenticationManager(authenticationManager) }

config/src/test/java/org/springframework/security/config/annotation/web/AbstractRequestMatcherRegistryTests.java

@@ -341,19 +341,6 @@ public void matchesWhenDispatcherServletThenMvc() {
 		verifyNoMoreInteractions(mvc);
 	}
 
-	@Test
-	public void matchesWhenNoMappingThenException() {
-		MockServletContext servletContext = new MockServletContext();
-		servletContext.addServlet("default", DispatcherServlet.class).addMapping("/");
-		servletContext.addServlet("path", Servlet.class).addMapping("/services/*");
-		MvcRequestMatcher mvc = mock(MvcRequestMatcher.class);
-		AntPathRequestMatcher ant = mock(AntPathRequestMatcher.class);
-		DispatcherServletDelegatingRequestMatcher requestMatcher = new DispatcherServletDelegatingRequestMatcher(ant,
-				mvc, servletContext);
-		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/services/endpoint");
-		assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> requestMatcher.matcher(request));
-	}
-
 	private void mockMvcIntrospector(boolean isPresent) {
 		ApplicationContext context = this.matcherRegistry.getApplicationContext();
 		given(context.containsBean("mvcHandlerMappingIntrospector")).willReturn(isPresent);