Remove GET request support from Saml2AuthenticationTokenConverter #17099

@jzheaux

Description

Saml2AuthenticationTokenConverter tests whether the HTTP method is GET in order to correctly translate the SAMLResponse parameter.

However, neither the SAML spec nor Spring Security support processing the <saml2:Response> in a GET request. As such, we should remove this to alleviate confusion.

To keep the upgrade passive, the first step is to add a property that defaults to true:

public void setShouldInflateResponse(boolean shouldInflate);

In Spring Security 8, this can be deprecated and switched to false, then in Spring Security 9 it can be removed.

  • Add setShouldInflateResponse
  • Deprecate setShouldInflateResponse
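The two SAMLResponse encodings the converter has to tell apart, as an added example that is not part of the issue and not Spring Security's own code. HTTP-POST carries the Response as plain base64; HTTP-Redirect (a GET) carries it as raw DEFLATE then base64. The decoder below mirrors the behaviour the issue describes (inflate only on GET) and models the proposed shouldInflateResponse property as a should_inflate argument; all function names and the sample Response document are assumptions constructed for the example.

```python
import base64
import zlib

# Constructed sample: a minimal, not schema-valid, Response document used only
# to exercise the two encodings.
SAMPLE_RESPONSE = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0"/>'
)


def encode_post_binding(xml: str) -> str:
    """HTTP-POST binding: SAMLResponse is the base64 of the XML, nothing more."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    compressor = zlib.compressobj(wbits=-15)
    data = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_response(param: str, http_method: str, should_inflate: bool = True) -> str:
    """Hypothetical mirror of the converter's logic as described in the issue:
    base64-decode, then inflate only when the request is a GET and inflation is
    enabled (should_inflate models the proposed shouldInflateResponse property)."""
    raw = base64.b64decode(param, validate=True)
    if http_method.upper() == "GET" and should_inflate:
        raw = zlib.decompress(raw, wbits=-15)
    return raw.decode("utf-8")


def try_decode(param: str, http_method: str, should_inflate: bool = True):
    """Return (True, xml) on success or (False, error text) when decoding fails,
    so the mismatch case (plain base64 arriving on a GET) can be inspected."""
    try:
        return True, decode_saml_response(param, http_method, should_inflate)
    except (zlib.error, ValueError, UnicodeDecodeError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    post_param = encode_post_binding(SAMPLE_RESPONSE)
    redirect_param = encode_redirect_binding(SAMPLE_RESPONSE)
    print("POST, no inflate      :", try_decode(post_param, "POST")[0])
    print("GET, inflate          :", try_decode(redirect_param, "GET")[0])
    # A plain-base64 Response delivered on a GET is wrongly inflated today;
    # with the proposed property switched off it decodes like the POST case.
    print("GET, plain b64, inflate on :", try_decode(post_param, "GET", True))
    print("GET, plain b64, inflate off:", try_decode(post_param, "GET", False)[0])
```

The last two calls show the confusion the issue targets: with inflation tied to the HTTP method, a base64-only payload on a GET is fed through DEFLATE and fails, whereas with should_inflate=False the method no longer influences decoding.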
