
Remove GET request support from Saml2AuthenticationTokenConverter #17108


Open
wants to merge 1 commit into
base: main

Conversation

Contributor

@ngocnhan-tran1996 ngocnhan-tran1996 commented May 14, 2025

I think we can define Boolean shouldInflate, and the following will be added to the decode method:

if (this.shouldInflate == null) {
	this.shouldInflate = HttpMethod.GET.matches(request.getMethod());
}

If not, this will break Saml2LoginBeanDefinitionParserTests and Saml2AuthenticationTokenConverterTests

Saml2LoginBeanDefinitionParserTests > authenticateWhenCustomAuthnRequestRepositoryThenUses() FAILED
    org.mockito.exceptions.verification.WantedButNotInvoked at Saml2LoginBeanDefinitionParserTests.java:323

Saml2LoginBeanDefinitionParserTests > authenticateWhenAuthenticationResponseValidThenAuthenticate() FAILED
    java.lang.AssertionError at Saml2LoginBeanDefinitionParserTests.java:213

Saml2LoginBeanDefinitionParserTests > authenticateWhenAuthenticationResponseValidThenAuthenticationSuccessEventPublished() FAILED
    java.lang.AssertionError at Saml2LoginBeanDefinitionParserTests.java:245

Saml2LoginBeanDefinitionParserTests > authenticateWhenCustomSecurityContextHolderStrategyThenUses() FAILED
    java.lang.AssertionError at Saml2LoginBeanDefinitionParserTests.java:228

Saml2LoginBeanDefinitionParserTests > authenticateWhenCustomAuthenticationManagerThenUses() FAILED
    java.lang.AssertionError at Saml2LoginBeanDefinitionParserTests.java:280

Issue: gh-17099

Signed-off-by: Tran Ngoc Nhan <[email protected]>
Contributor

@jzheaux jzheaux left a comment


Thanks, @ngocnhan-tran1996! I've left some feedback inline.

@@ -43,6 +43,8 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo

private Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository;

private Boolean shouldInflate;
Contributor


Please use boolean and give it an initial value of true. We typically reserve null in Boolean for "no opinion".

@@ -86,16 +88,26 @@ public void setAuthenticationRequestRepository(
this.authenticationRequestRepository = authenticationRequestRepository;
}

/**
* Use the given {@code shouldInflate} to inflate request.
Contributor


Please indicate the default value in this JavaDoc

private String decode(HttpServletRequest request) {
// prevent to break passivity in Saml2LoginBeanDefinitionParserTests
if (this.shouldInflate == null) {
this.shouldInflate = HttpMethod.GET.matches(request.getMethod());
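Review bot: independently of the thread-safety problem, the lazy assignment in decode() makes behaviour depend on whichever request reaches the converter first: a GET first pins shouldInflate to true for every later POST, and a POST first pins it to false for every later GET, so the comment about keeping passivity does not hold once mixed bindings are in play. Keep the field as setup-time configuration and compute the per-request decision in a local, e.g. `boolean inflate = this.shouldInflate && HttpMethod.GET.matches(request.getMethod());`, which also removes the null branch.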
Contributor


This is not thread-safe since multiple requests will use the same instance of this class. Please approach this in a way that does not involve updating a member variable.
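An added illustration of the point above (not code from this PR or from Spring Security): a converter whose flag is assigned from the first request it sees, next to one whose flag is setup-time configuration with an explicit default and whose per-request decision stays in a local. The class and method names are hypothetical and the SAML response is a constructed stand-in; "inflate" here is raw DEFLATE as used for the GET (Redirect) wire form.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.function.Function;
import java.util.zip.*;
public class InflateDecisionDemo {
	// Pattern from the PR: a shared nullable flag assigned on first use, so the first request's method wins.
	static final class LazyConverter {
		private Boolean shouldInflate;
		String decode(String method, String samlResponse) throws IOException {
			if (this.shouldInflate == null) {
				this.shouldInflate = "GET".equals(method); // mutates shared state on the request path
			}
			return decodeBytes(samlResponse, this.shouldInflate);
		}
	}
	// Stateless variant: explicit setup-time default; the per-request decision stays in a local.
	static final class StatelessConverter {
		private boolean shouldInflate = true;
		String decode(String method, String samlResponse) throws IOException {
			boolean inflate = this.shouldInflate && "GET".equals(method);
			return decodeBytes(samlResponse, inflate);
		}
	}
	// Wire forms: deflated+base64 for GET (raw DEFLATE, Inflater "nowrap"), plain base64 for POST.
	static String decodeBytes(String value, boolean inflate) throws IOException {
		byte[] bytes = Base64.getDecoder().decode(value);
		if (inflate) bytes = through(bytes, o -> new InflaterOutputStream(o, new Inflater(true)));
		return new String(bytes, StandardCharsets.UTF_8);
	}
	static String encode(String xml, boolean deflate) throws IOException {
		byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
		if (deflate) bytes = through(bytes, o -> new DeflaterOutputStream(o, new Deflater(Deflater.DEFAULT_COMPRESSION, true)));
		return Base64.getEncoder().encodeToString(bytes);
	}
	static byte[] through(byte[] in, Function<ByteArrayOutputStream, OutputStream> wrap) throws IOException {
		ByteArrayOutputStream out = new ByteArrayOutputStream();
		try (OutputStream s = wrap.apply(out)) { s.write(in); }
		return out.toByteArray();
	}
	public static void main(String[] args) throws IOException {
		String xml = "<Response ID=\"constructed-sample\"/>"; // constructed sample, not a real SAML response
		LazyConverter lazy = new LazyConverter();
		lazy.decode("GET", encode(xml, true)); // first request seen is a GET: the flag is now fixed to true
		String viaLazy = "inflate error";
		try { viaLazy = lazy.decode("POST", encode(xml, false)); } catch (IOException expected) { /* non-DEFLATE input */ }
		System.out.println("lazy converter decodes a later POST correctly: " + xml.equals(viaLazy));
		System.out.println("stateless converter decodes POST correctly: " + xml.equals(new StatelessConverter().decode("POST", encode(xml, false))));
	}
}
```

Run it once as-is and once with the two lazy.decode() calls swapped; the lazy converter's result flips with the order while the stateless one does not.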

@@ -61,6 +61,7 @@ public class Saml2AuthenticationTokenConverterTests {
public void convertWhenSamlResponseThenToken() {
Saml2AuthenticationTokenConverter converter = new Saml2AuthenticationTokenConverter(
this.relyingPartyRegistrationResolver);
converter.setShouldInflateResponse(false);
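Review bot: the setter called here, setShouldInflateResponse, does not match the name used for the field and in the Javadoc in the hunks above (shouldInflate); pick one name and use it for the field, the setter and the Javadoc. Changing the setup of the existing convertWhenSamlResponseThenToken test also hides whether the default configuration still passes it; keep that test as it was and cover the non-default path in a new test that sets the flag to false and sends a GET.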
Contributor


Please don't alter any unit tests. In this way, we can have high confidence that the change is a passive one.

That said, I believe adding a test would be a good idea. I think we should test when shouldInflate is false and the request is a GET.

Contributor Author

@ngocnhan-tran1996 ngocnhan-tran1996 May 15, 2025


Please don't alter any unit tests.

This is unclear to me. I've made changes on my local machine, and some tests will fail. We should either set the value to false to keep it passive, or update the expected results in the tests. Which option should we choose?

Labels
status: waiting-for-triage An issue we've not yet triaged