Add shouldConvertGetRequests property

Signed-off-by: Tran Ngoc Nhan <[email protected]>

Author: ngocnhan-tran1996

config/src/test/java/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2025 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,6 +47,7 @@
 import org.springframework.security.saml2.core.Saml2Utils;
 import org.springframework.security.saml2.core.TestSaml2X509Credentials;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;
 import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest;
@@ -74,7 +75,6 @@
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@@ -210,11 +210,12 @@ public void authenticateWhenAuthenticationResponseValidThenAuthenticate() throws
 		// @formatter:off
 		this.mvc.perform(post("/login/saml2/sso/" + relyingPartyRegistration.getRegistrationId()).param(Saml2ParameterNames.SAML_RESPONSE, SIGNED_RESPONSE))
 				.andDo(MockMvcResultHandlers.print())
-				.andExpect(status().is3xxRedirection());
+				.andExpect(status().is2xxSuccessful());
 		// @formatter:on
 		ArgumentCaptor<Authentication> authenticationCaptor = ArgumentCaptor.forClass(Authentication.class);
-		verify(this.authenticationSuccessHandler, never()).onAuthenticationSuccess(any(), any(),
-				authenticationCaptor.capture());
+		verify(this.authenticationSuccessHandler).onAuthenticationSuccess(any(), any(), authenticationCaptor.capture());
+		Authentication authentication = authenticationCaptor.getValue();
+		assertThat(authentication.getPrincipal()).isInstanceOf(Saml2AuthenticatedPrincipal.class);
 	}
 
 	@Test
@@ -224,11 +225,12 @@ public void authenticateWhenCustomSecurityContextHolderStrategyThenUses() throws
 		// @formatter:off
 		this.mvc.perform(post("/login/saml2/sso/" + relyingPartyRegistration.getRegistrationId()).param(Saml2ParameterNames.SAML_RESPONSE, SIGNED_RESPONSE))
 				.andDo(MockMvcResultHandlers.print())
-				.andExpect(status().is3xxRedirection());
+				.andExpect(status().is2xxSuccessful());
 		// @formatter:on
 		ArgumentCaptor<Authentication> authenticationCaptor = ArgumentCaptor.forClass(Authentication.class);
-		verify(this.authenticationSuccessHandler, never()).onAuthenticationSuccess(any(), any(),
-				authenticationCaptor.capture());
+		verify(this.authenticationSuccessHandler).onAuthenticationSuccess(any(), any(), authenticationCaptor.capture());
+		Authentication authentication = authenticationCaptor.getValue();
+		assertThat(authentication.getPrincipal()).isInstanceOf(Saml2AuthenticatedPrincipal.class);
 		SecurityContextHolderStrategy strategy = this.spring.getContext().getBean(SecurityContextHolderStrategy.class);
 		verify(strategy, atLeastOnce()).getContext();
 	}
@@ -240,8 +242,9 @@ public void authenticateWhenAuthenticationResponseValidThenAuthenticationSuccess
 		// @formatter:off
 		this.mvc.perform(post("/login/saml2/sso/" + relyingPartyRegistration.getRegistrationId()).param(Saml2ParameterNames.SAML_RESPONSE, SIGNED_RESPONSE))
 				.andDo(MockMvcResultHandlers.print())
-				.andExpect(status().is3xxRedirection());
+				.andExpect(status().is2xxSuccessful());
 		// @formatter:on
+		verify(this.authenticationSuccessListener).onApplicationEvent(any(AuthenticationSuccessEvent.class));
 	}
 
 	@Test
@@ -274,8 +277,8 @@ public void authenticateWhenCustomAuthenticationManagerThenUses() throws Excepti
 		MockHttpServletRequestBuilder request = post("/login/saml2/sso/" + relyingPartyRegistration.getRegistrationId())
 				.param("SAMLResponse", SIGNED_RESPONSE);
 		// @formatter:on
-		this.mvc.perform(request).andExpect(status().is3xxRedirection()).andExpect(redirectedUrl("/login?error"));
-		verify(authenticationManager, never()).authenticate(any());
+		this.mvc.perform(request).andExpect(status().is3xxRedirection()).andExpect(redirectedUrl("/"));
+		verify(authenticationManager).authenticate(any());
 	}
 
 	@Test
@@ -317,6 +320,8 @@ public void authenticateWhenCustomAuthnRequestRepositoryThenUses() throws Except
 				SIGNED_RESPONSE);
 		this.mvc.perform(request);
 		verify(this.authenticationRequestRepository).loadAuthenticationRequest(any(HttpServletRequest.class));
+		verify(this.authenticationRequestRepository).removeAuthenticationRequest(any(HttpServletRequest.class),
+				any(HttpServletResponse.class));
 	}
 
 	@Test

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverter.java

@@ -18,6 +18,7 @@
 
 import jakarta.servlet.http.HttpServletRequest;
 
+import org.springframework.http.HttpMethod;
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
 import org.springframework.security.saml2.core.Saml2ParameterNames;
@@ -42,7 +43,7 @@ public final class Saml2AuthenticationTokenConverter implements AuthenticationCo
 
 	private Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> authenticationRequestRepository;
 
-	private boolean shouldInflateResponse = true;
+	private boolean shouldConvertGetRequests = true;
 
 	/**
 	 * Constructs a {@link Saml2AuthenticationTokenConverter} given a strategy for
@@ -88,22 +89,26 @@ public void setAuthenticationRequestRepository(
 	}
 
 	/**
-	 * Use the given {@code shouldInflateResponse} to inflate request. Default is
-	 * {@code true}.
-	 * @param shouldInflateResponse the {@code shouldInflateResponse} to use
+	 * Use the given {@code shouldConvertGetRequests} to convert {@code GET} requests.
+	 * Default is {@code true}.
+	 * @param shouldConvertGetRequests the {@code shouldConvertGetRequests} to use
 	 * @since 7.0
 	 */
-	public void setShouldInflateResponse(boolean shouldInflateResponse) {
-		this.shouldInflateResponse = shouldInflateResponse;
+	public void setShouldConvertGetRequests(boolean shouldConvertGetRequests) {
+		this.shouldConvertGetRequests = shouldConvertGetRequests;
 	}
 
 	private String decode(HttpServletRequest request) {
 		String encoded = request.getParameter(Saml2ParameterNames.SAML_RESPONSE);
 		if (encoded == null) {
 			return null;
 		}
+		boolean isGet = HttpMethod.GET.matches(request.getMethod());
+		if (!this.shouldConvertGetRequests && isGet) {
+			return null;
+		}
 		try {
-			return Saml2Utils.withEncoded(encoded).requireBase64(true).inflate(this.shouldInflateResponse).decode();
+			return Saml2Utils.withEncoded(encoded).requireBase64(true).inflate(isGet).decode();
 		}
 		catch (Exception ex) {
 			throw new Saml2AuthenticationException(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, ex.getMessage()),

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/Saml2AuthenticationTokenConverterTests.java

@@ -67,8 +67,7 @@ public void convertWhenSamlResponseThenToken() {
 		request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
 				Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
 		Saml2AuthenticationToken token = converter.convert(request);
-		assertThat(token.getSaml2Response())
-			.isEqualTo(Saml2Utils.samlInflate("response".getBytes(StandardCharsets.UTF_8)));
+		assertThat(token.getSaml2Response()).isEqualTo("response");
 		assertThat(token.getRelyingPartyRegistration().getRegistrationId())
 			.isEqualTo(this.relyingPartyRegistration.getRegistrationId());
 	}
@@ -82,8 +81,7 @@ public void convertWhenSamlResponseWithRelyingPartyRegistrationResolver(
 		request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
 				Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
 		Saml2AuthenticationToken token = converter.convert(request);
-		assertThat(token.getSaml2Response())
-			.isEqualTo(Saml2Utils.samlInflate("response".getBytes(StandardCharsets.UTF_8)));
+		assertThat(token.getSaml2Response()).isEqualTo("response");
 		assertThat(token.getRelyingPartyRegistration().getRegistrationId())
 			.isEqualTo(this.relyingPartyRegistration.getRegistrationId());
 		verify(resolver).resolve(any(), isNull());
@@ -160,18 +158,15 @@ public void convertWhenGetRequestInvalidDeflatedThenSaml2AuthenticationException
 	}
 
 	@Test
-	public void convertWhenUsingSamlUtilsBase64ThenSaml2AuthenticationException() throws Exception {
+	public void convertWhenUsingSamlUtilsBase64ThenXmlIsValid() throws Exception {
 		Saml2AuthenticationTokenConverter converter = new Saml2AuthenticationTokenConverter(
 				this.relyingPartyRegistrationResolver);
 		given(this.relyingPartyRegistrationResolver.resolve(any(HttpServletRequest.class), any()))
 			.willReturn(this.relyingPartyRegistration);
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		request.setParameter(Saml2ParameterNames.SAML_RESPONSE, getSsoCircleEncodedXml());
-		assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> converter.convert(request))
-			.withRootCauseInstanceOf(IOException.class)
-			.satisfies(
-					(ex) -> assertThat(ex.getSaml2Error().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_RESPONSE))
-			.satisfies((ex) -> assertThat(ex.getSaml2Error().getDescription()).isEqualTo("Unable to inflate string"));
+		Saml2AuthenticationToken token = converter.convert(request);
+		validateSsoCircleXml(token.getSaml2Response());
 	}
 
 	@Test
@@ -192,8 +187,7 @@ public void convertWhenSavedAuthenticationRequestThenToken() {
 		request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
 				Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
 		Saml2AuthenticationToken token = converter.convert(request);
-		assertThat(token.getSaml2Response())
-			.isEqualTo(Saml2Utils.samlInflate("response".getBytes(StandardCharsets.UTF_8)));
+		assertThat(token.getSaml2Response()).isEqualTo("response");
 		assertThat(token.getRelyingPartyRegistration().getRegistrationId())
 			.isEqualTo(this.relyingPartyRegistration.getRegistrationId());
 		assertThat(token.getAuthenticationRequest()).isEqualTo(authenticationRequest);
@@ -216,8 +210,7 @@ public void convertWhenSavedAuthenticationRequestThenTokenWithRelyingPartyRegist
 		request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
 				Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
 		Saml2AuthenticationToken token = converter.convert(request);
-		assertThat(token.getSaml2Response())
-			.isEqualTo(Saml2Utils.samlInflate("response".getBytes(StandardCharsets.UTF_8)));
+		assertThat(token.getSaml2Response()).isEqualTo("response");
 		assertThat(token.getRelyingPartyRegistration().getRegistrationId())
 			.isEqualTo(this.relyingPartyRegistration.getRegistrationId());
 		assertThat(token.getAuthenticationRequest()).isEqualTo(authenticationRequest);
@@ -238,20 +231,18 @@ public void setAuthenticationRequestRepositoryWhenNullThenIllegalArgument() {
 	}
 
 	@Test
-	public void convertWhenGetRequestAndShouldNotInflateResponse() {
+	public void shouldNotConvertGetRequests() {
 		Saml2AuthenticationTokenConverter converter = new Saml2AuthenticationTokenConverter(
 				this.relyingPartyRegistrationResolver);
-		converter.setShouldInflateResponse(false);
+		converter.setShouldConvertGetRequests(false);
 		given(this.relyingPartyRegistrationResolver.resolve(any(HttpServletRequest.class), any()))
 			.willReturn(this.relyingPartyRegistration);
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		request.setMethod("GET");
 		request.setParameter(Saml2ParameterNames.SAML_RESPONSE,
 				Saml2Utils.samlEncode("response".getBytes(StandardCharsets.UTF_8)));
 		Saml2AuthenticationToken token = converter.convert(request);
-		assertThat(token.getSaml2Response()).isEqualTo("response");
-		assertThat(token.getRelyingPartyRegistration().getRegistrationId())
-			.isEqualTo(this.relyingPartyRegistration.getRegistrationId());
+		assertThat(token).isNull();
 	}
 
 	private void validateSsoCircleXml(String xml) {