spring-projects#7722: Saml2WebSsoAuthenticationFilter now sets the authentication details with AbstractAuthenticationProcessingFilter 'authenticationDetailsSource'

m.horcicko · m.horcicko · commit a524e40dbdc9 · 2019-12-12T10:16:02.000+01:00
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
@@ -177,10 +177,12 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			Response samlResponse = getSaml2Response(token);
 			Assertion assertion = validateSaml2Response(token, token.getRecipientUri(), samlResponse);
 			String username = getUsername(token, assertion);
-			return new Saml2Authentication(
+			Saml2Authentication saml2Authentication = new Saml2Authentication(
 					() -> username, token.getSaml2Response(),
 					this.authoritiesMapper.mapAuthorities(getAssertionAuthorities(assertion))
 			);
+			saml2Authentication.setDetails(authentication.getDetails());
+			return saml2Authentication;
 		} catch (Saml2AuthenticationException e) {
 			throw e;
 		} catch (Exception e) {
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilter.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilter.java
@@ -86,6 +86,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 				localSpEntityId,
 				rp.getCredentials()
 		);
+		authentication.setDetails(authenticationDetailsSource.buildDetails(request));
 		return getAuthenticationManager().authenticate(authentication);
 	}
 
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java
@@ -41,6 +41,7 @@
 import static org.springframework.security.saml2.provider.service.authentication.Saml2CryptoTestSupport.signXmlObject;
 import static org.springframework.security.saml2.provider.service.authentication.TestSaml2X509Credentials.assertingPartyCredentials;
 import static org.springframework.security.saml2.provider.service.authentication.TestSaml2X509Credentials.relyingPartyCredentials;
+import static org.springframework.test.util.AssertionErrors.assertEquals;
 import static org.springframework.test.util.AssertionErrors.assertTrue;
 import static org.springframework.util.StringUtils.hasText;
 
@@ -171,7 +172,7 @@ public void authenticateWhenOpenSAMLValidationErrorThenThrowAuthenticationExcept
 	}
 
 	@Test
-	public void authenticateWhenMissingSubjectThenThrowAuthenticationException()  {
+	public void authenticateWhenMissingSubjectThenThrowAuthenticationException() {
 		Response response = response(recipientUri, idpEntityId);
 		Assertion assertion = defaultAssertion();
 		assertion.setSubject(null);
@@ -346,6 +347,26 @@ public void authenticateWhenDecryptionKeysAreWrongThenThrowAuthenticationExcepti
 		provider.authenticate(token);
 	}
 
+	@Test
+	public void authenticateAlsoPassAlongTheAuthenticationDetailsFromAuthenticationFilter() {
+		Response response = response(recipientUri, idpEntityId);
+		Assertion assertion = defaultAssertion();
+		signXmlObject(
+				assertion,
+				assertingPartyCredentials(),
+				recipientEntityId
+		);
+		EncryptedAssertion encryptedAssertion = encryptAssertion(assertion, assertingPartyCredentials());
+		response.getEncryptedAssertions().add(encryptedAssertion);
+		token = responseXml(response, idpEntityId);
+		token.setDetails("details");
+		Authentication authentication = provider.authenticate(token);
+		assertEquals(
+				OpenSamlAuthenticationProvider.class + " should pass authentication details along",
+				"details", authentication.getDetails()
+		);
+	}
+
 	private Assertion defaultAssertion() {
 		return assertion(
 				username,
@@ -400,7 +421,7 @@ public boolean matches(Object item) {
 
 			@Override
 			public void describeTo(Description desc) {
-				String excepting = "Saml2AuthenticationException[code="+code+"; description="+description+"]";
+				String excepting = "Saml2AuthenticationException[code=" + code + "; description=" + description + "]";
 				desc.appendText(excepting);
 
 			}
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilterTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilterTests.java
@@ -23,16 +23,24 @@
 import org.junit.rules.ExpectedException;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 
 import javax.servlet.http.HttpServletResponse;
+import java.util.Base64;
 
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.argThat;
+import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
 
 public class Saml2WebSsoAuthenticationFilterTests {
 
 	private Saml2WebSsoAuthenticationFilter filter;
 	private RelyingPartyRegistrationRepository repository = mock(RelyingPartyRegistrationRepository.class);
+	private AuthenticationManager manager = mock(AuthenticationManager.class);
 	private MockHttpServletRequest request = new MockHttpServletRequest();
 	private HttpServletResponse response = new MockHttpServletResponse();
 
@@ -42,8 +50,9 @@ public class Saml2WebSsoAuthenticationFilterTests {
 	@Before
 	public void setup() {
 		filter = new Saml2WebSsoAuthenticationFilter(repository);
+		filter.setAuthenticationManager(manager);
 		request.setPathInfo("/login/saml2/sso/idp-registration-id");
-		request.setParameter("SAMLResponse", "xml-data-goes-here");
+		request.setParameter("SAMLResponse", new String(Base64.getEncoder().encode("xml-data".getBytes())));
 	}
 
 	@Test
@@ -71,5 +80,13 @@ public void requiresAuthenticationWhenCustomProcessingUrlThenReturnsTrue() {
 		Assert.assertTrue(filter.requiresAuthentication(request, response));
 	}
 
+	@Test
+	public void attemptAuthenticationAlsoSetsAuthenticationDetails() {
+		given(repository.findByRegistrationId(any())).willReturn(mock(RelyingPartyRegistration.class));
+		filter.setAuthenticationDetailsSource((request) -> "details");
+		filter.attemptAuthentication(request, response);
+		verify(manager).authenticate(argThat(argument -> argument.getDetails() == "details"));
+	}
+
 
 }

Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ`
`86`	`86`	`localSpEntityId,`
`87`	`87`	`rp.getCredentials()`
`88`	`88`	`);`
	`89`	`+ authentication.setDetails(authenticationDetailsSource.buildDetails(request));`
`89`	`90`	`return getAuthenticationManager().authenticate(authentication);`
`90`	`91`	`}`
`91`	`92`