Add query parameter support for authn requests

jzheaux · jzheaux · commit a9f98e814d73 · 2024-07-01T20:33:58.000-06:00
Closes spring-projectsgh-15017
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
@@ -16,9 +16,13 @@
 
 package org.springframework.security.config.annotation.web.configurers.saml2;
 
+import java.util.ArrayList;
 import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
 
+import jakarta.servlet.http.HttpServletRequest;
+
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -50,6 +54,7 @@
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.ParameterRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatchers;
@@ -113,6 +118,8 @@ public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 
 	private String authenticationRequestUri = Saml2AuthenticationRequestResolver.DEFAULT_AUTHENTICATION_REQUEST_URI;
 
+	private String[] authenticationRequestParams = new String[0];
+
 	private Saml2AuthenticationRequestResolver authenticationRequestResolver;
 
 	private RequestMatcher loginProcessingUrl = RequestMatchers.anyOf(
@@ -198,12 +205,36 @@ public Saml2LoginConfigurer<B> authenticationRequestResolver(
 	 * @since 6.0
 	 */
 	public Saml2LoginConfigurer<B> authenticationRequestUri(String authenticationRequestUri) {
-		Assert.state(authenticationRequestUri.contains("{registrationId}"),
-				"authenticationRequestUri must contain {registrationId} path variable");
+		return authenticationRequestUri(authenticationRequestUri, new String[0]);
+	}
+
+	/**
+	 * Customize the URL that the SAML Authentication Request will be sent to.
+	 * @param authenticationRequestUri the URI to use for the SAML 2.0 Authentication
+	 * Request
+	 * @param authenticationRequestParams any parameters to match on, of the form
+	 * {@code name=value}
+	 * @return the {@link Saml2LoginConfigurer} for further configuration
+	 * @since 6.0
+	 */
+	public Saml2LoginConfigurer<B> authenticationRequestUri(String authenticationRequestUri,
+			String... authenticationRequestParams) {
+		Assert.state(authenticationRequestUri.contains("{registrationId}") || anyContains(authenticationRequestParams),
+				"authenticationRequestUri or an authenticationRequestParam must contain {registrationId} path variable");
 		this.authenticationRequestUri = authenticationRequestUri;
+		this.authenticationRequestParams = authenticationRequestParams;
 		return this;
 	}
 
+	private static boolean anyContains(String[] authenticationRequestParams) {
+		for (String param : authenticationRequestParams) {
+			if (param.contains("{registrationId}")) {
+				return true;
+			}
+		}
+		return false;
+	}
+
 	/**
 	 * Specifies the URL to validate the credentials. If specified a custom URL, consider
 	 * specifying a custom {@link AuthenticationConverter} via
@@ -255,7 +286,7 @@ public void init(B http) throws Exception {
 		}
 		else {
 			Map<String, String> providerUrlMap = getIdentityProviderUrlMap(this.authenticationRequestUri,
-					this.relyingPartyRegistrationRepository);
+					this.authenticationRequestParams, this.relyingPartyRegistrationRepository);
 			boolean singleProvider = providerUrlMap.size() == 1;
 			if (singleProvider) {
 				// Setup auto-redirect to provider login page
@@ -336,8 +367,14 @@ private Saml2AuthenticationRequestResolver getAuthenticationRequestResolver(B ht
 		}
 		OpenSaml4AuthenticationRequestResolver openSaml4AuthenticationRequestResolver = new OpenSaml4AuthenticationRequestResolver(
 				relyingPartyRegistrationRepository(http));
-		openSaml4AuthenticationRequestResolver
-			.setRequestMatcher(new AntPathRequestMatcher(this.authenticationRequestUri));
+		if (this.authenticationRequestParams.length > 0) {
+			openSaml4AuthenticationRequestResolver.setRequestMatcher(
+					new AntPathQueryRequestMatcher(this.authenticationRequestUri, this.authenticationRequestParams));
+		}
+		else {
+			openSaml4AuthenticationRequestResolver
+				.setRequestMatcher(new AntPathRequestMatcher(this.authenticationRequestUri));
+		}
 		return openSaml4AuthenticationRequestResolver;
 	}
 
@@ -383,18 +420,24 @@ private void initDefaultLoginFilter(B http) {
 		}
 		loginPageGeneratingFilter.setSaml2LoginEnabled(true);
 		loginPageGeneratingFilter.setSaml2AuthenticationUrlToProviderName(
-				this.getIdentityProviderUrlMap(this.authenticationRequestUri, this.relyingPartyRegistrationRepository));
+				this.getIdentityProviderUrlMap(this.authenticationRequestUri, this.authenticationRequestParams, this.relyingPartyRegistrationRepository));
 		loginPageGeneratingFilter.setLoginPageUrl(this.getLoginPage());
 		loginPageGeneratingFilter.setFailureUrl(this.getFailureUrl());
 	}
 
 	@SuppressWarnings("unchecked")
-	private Map<String, String> getIdentityProviderUrlMap(String authRequestPrefixUrl,
+	private Map<String, String> getIdentityProviderUrlMap(String authRequestPrefixUrl, String[] authRequestQueryParams,
 			RelyingPartyRegistrationRepository idpRepo) {
 		Map<String, String> idps = new LinkedHashMap<>();
 		if (idpRepo instanceof Iterable) {
 			Iterable<RelyingPartyRegistration> repo = (Iterable<RelyingPartyRegistration>) idpRepo;
-			repo.forEach((p) -> idps.put(authRequestPrefixUrl.replace("{registrationId}", p.getRegistrationId()),
+			StringBuilder authRequestQuery = new StringBuilder("?");
+			for (String authRequestQueryParam : authRequestQueryParams) {
+				authRequestQuery.append(authRequestQueryParam + "&");
+			}
+			authRequestQuery.deleteCharAt(authRequestQuery.length() - 1);
+			String authenticationRequestUriQuery = authRequestPrefixUrl + authRequestQuery;
+			repo.forEach((p) -> idps.put(authenticationRequestUriQuery.replace("{registrationId}", p.getRegistrationId()),
 					p.getRegistrationId()));
 		}
 		return idps;
@@ -437,4 +480,35 @@ private <C> void setSharedObject(B http, Class<C> clazz, C object) {
 		}
 	}
 
+	static class AntPathQueryRequestMatcher implements RequestMatcher {
+
+		private final RequestMatcher matcher;
+
+		AntPathQueryRequestMatcher(String path, String... params) {
+			List<RequestMatcher> matchers = new ArrayList<>();
+			matchers.add(new AntPathRequestMatcher(path));
+			for (String param : params) {
+				String[] parts = param.split("=");
+				if (parts.length == 1) {
+					matchers.add(new ParameterRequestMatcher(parts[0]));
+				}
+				else {
+					matchers.add(new ParameterRequestMatcher(parts[0], parts[1]));
+				}
+			}
+			this.matcher = new AndRequestMatcher(matchers);
+		}
+
+		@Override
+		public boolean matches(HttpServletRequest request) {
+			return matcher(request).isMatch();
+		}
+
+		@Override
+		public MatchResult matcher(HttpServletRequest request) {
+			return this.matcher.matcher(request);
+		}
+
+	}
+
 }
diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/Saml2Dsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/Saml2Dsl.kt
@@ -55,6 +55,8 @@ class Saml2Dsl {
     var permitAll: Boolean? = null
     var authenticationManager: AuthenticationManager? = null
 
+    private var authenticationRequestUri: String? = null
+    private var authenticationRequestQuery: Array<out String> = emptyArray()
     private var defaultSuccessUrlOption: Pair<String, Boolean>? = null
 
     /**
@@ -65,6 +67,11 @@ class Saml2Dsl {
         permitAll = true
     }
 
+    fun authenticationRequestUri(uri: String, vararg query: String) {
+        authenticationRequestUri = uri
+        authenticationRequestQuery = query
+    }
+
     /**
      * Specifies where users will be redirected after authenticating successfully if
      * they have not visited a secured page prior to authenticating or [alwaysUse]
@@ -88,6 +95,9 @@ class Saml2Dsl {
             defaultSuccessUrlOption?.also {
                 saml2Login.defaultSuccessUrl(defaultSuccessUrlOption!!.first, defaultSuccessUrlOption!!.second)
             }
+            authenticationRequestUri?.also {
+                saml2Login.authenticationRequestUri(authenticationRequestUri, *authenticationRequestQuery)
+            }
             authenticationSuccessHandler?.also { saml2Login.successHandler(authenticationSuccessHandler) }
             authenticationFailureHandler?.also { saml2Login.failureHandler(authenticationFailureHandler) }
             authenticationManager?.also { saml2Login.authenticationManager(authenticationManager) }
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurerTests.java
@@ -343,6 +343,19 @@ public void authenticationRequestWhenCustomAuthenticationRequestUriRepositoryThe
 				any(HttpServletRequest.class), any(HttpServletResponse.class));
 	}
 
+	@Test
+	public void authenticationRequestWhenCustomAuthenticationRequestPathRepositoryThenUses() throws Exception {
+		this.spring.register(CustomAuthenticationRequestUriQuery.class).autowire();
+		MockHttpServletRequestBuilder request = get("/custom/auth/sso");
+		this.mvc.perform(request)
+			.andExpect(status().isFound())
+			.andExpect(redirectedUrl("http://localhost/custom/auth/sso?entityId=simplesamlphp"));
+		request = request.queryParam("entityId", registration.getRegistrationId());
+		MvcResult result = this.mvc.perform(request).andExpect(status().isFound()).andReturn();
+		String redirectedUrl = result.getResponse().getRedirectedUrl();
+		assertThat(redirectedUrl).startsWith(registration.getAssertingPartyDetails().getSingleSignOnServiceLocation());
+	}
+
 	@Test
 	public void saml2LoginWhenLoginProcessingUrlWithoutRegistrationIdAndDefaultAuthenticationConverterThenAutowires()
 			throws Exception {
@@ -669,6 +682,23 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	@Import(Saml2LoginConfigBeans.class)
+	static class CustomAuthenticationRequestUriQuery {
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.authorizeHttpRequests((authz) -> authz.anyRequest().authenticated())
+					.saml2Login((saml2) -> saml2.authenticationRequestUri("/custom/auth/sso", "entityId={registrationId}"));
+			// @formatter:on
+			return http.build();
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	@Import(Saml2LoginConfigBeans.class)
diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/Saml2DslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/Saml2DslTests.kt
@@ -43,11 +43,13 @@ import org.springframework.security.saml2.provider.service.registration.TestRely
 import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter
 import org.springframework.security.web.SecurityFilterChain
 import org.springframework.test.web.servlet.MockMvc
+import org.springframework.test.web.servlet.MvcResult
 import org.springframework.test.web.servlet.get
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers
 import java.security.cert.Certificate
 import java.security.cert.CertificateFactory
-import java.util.Base64
+import java.util.*
 
 /**
  * Tests for [Saml2Dsl]
@@ -136,6 +138,23 @@ class Saml2DslTests {
         verify(exactly = 1) { Saml2LoginCustomAuthenticationManagerConfig.AUTHENTICATION_MANAGER.authenticate(any()) }
     }
 
+    @Test
+    @Throws(Exception::class)
+    fun authenticationRequestWhenCustomAuthenticationRequestPathRepositoryThenUses() {
+        this.spring.register(CustomAuthenticationRequestUriQuery::class.java).autowire()
+        var registration = TestRelyingPartyRegistrations.relyingPartyRegistration().build();
+        var request = MockMvcRequestBuilders.get("/custom/auth/sso")
+        this.mockMvc.perform(request)
+            .andExpect(MockMvcResultMatchers.status().isFound())
+            .andExpect(MockMvcResultMatchers.redirectedUrl("http://localhost/custom/auth/sso?entityId=simplesamlphp"))
+        request = request.queryParam("entityId", registration.registrationId)
+        val result: MvcResult =
+            this.mockMvc.perform(request).andExpect(MockMvcResultMatchers.status().isFound()).andReturn()
+        val redirectedUrl = result.response.redirectedUrl
+        Assertions.assertThat(redirectedUrl)
+            .startsWith(registration.assertingPartyDetails.singleSignOnServiceLocation)
+    }
+
     @Configuration
     @EnableWebSecurity
     open class Saml2LoginCustomAuthenticationManagerConfig {
@@ -162,4 +181,26 @@ class Saml2DslTests {
             return repository
         }
     }
+
+    @Configuration
+    @EnableWebSecurity
+    open class CustomAuthenticationRequestUriQuery {
+        @Bean
+        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+            http {
+                authorizeHttpRequests {
+                    authorize(anyRequest, authenticated)
+                }
+                saml2Login {
+                    authenticationRequestUri("/custom/auth/sso", "entityId={registrationId}")
+                }
+            }
+            return http.build()
+        }
+
+        @Bean
+        open fun relyingPartyRegistrationRepository(): RelyingPartyRegistrationRepository? {
+            return InMemoryRelyingPartyRegistrationRepository(TestRelyingPartyRegistrations.relyingPartyRegistration().build())
+        }
+    }
 }
diff --git a/docs/modules/ROOT/pages/servlet/saml2/login/authentication-requests.adoc b/docs/modules/ROOT/pages/servlet/saml2/login/authentication-requests.adoc
@@ -12,6 +12,42 @@ For example, if you were deployed to `https://rp.example.com` and you gave your
 
 and the result would be a redirect that included a `SAMLRequest` parameter containing the signed, deflated, and encoded `<saml2:AuthnRequest>`.
 
+== Configuring the `<saml2:AuthnRequest>` Endpoint
+
+To configure the endpoint differently from the `+/saml2/authenticate/{registrationId}+` default, you can set the value in `saml2Login`:
+
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+SecurityFilterChain filterChain(HttpSecurity http) {
+	http
+        .saml2Login((saml2) -> saml2
+            .authenticationRequestUri("/custom/auth/sso", "registrationId={registrationId}")
+        );
+	return new CustomSaml2AuthenticationRequestRepository();
+}
+----
+
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun filterChain(http: HttpSecurity): SecurityFilterChain {
+    http {
+        saml2Login {
+            authenticationRequestUri("/custom/auth/sso", "registrationId={registrationId}")
+        }
+    }
+    return CustomSaml2AuthenticationRequestRepository()
+}
+----
+======
+
 [[servlet-saml2login-store-authn-request]]
 == Changing How the `<saml2:AuthnRequest>` Gets Stored
 
