spring-projects · mhalbritter · Apr 14, 2022
diff --git a/...t/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java b/...t/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java
@@ -136,8 +136,21 @@ void backOffIfOAuth2ResourceServerAutoConfigurationPresent() {
 	void backOffIfSaml2RelyingPartyAutoConfigurationPresent() {
 		this.contextRunner.withConfiguration(AutoConfigurations.of(Saml2RelyingPartyAutoConfiguration.class))
 				.withPropertyValues(
-						"spring.security.saml2.relyingparty.registration.simplesamlphp.identity-provider.single-sign-on.url=https://simplesaml-for-spring-saml/SSOService.php",
-						"spring.security.saml2.relyingparty.registration.simplesamlphp.identity-provider.single-sign-on.sign-request=false",
+						"spring.security.saml2.relyingparty.registration.simplesamlphp.asserting-party.single-sign-on.url=https://simplesaml-for-spring-saml/SSOService.php",
+						"spring.security.saml2.relyingparty.registration.simplesamlphp.asserting-party.single-sign-on.sign-request=false",
+						"spring.security.saml2.relyingparty.registration.simplesamlphp.asserting-party.entity-id=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php",
+						"spring.security.saml2.relyingparty.registration.simplesamlphp.asserting-party.verification.credentials[0].certificate-location=classpath:saml/certificate-location")
+				.run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class)
+						.doesNotHaveBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN));
+	}
+
+	@Test
+	@Deprecated
+	void backOffIfSaml2RelyingPartyAutoConfigurationPresentDeprecated() {
+		this.contextRunner.withConfiguration(AutoConfigurations.of(Saml2RelyingPartyAutoConfiguration.class))
+				.withPropertyValues(
+						"spring.security.saml2.relyingparty.registration.simplesamlphp.identityprovider.single-sign-on.url=https://simplesaml-for-spring-saml/SSOService.php",
+						"spring.security.saml2.relyingparty.registration.simplesamlphp.identityprovider.single-sign-on.sign-request=false",
 						"spring.security.saml2.relyingparty.registration.simplesamlphp.identityprovider.entity-id=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php",
 						"spring.security.saml2.relyingparty.registration.simplesamlphp.identityprovider.verification.credentials[0].certificate-location=classpath:saml/certificate-location")
 				.run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class)

diff --git a/...va/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java b/...va/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -67,7 +67,14 @@ public static class Registration {
 		/**
 		 * Remote SAML Identity Provider.
 		 */
-		private final Identityprovider identityprovider = new Identityprovider();
+		private final AssertingParty assertingParty = new AssertingParty();
+
+		/**
+		 * Remote SAML Identity Provider.
+		 * @deprecated use {@link #assertingParty}
+		 */
+		@Deprecated
+		private final AssertingParty identityprovider = new AssertingParty();
 
 		public String getEntityId() {
 			return this.entityId;
@@ -89,7 +96,17 @@ public Decryption getDecryption() {
 			return this.decryption;
 		}
 
-		public Identityprovider getIdentityprovider() {
+		public AssertingParty getAssertingParty() {
+			return this.assertingParty;
+		}
+
+		/**
+		 * Remote SAML Identity Provider.
+		 * @return remote SAML Identity Provider
+		 * @deprecated use {@link #getAssertingParty()}
+		 */
+		@Deprecated
+		public AssertingParty getIdentityprovider() {
 			return this.identityprovider;
 		}
 
@@ -224,7 +241,7 @@ public void setCertificateLocation(Resource certificate) {
 	/**
 	 * Represents a remote Identity Provider.
 	 */
-	public static class Identityprovider {
+	public static class AssertingParty {
 
 		/**
 		 * Unique identifier for the identity provider.
@@ -282,7 +299,7 @@ public static class Singlesignon {
 			/**
 			 * Whether to sign authentication requests.
 			 */
-			private boolean signRequest = true;
+			private Boolean signRequest;
 
 			public String getUrl() {
 				return this.url;
@@ -304,7 +321,11 @@ public boolean isSignRequest() {
 				return this.signRequest;
 			}
 
-			public void setSignRequest(boolean signRequest) {
+			public Boolean getSignRequest() {
+				return this.signRequest;
+			}
+
+			public void setSignRequest(Boolean signRequest) {
 				this.signRequest = signRequest;
 			}
 

diff --git a/...amework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java b/...amework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,11 +23,16 @@
 import java.util.List;
 import java.util.Map;
 import java.util.function.Consumer;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.AssertingParty;
+import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.AssertingParty.Verification;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Decryption;
-import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Identityprovider.Verification;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Registration;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyProperties.Registration.Signing;
 import org.springframework.boot.context.properties.PropertyMapper;
@@ -59,6 +64,8 @@
 @ConditionalOnMissingBean(RelyingPartyRegistrationRepository.class)
 class Saml2RelyingPartyRegistrationConfiguration {
 
+	private static final Log logger = LogFactory.getLog(Saml2RelyingPartyRegistrationConfiguration.class);
+
 	@Bean
 	RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(Saml2RelyingPartyProperties properties) {
 		List<RelyingPartyRegistration> registrations = properties.getRegistration().entrySet().stream()
@@ -71,19 +78,21 @@ private RelyingPartyRegistration asRegistration(Map.Entry<String, Registration>
 	}
 
 	private RelyingPartyRegistration asRegistration(String id, Registration properties) {
-		boolean usingMetadata = StringUtils.hasText(properties.getIdentityprovider().getMetadataUri());
+		boolean usingMetadata = StringUtils
+				.hasText(getFromAssertingParty(properties, id, "metadata-uri", AssertingParty::getMetadataUri));
 		Builder builder = (usingMetadata) ? RelyingPartyRegistrations
-				.fromMetadataLocation(properties.getIdentityprovider().getMetadataUri()).registrationId(id)
-				: RelyingPartyRegistration.withRegistrationId(id);
+				.fromMetadataLocation(
+						getFromAssertingParty(properties, id, "metadata-uri", AssertingParty::getMetadataUri))
+				.registrationId(id) : RelyingPartyRegistration.withRegistrationId(id);
 		builder.assertionConsumerServiceLocation(properties.getAcs().getLocation());
 		builder.assertionConsumerServiceBinding(properties.getAcs().getBinding());
-		builder.assertingPartyDetails(mapIdentityProvider(properties, usingMetadata));
+		builder.assertingPartyDetails(mapAssertingParty(properties, id, usingMetadata));
 		builder.signingX509Credentials((credentials) -> properties.getSigning().getCredentials().stream()
 				.map(this::asSigningCredential).forEach(credentials::add));
 		builder.decryptionX509Credentials((credentials) -> properties.getDecryption().getCredentials().stream()
 				.map(this::asDecryptionCredential).forEach(credentials::add));
-		builder.assertingPartyDetails((details) -> details
-				.verificationX509Credentials((credentials) -> properties.getIdentityprovider().getVerification()
+		builder.assertingPartyDetails((details) -> details.verificationX509Credentials(
+				(credentials) -> getFromAssertingParty(properties, id, "verification", AssertingParty::getVerification)
 						.getCredentials().stream().map(this::asVerificationCredential).forEach(credentials::add)));
 		builder.entityId(properties.getEntityId());
 		RelyingPartyRegistration registration = builder.build();
@@ -92,16 +101,35 @@ private RelyingPartyRegistration asRegistration(String id, Registration properti
 		return registration;
 	}
 
-	private Consumer<AssertingPartyDetails.Builder> mapIdentityProvider(Registration properties,
+	@SuppressWarnings("deprecation")
+	private <T> T getFromAssertingParty(Registration registration, String id, String name,
+			Function<AssertingParty, T> getter) {
+		T newValue = getter.apply(registration.getAssertingParty());
+		if (newValue != null) {
+			return newValue;
+		}
+		T deprecatedValue = getter.apply(registration.getIdentityprovider());
+		if (deprecatedValue != null) {
+			logger.warn(String.format(
+					"Property 'spring.security.saml2.relyingparty.registration.identityprovider.%1$s.%2$s' is deprecated, please use 'spring.security.saml2.relyingparty.registration.asserting-party.%1$s.%2$s' instead",
+					id, name));
+			return deprecatedValue;
+		}
+		return newValue;
+	}
+
+	private Consumer<AssertingPartyDetails.Builder> mapAssertingParty(Registration registration, String id,
 			boolean usingMetadata) {
 		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
-		Saml2RelyingPartyProperties.Identityprovider identityprovider = properties.getIdentityprovider();
 		return (details) -> {
-			map.from(identityprovider::getEntityId).to(details::entityId);
-			map.from(identityprovider.getSinglesignon()::getBinding).whenNonNull()
-					.to(details::singleSignOnServiceBinding);
-			map.from(identityprovider.getSinglesignon()::getUrl).to(details::singleSignOnServiceLocation);
-			map.from(identityprovider.getSinglesignon()::isSignRequest).when((signRequest) -> !usingMetadata)
+			map.from(() -> getFromAssertingParty(registration, id, "entity-id", AssertingParty::getEntityId))
+					.to(details::entityId);
+			map.from(() -> getFromAssertingParty(registration, id, "singlesignon.binding",
+					(property) -> property.getSinglesignon().getBinding())).to(details::singleSignOnServiceBinding);
+			map.from(() -> getFromAssertingParty(registration, id, "singlesignon.url",
+					(property) -> property.getSinglesignon().getUrl())).to(details::singleSignOnServiceLocation);
+			map.from(() -> getFromAssertingParty(registration, id, "singlesignon.sign-request",
+					(property) -> property.getSinglesignon().getSignRequest())).when((ignored) -> !usingMetadata)
 					.to(details::wantAuthnRequestsSigned);
 		};
 	}