
Commit c97b2aa

committed
Merge branch '6.1.x' into 6.2.x
Closes gh-14958
2 parents 664dfd9 + d88f2e5 commit c97b2aa


2 files changed

+17
-0
lines changed

2 files changed

+17
-0
lines changed

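--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
@@ -57,6 +57,7 @@
 import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
 import org.opensaml.saml.saml2.assertion.impl.BearerSubjectConfirmationValidator;
 import org.opensaml.saml.saml2.assertion.impl.DelegationRestrictionConditionValidator;
+import org.opensaml.saml.saml2.assertion.impl.ProxyRestrictionConditionValidator;
 import org.opensaml.saml.saml2.core.Assertion;
 import org.opensaml.saml.saml2.core.Attribute;
 import org.opensaml.saml.saml2.core.AttributeStatement;
@@ -834,6 +835,7 @@ public ValidationResult validate(Condition condition, Assertion assertion, Valid
 return ValidationResult.VALID;
 }
 });
+conditions.add(new ProxyRestrictionConditionValidator());
 subjects.add(new BearerSubjectConfirmationValidator() {
 @Override
 protected ValidationResult validateAddress(SubjectConfirmation confirmation, Assertion assertion,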
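Review bot: The added `conditions.add(new ProxyRestrictionConditionValidator());` registers a validator for a condition type the provider previously did not list, but carries no comment saying why a ProxyRestriction on an inbound assertion is acceptable to a service provider, so the next person auditing this list of accepted conditions has to go to the issue to find out. The test name in the companion change suggests that assertions carrying a ProxyRestriction presumably failed validation before this commit; a one-line note would preserve that context, e.g. `// gh-14931: accept ProxyRestriction conditions instead of rejecting the assertion; the OpenSAML validator decides how the restriction applies`. The method that builds `conditions` and `subjects` starts and ends outside this hunk, so whether any other condition type remains unregistered cannot be checked from here.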

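--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
@@ -54,6 +54,7 @@
 import org.opensaml.saml.saml2.core.Issuer;
 import org.opensaml.saml.saml2.core.NameID;
 import org.opensaml.saml.saml2.core.OneTimeUse;
+import org.opensaml.saml.saml2.core.ProxyRestriction;
 import org.opensaml.saml.saml2.core.Response;
 import org.opensaml.saml.saml2.core.Status;
 import org.opensaml.saml.saml2.core.StatusCode;
@@ -63,6 +64,7 @@
 import org.opensaml.saml.saml2.core.impl.EncryptedAssertionBuilder;
 import org.opensaml.saml.saml2.core.impl.EncryptedIDBuilder;
 import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
+import org.opensaml.saml.saml2.core.impl.ProxyRestrictionBuilder;
 import org.opensaml.saml.saml2.core.impl.StatusBuilder;
 import org.opensaml.saml.saml2.core.impl.StatusCodeBuilder;
 import org.opensaml.xmlsec.encryption.impl.EncryptedDataBuilder;
@@ -832,6 +834,19 @@ public void authenticateWhenAssertionIssuerNotValidThenFailsWithInvalidIssuer()
 .withMessageContaining("did not match any valid issuers");
 }
 
+// gh-14931
+@Test
+public void authenticateWhenAssertionHasProxyRestrictionThenParses() {
+OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
+Response response = response();
+Assertion assertion = assertion();
+ProxyRestriction condition = new ProxyRestrictionBuilder().buildObject();
+assertion.getConditions().getConditions().add(condition);
+response.getAssertions().add(assertion);
+Saml2AuthenticationToken token = token(signed(response), verifying(registration()));
+provider.authenticate(token);
+}
+
 private <T extends XMLObject> T build(QName qName) {
 return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName);
 }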
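Review bot: `authenticateWhenAssertionHasProxyRestrictionThenParses` discards the result of `provider.authenticate(token)`, so it only proves the call does not throw; it would be stronger to keep the return value and assert on it, e.g. `Authentication authentication = provider.authenticate(token);` followed by `assertThat(authentication).isNotNull();`, so a future change that silently returns nothing for such assertions is caught. The `ProxyRestriction` is built with no attributes set, so the test covers only the bare condition; if the validator's behaviour depends on the restriction's count or audiences (I cannot tell from this page), a second case with those populated would pin the intended outcome. The `// gh-14931` marker above the test is the only explanation of the scenario; a short sentence on what the assertion's ProxyRestriction used to cause would help readers who do not have the issue at hand.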
