make SAML authentication request uri configurable

houssemba · jzheaux · commit fc653bb81a16 · 2022-06-06T12:49:29.000-06:00
Closes gh-10840
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java
@@ -61,8 +61,6 @@ class OpenSamlAuthenticationRequestResolver {
 		OpenSamlInitializationService.initialize();
 	}
 
-	private final RequestMatcher requestMatcher = new AntPathRequestMatcher("/saml2/authenticate/{registrationId}");
-
 	private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver;
 
 	private final AuthnRequestBuilder authnRequestBuilder;
@@ -73,6 +71,8 @@ class OpenSamlAuthenticationRequestResolver {
 
 	private final NameIDBuilder nameIdBuilder;
 
+	private RequestMatcher requestMatcher = new AntPathRequestMatcher("/saml2/authenticate/{registrationId}");
+
 	private Converter<HttpServletRequest, String> relayStateResolver = (request) -> UUID.randomUUID().toString();
 
 	/**
@@ -101,6 +101,10 @@ void setRelayStateResolver(Converter<HttpServletRequest, String> relayStateResol
 		this.relayStateResolver = relayStateResolver;
 	}
 
+	void setRequestMatcher(RequestMatcher requestMatcher) {
+		this.requestMatcher = requestMatcher;
+	}
+
 	<T extends AbstractSaml2AuthenticationRequest> T resolve(HttpServletRequest request) {
 		return resolve(request, (registration, logoutRequest) -> {
 		});
diff --git a/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolver.java b/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolver.java
@@ -28,6 +28,7 @@
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
 /**
@@ -70,6 +71,19 @@ public void setAuthnRequestCustomizer(Consumer<AuthnRequestContext> contextConsu
 		this.contextConsumer = contextConsumer;
 	}
 
+	/**
+	 * Set the {@link RequestMatcher} to use for setting the
+	 * {@link OpenSamlAuthenticationRequestResolver#setRequestMatcher(RequestMatcher)}
+	 * (RequestMatcher)}
+	 * @param requestMatcher the {@link RequestMatcher} to identify authentication
+	 * requests.
+	 * @since 5.8
+	 */
+	public void setRequestMatcher(RequestMatcher requestMatcher) {
+		Assert.notNull(requestMatcher, "requestMatcher cannot be null");
+		this.authnRequestResolver.setRequestMatcher(requestMatcher);
+	}
+
 	/**
 	 * Use this {@link Clock} for generating the issued {@link Instant}
 	 * @param clock the {@link Clock} to use
diff --git a/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolverTests.java b/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSaml4AuthenticationRequestResolverTests.java
@@ -29,6 +29,7 @@
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
@@ -44,8 +45,7 @@ public class OpenSaml4AuthenticationRequestResolverTests {
 
 	@BeforeEach
 	void setup() {
-		this.request = new MockHttpServletRequest();
-		this.request.setServletPath("/saml2/authenticate/registration-id");
+		this.request = givenRequest("/saml2/authenticate/registration-id");
 		this.registration = TestRelyingPartyRegistrations.full().build();
 	}
 
@@ -86,4 +86,25 @@ void resolveWhenCustomRelayStateThenUses() {
 		verify(relayState).convert(any());
 	}
 
+	@Test
+	void resolveWhenCustomAuthenticationUrlTHenUses() {
+		RelyingPartyRegistrationResolver relyingParties = mock(RelyingPartyRegistrationResolver.class);
+		given(relyingParties.resolve(any(), any())).willReturn(this.registration);
+		OpenSaml4AuthenticationRequestResolver resolver = new OpenSaml4AuthenticationRequestResolver(relyingParties);
+		resolver.setRequestMatcher(new AntPathRequestMatcher("/custom/authentication/{registrationId}"));
+		Saml2RedirectAuthenticationRequest authnRequest = resolver
+				.resolve(givenRequest("/custom/authentication/registration-id"));
+
+		assertThat(authnRequest.getBinding()).isEqualTo(Saml2MessageBinding.REDIRECT);
+		assertThat(authnRequest.getAuthenticationRequestUri())
+				.isEqualTo(this.registration.getAssertingPartyDetails().getSingleSignOnServiceLocation());
+
+	}
+
+	private MockHttpServletRequest givenRequest(String path) {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setServletPath(path);
+		return request;
+	}
+
 }
