Make class SimpleSaml2AuthenticatedPrincipal public #8852


Closed
JoakimLofgren opened this issue Jul 20, 2020 · 2 comments · Fixed by #8861
Labels: in: saml2 (An issue in SAML2 modules); type: enhancement (A general enhancement)

Comments

@JoakimLofgren (Contributor)

Expected Behavior

We are able to serialize/deserialize the classes Saml2Authentication and SimpleSaml2AuthenticatedPrincipal using an object mapper.

Current Behavior

We cannot whitelist SimpleSaml2AuthenticatedPrincipal as it is package private and the deserialization crashes.

Context

We are using spring-session-data-mongo to store the HttpSession in a mongo collection.
This approach uses an object mapper to convert it to JSON/BSON.

We can whitelist and fix the Saml2Authentication storage with the following Kotlin snippets:

objectMapper.addMixIn(Saml2Authentication::class.java, Saml2AuthenticationMixin::class.java)

...

import com.fasterxml.jackson.annotation.JsonCreator
import com.fasterxml.jackson.annotation.JsonProperty
import org.springframework.security.core.AuthenticatedPrincipal
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication

/**
 * Used to whitelist [Saml2Authentication] for [SecurityJackson2Modules].
 * The constructor parameters mirror the target class so Jackson can pair them.
 */
class Saml2AuthenticationMixin @JsonCreator constructor(
    @JsonProperty("principal") principal: AuthenticatedPrincipal,
    @JsonProperty("saml2Response") saml2Response: String,
    @JsonProperty("authorities") authorities: Collection<GrantedAuthority>
) : Saml2Authentication(principal, saml2Response, authorities) // Nothing special

But I cannot add the following mixin as the class is package private:

/**
 * Used to whitelist [SimpleSaml2AuthenticatedPrincipal] for [SecurityJackson2Modules].
 */
class SimpleSaml2AuthenticatedPrincipalMixin // Nothing special

This is the exception we get without being able to whitelist the class:

com.fasterxml.jackson.databind.JsonMappingException: The class with
org.springframework.security.saml2.provider.service.authentication.SimpleSaml2AuthenticatedPrincipal and name of
org.springframework.security.saml2.provider.service.authentication.SimpleSaml2AuthenticatedPrincipal is not whitelisted.
If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin.
If the serialization is only done by a trusted source, you can also enable default typing.
See https://github.com/spring-projects/spring-security/issues/4370 for details (through reference chain:
org.springframework.session.data.mongo.MongoSession["attrs"]->
java.util.HashMap["SPRING_SECURITY_CONTEXT"]->
org.springframework.security.core.context.SecurityContextImpl["authentication"]->
org.springframework.security.saml2.provider.service.authentication.Saml2Authentication["principal"])

We have a workaround using plain Java serialization via the Serializable interface and the Spring Boot utils SerializationUtils.serialize() and SerializationUtils.deserialize().

E.g.:

import com.fasterxml.jackson.databind.annotation.JsonDeserialize
import com.fasterxml.jackson.databind.annotation.JsonSerialize

/**
 * Used to whitelist [Saml2Authentication] for [SecurityJackson2Modules].
 * SAMLAuthDeserializer/SAMLAuthSerializer wrap Java serialization (not shown here).
 */
@JsonDeserialize(using = SAMLAuthDeserializer::class)
@JsonSerialize(using = SAMLAuthSerializer::class)
class Saml2AuthenticationMixin

This approach works but is not ideal.

@JoakimLofgren JoakimLofgren added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jul 20, 2020
@jzheaux (Contributor) commented Jul 20, 2020

@JoakimLofgren I think it was package-private while the name was under consideration.

Would you be able to submit a PR to change the class to be named DefaultSaml2AuthenticatedPrincipal (to match DefaultOAuth2AuthenticatedPrincipal) and make the class public?

@jzheaux jzheaux added in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 20, 2020
@jzheaux jzheaux added this to the 5.4.0-RC1 milestone Jul 20, 2020
@JoakimLofgren (Contributor, Author)

Sure, I'll do it tomorrow.

JoakimLofgren added a commit to JoakimLofgren/spring-security that referenced this issue Jul 23, 2020
Rename it to DefaultSaml2AuthenticatedPrincipal to be more in line with
the respective class in the OAuth2 module.

Also make the class public to be able to whitelist the SAML2 auth classes
in Jackson object mappers for deserialization in e.g. Spring Session MongoDB.

Closes spring-projectsgh-8852
jzheaux pushed a commit that referenced this issue Jul 23, 2020
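The following is an added example of the allow-listing setup the thread arrives at once the principal class is public and renamed DefaultSaml2AuthenticatedPrincipal; it is not code from the issue author or from the Spring Security project. It assumes the 5.4-era constructors Saml2Authentication(principal, saml2Response, authorities) and DefaultSaml2AuthenticatedPrincipal(name, attributes), and the mixin annotations mirror the pattern Spring Security uses for its own authentication-token mixins (class-id type info, field visibility, unknown properties ignored), which is an assumption about what Jackson needs here. The SAML response string, attributes and authority are constructed sample values.

```kotlin
import com.fasterxml.jackson.annotation.JsonAutoDetect
import com.fasterxml.jackson.annotation.JsonCreator
import com.fasterxml.jackson.annotation.JsonIgnoreProperties
import com.fasterxml.jackson.annotation.JsonProperty
import com.fasterxml.jackson.annotation.JsonTypeInfo
import com.fasterxml.jackson.databind.ObjectMapper
import org.springframework.security.core.AuthenticatedPrincipal
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.context.SecurityContextImpl
import org.springframework.security.jackson2.SecurityJackson2Modules
import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication

/** Allow-lists Saml2Authentication; annotations assumed to match Spring Security's own token mixins. */
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(
    fieldVisibility = JsonAutoDetect.Visibility.ANY,
    getterVisibility = JsonAutoDetect.Visibility.NONE,
    isGetterVisibility = JsonAutoDetect.Visibility.NONE
)
@JsonIgnoreProperties(ignoreUnknown = true)
abstract class Saml2AuthenticationMixin @JsonCreator constructor(
    @JsonProperty("principal") principal: AuthenticatedPrincipal,
    @JsonProperty("saml2Response") saml2Response: String,
    @JsonProperty("authorities") authorities: Collection<GrantedAuthority>
)

/** Allow-lists the now-public principal; constructor shape (name, attributes) assumed per the 5.4 release. */
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(
    fieldVisibility = JsonAutoDetect.Visibility.ANY,
    getterVisibility = JsonAutoDetect.Visibility.NONE,
    isGetterVisibility = JsonAutoDetect.Visibility.NONE
)
@JsonIgnoreProperties(ignoreUnknown = true)
abstract class DefaultSaml2AuthenticatedPrincipalMixin @JsonCreator constructor(
    @JsonProperty("name") name: String,
    @JsonProperty("attributes") attributes: Map<String, List<Any>>
)

/** Builds a mapper that keeps Spring Security's allow-list and adds only the two SAML2 classes to it. */
fun saml2ObjectMapper(): ObjectMapper {
    val mapper = ObjectMapper()
    // Registers the allow-list based default typing plus the built-in mixins (SecurityContextImpl, authorities, ...)
    mapper.registerModules(SecurityJackson2Modules.getModules(Thread.currentThread().contextClassLoader))
    mapper.addMixIn(Saml2Authentication::class.java, Saml2AuthenticationMixin::class.java)
    mapper.addMixIn(DefaultSaml2AuthenticatedPrincipal::class.java, DefaultSaml2AuthenticatedPrincipalMixin::class.java)
    return mapper
}

/** Serializes a SAML2 security context and reads it back, as a session store would on each request. */
fun roundTrip(): Saml2Authentication {
    val mapper = saml2ObjectMapper()
    // Constructed sample values; not a real assertion or response
    val principal = DefaultSaml2AuthenticatedPrincipal("alice", mapOf("email" to listOf<Any>("alice@example.com")))
    val authentication = Saml2Authentication(principal, "<saml2:Response/>", listOf(SimpleGrantedAuthority("ROLE_USER")))
    val json = mapper.writeValueAsString(SecurityContextImpl(authentication))
    val restored = mapper.readValue(json, SecurityContextImpl::class.java)
    return restored.authentication as Saml2Authentication
}

fun main() {
    val restored = roundTrip()
    check(restored.principal is DefaultSaml2AuthenticatedPrincipal)
    check((restored.principal as DefaultSaml2AuthenticatedPrincipal).name == "alice")
    check(restored.authorities.any { it.authority == "ROLE_USER" })
}
```

The point of adding mixins per class, rather than taking the error message's other option of enabling default typing, is that Spring Security's allow-list only instantiates classes an operator has explicitly vouched for; global default typing would let any class name found in stored session data be instantiated on read, which is exactly what the check referenced in issue #4370 exists to prevent. Register this mapper wherever the session store's object mapper is configured.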