Add SAML 2.0 Login and Logout XML Support

config/src/main/java/org/springframework/security/config/Elements.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -138,4 +138,10 @@ public abstract class Elements {
 
 	public static final String PASSWORD_MANAGEMENT = "password-management";
 
+	public static final String RELYING_PARTY_REGISTRATIONS = "relying-party-registrations";
+
+	public static final String SAML2_LOGIN = "saml2-login";
+
+	public static final String SAML2_LOGOUT = "saml2-logout";
+
 }

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2009-2020 the original author or authors.
+ * Copyright 2009-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,6 +47,7 @@
 import org.springframework.security.config.method.MethodSecurityBeanDefinitionParser;
 import org.springframework.security.config.method.MethodSecurityMetadataSourceBeanDefinitionParser;
 import org.springframework.security.config.oauth2.client.ClientRegistrationsBeanDefinitionParser;
+import org.springframework.security.config.saml2.RelyingPartyRegistrationsBeanDefinitionParser;
 import org.springframework.security.config.websocket.WebSocketMessageBrokerSecurityBeanDefinitionParser;
 import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.ClassUtils;
@@ -190,6 +191,7 @@ private void loadWebParsers() {
 		this.parsers.put(Elements.FILTER_CHAIN, new FilterChainBeanDefinitionParser());
 		this.filterChainMapBDD = new FilterChainMapBeanDefinitionDecorator();
 		this.parsers.put(Elements.CLIENT_REGISTRATIONS, new ClientRegistrationsBeanDefinitionParser());
+		this.parsers.put(Elements.RELYING_PARTY_REGISTRATIONS, new RelyingPartyRegistrationsBeanDefinitionParser());
 	}
 
 	private void loadWebSocketParsers() {

config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -164,6 +164,8 @@ final class AuthenticationConfigBuilder {
 	@SuppressWarnings("rawtypes")
 	private ManagedList logoutHandlers;
 
+	private BeanMetadataElement logoutSuccessHandler;
+
 	private BeanDefinition loginPageGenerationFilter;
 
 	private BeanDefinition logoutPageGenerationFilter;
@@ -202,6 +204,20 @@ final class AuthenticationConfigBuilder {
 
 	private BeanDefinition oauth2LoginLinks;
 
+	private BeanDefinition saml2AuthenticationUrlToProviderName;
+
+	private BeanDefinition saml2AuthorizationRequestFilter;
+
+	private String saml2AuthenticationFilterId;
+
+	private String saml2AuthenticationRequestFilterId;
+
+	private String saml2LogoutFilterId;
+
+	private String saml2LogoutRequestFilterId;
+
+	private String saml2LogoutResponseFilterId;
+
 	private boolean oauth2ClientEnabled;
 
 	private BeanDefinition authorizationRequestRedirectFilter;
@@ -238,9 +254,11 @@ final class AuthenticationConfigBuilder {
 		createFormLoginFilter(sessionStrategy, authenticationManager);
 		createOAuth2ClientFilters(sessionStrategy, requestCache, authenticationManager);
 		createOpenIDLoginFilter(sessionStrategy, authenticationManager);
+		createSaml2LoginFilter(authenticationManager);
 		createX509Filter(authenticationManager);
 		createJeeFilter(authenticationManager);
 		createLogoutFilter();
+		createSaml2LogoutFilter();
 		createLoginPageFilterIfNeeded();
 		createUserDetailsServiceFactory();
 		createExceptionTranslationFilter();
@@ -412,6 +430,29 @@ void createOpenIDLoginFilter(BeanReference sessionStrategy, BeanReference authMa
 		}
 	}
 
+	private void createSaml2LoginFilter(BeanReference authenticationManager) {
+		Element saml2LoginElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.SAML2_LOGIN);
+		if (saml2LoginElt == null) {
+			return;
+		}
+		Saml2LoginBeanDefinitionParser parser = new Saml2LoginBeanDefinitionParser(this.csrfIgnoreRequestMatchers,
+				this.portMapper, this.portResolver, this.requestCache, this.allowSessionCreation, authenticationManager,
+				this.authenticationProviders, this.defaultEntryPointMappings);
+		BeanDefinition saml2WebSsoAuthenticationFilter = parser.parse(saml2LoginElt, this.pc);
+		this.saml2AuthorizationRequestFilter = parser.getSaml2WebSsoAuthenticationRequestFilter();
+
+		this.saml2AuthenticationFilterId = this.pc.getReaderContext().generateBeanName(saml2WebSsoAuthenticationFilter);
+		this.saml2AuthenticationRequestFilterId = this.pc.getReaderContext()
+				.generateBeanName(this.saml2AuthorizationRequestFilter);
+		this.saml2AuthenticationUrlToProviderName = parser.getSaml2AuthenticationUrlToProviderName();
+
+		// register the component
+		this.pc.registerBeanComponent(
+				new BeanComponentDefinition(saml2WebSsoAuthenticationFilter, this.saml2AuthenticationFilterId));
+		this.pc.registerBeanComponent(new BeanComponentDefinition(this.saml2AuthorizationRequestFilter,
+				this.saml2AuthenticationRequestFilterId));
+	}
+
 	/**
 	 * Parses OpenID 1.0 and 2.0 - related parts of configuration xmls
 	 * @param sessionStrategy sessionStrategy
@@ -666,6 +707,12 @@ void createLoginPageFilterIfNeeded() {
 				loginPageFilter.addPropertyValue("Oauth2LoginEnabled", true);
 				loginPageFilter.addPropertyValue("Oauth2AuthenticationUrlToClientName", this.oauth2LoginLinks);
 			}
+			if (this.saml2AuthenticationFilterId != null) {
+				loginPageFilter.addConstructorArgReference(this.saml2AuthenticationFilterId);
+				loginPageFilter.addPropertyValue("saml2LoginEnabled", true);
+				loginPageFilter.addPropertyValue("saml2AuthenticationUrlToProviderName",
+						this.saml2AuthenticationUrlToProviderName);
+			}
 			this.loginPageGenerationFilter = loginPageFilter.getBeanDefinition();
 			this.logoutPageGenerationFilter = logoutPageFilter.getBeanDefinition();
 		}
@@ -682,9 +729,33 @@ void createLogoutFilter() {
 					this.rememberMeServicesId, this.csrfLogoutHandler);
 			this.logoutFilter = logoutParser.parse(logoutElt, this.pc);
 			this.logoutHandlers = logoutParser.getLogoutHandlers();
+			this.logoutSuccessHandler = logoutParser.getLogoutSuccessHandler();
 		}
 	}
 
+	private void createSaml2LogoutFilter() {
+		Element saml2LogoutElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.SAML2_LOGOUT);
+		if (saml2LogoutElt == null) {
+			return;
+		}
+		Saml2LogoutBeanDefinitionParser parser = new Saml2LogoutBeanDefinitionParser(this.logoutHandlers,
+				this.logoutSuccessHandler);
+		parser.parse(saml2LogoutElt, this.pc);
+		BeanDefinition saml2LogoutFilter = parser.getLogoutFilter();
+		BeanDefinition saml2LogoutRequestFilter = parser.getLogoutRequestFilter();
+		BeanDefinition saml2LogoutResponseFilter = parser.getLogoutResponseFilter();
+		this.saml2LogoutFilterId = this.pc.getReaderContext().generateBeanName(saml2LogoutFilter);
+		this.saml2LogoutRequestFilterId = this.pc.getReaderContext().generateBeanName(saml2LogoutRequestFilter);
+		this.saml2LogoutResponseFilterId = this.pc.getReaderContext().generateBeanName(saml2LogoutResponseFilter);
+
+		// register the component
+		this.pc.registerBeanComponent(new BeanComponentDefinition(saml2LogoutFilter, this.saml2LogoutFilterId));
+		this.pc.registerBeanComponent(
+				new BeanComponentDefinition(saml2LogoutRequestFilter, this.saml2LogoutRequestFilterId));
+		this.pc.registerBeanComponent(
+				new BeanComponentDefinition(saml2LogoutResponseFilter, this.saml2LogoutResponseFilterId));
+	}
+
 	@SuppressWarnings({ "rawtypes", "unchecked" })
 	ManagedList getLogoutHandlers() {
 		if (this.logoutHandlers == null && this.rememberMeProviderRef != null) {
@@ -840,7 +911,8 @@ private BeanMetadataElement selectEntryPoint() {
 			if (formLoginElt != null && this.oauth2LoginEntryPoint != null) {
 				return this.formEntryPoint;
 			}
-			// If form login was enabled through auto-config, and Oauth2 login was not
+			// If form login was enabled through auto-config, and Oauth2 login & Saml2
+			// login was not
 			// enabled then use form login
 			if (this.oauth2LoginEntryPoint == null) {
 				return this.formEntryPoint;
@@ -923,6 +995,20 @@ List<OrderDecorator> getFilters() {
 			filters.add(new OrderDecorator(this.authorizationCodeGrantFilter,
 					SecurityFilters.OAUTH2_AUTHORIZATION_CODE_GRANT_FILTER));
 		}
+		if (this.saml2AuthenticationFilterId != null) {
+			filters.add(new OrderDecorator(new RuntimeBeanReference(this.saml2AuthenticationFilterId),
+					SecurityFilters.SAML2_AUTHENTICATION_FILTER));
+			filters.add(new OrderDecorator(new RuntimeBeanReference(this.saml2AuthenticationRequestFilterId),
+					SecurityFilters.SAML2_AUTHENTICATION_REQUEST_FILTER));
+		}
+		if (this.saml2LogoutFilterId != null) {
+			filters.add(new OrderDecorator(new RuntimeBeanReference(this.saml2LogoutFilterId),
+					SecurityFilters.SAML2_LOGOUT_FILTER));
+			filters.add(new OrderDecorator(new RuntimeBeanReference(this.saml2LogoutRequestFilterId),
+					SecurityFilters.SAML2_LOGOUT_REQUEST_FILTER));
+			filters.add(new OrderDecorator(new RuntimeBeanReference(this.saml2LogoutResponseFilterId),
+					SecurityFilters.SAML2_LOGOUT_RESPONSE_FILTER));
+		}
 		filters.add(new OrderDecorator(this.etf, SecurityFilters.EXCEPTION_TRANSLATION_FILTER));
 		return filters;
 	}

config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java

@@ -59,6 +59,8 @@ class LogoutBeanDefinitionParser implements BeanDefinitionParser {
 
 	private boolean csrfEnabled;
 
+	private BeanMetadataElement logoutSuccessHandler;
+
 	LogoutBeanDefinitionParser(String loginPageUrl, String rememberMeServices, BeanMetadataElement csrfLogoutHandler) {
 		this.defaultLogoutUrl = loginPageUrl + "?logout";
 		this.rememberMeServices = rememberMeServices;
@@ -98,6 +100,7 @@ public BeanDefinition parse(Element element, ParserContext pc) {
 						pc.extractSource(element));
 			}
 			builder.addConstructorArgReference(successHandlerRef);
+			this.logoutSuccessHandler = new RuntimeBeanReference(successHandlerRef);
 		}
 		else {
 			// Use the logout URL if no handler set
@@ -137,4 +140,8 @@ ManagedList<BeanMetadataElement> getLogoutHandlers() {
 		return this.logoutHandlers;
 	}
 
+	BeanMetadataElement getLogoutSuccessHandler() {
+		return this.logoutSuccessHandler;
+	}
+
 }