Summary

Hello Filip Hanik, hello Spring Security Team,

The current utility class:

import java.util.Base64;

final class Saml2Utils {

    private static final char PATH_DELIMITER = '/';
    private static Base64.Encoder ENCODER = Base64.getEncoder();
    // Basic decoder: rejects any character outside the Base64 alphabet, including CR/LF
    private static Base64.Decoder DECODER = Base64.getDecoder();

    // ... rest of the class omitted
}

uses .getDecoder(). The decoder should be able to use Base64.getMimeDecoder() as well, or it can result in an error.

For instance, once the SAML identity provider responds with the b64 format of an XML, the current DECODER will result in

java.lang.IllegalArgumentException: Illegal base64 character d
    at java.base/java.util.Base64$Decoder.decode0(Base64.java:743)
    at java.base/java.util.Base64$Decoder.decode(Base64.java:535)
    at java.base/java.util.Base64$Decoder.decode(Base64.java:558)
    at org.springframework.security.saml2.provider.service.servlet.filter.Saml2Utils.decode(Saml2Utils.java:55)
    at 

whereas the same b64 with the MIME decoder decodes successfully.

I even wrote an example on my local machine where I take the payload received from the wire and just decode it with the current Util class. The error is reproducible.

A local version of the utility class with the MIME decoder, on the other hand, succeeds in producing the correct payload; I even compared the decoded payload with the payload the IdP generates, even before doing the decode.

I have the small test locally, but I cannot share it here as the IdP XML contains sensitive data.

Can you please kindly consider having a look at this utility class?

Thank you @fhanik (Also, your SAML talks on YouTube are awesome, I learned a lot from them, cheers)
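
The failure described above, reproduced offline as an added example (this is not Spring Security code and not the reporter's test): a constructed stand-in for the IdP's XML is encoded the way many IdPs and Java's own MIME encoder do, as 76-character lines separated by CRLF. `Base64.getDecoder()` stops at the first carriage return and throws the `Illegal base64 character d` seen in the stack trace (the `d` is the hex value of CR, 0x0d), while `Base64.getMimeDecoder()` skips the line breaks and round-trips the payload. The class name, the sample XML and the helper method names are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not Spring Security code): why Base64.getDecoder() rejects a
 * line-wrapped SAMLResponse while Base64.getMimeDecoder() accepts it.
 */
public class Saml2Base64Demo {

    // Constructed stand-in for the XML an IdP would return; the real one is sensitive.
    static final String SAML_XML =
            "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_example\">"
            + "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/>"
            + "</samlp:Status></samlp:Response>";

    /** Encode as 76-character lines ending in CRLF, the way MIME-style IdP output arrives. */
    static String encodeMimeWrapped(String xml) {
        return Base64.getMimeEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8));
    }

    /** The behaviour the issue reports: the basic decoder rejects the first CR (0x0d). */
    static String decodeStrict(String b64) {
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    /** The proposed alternative: the MIME decoder ignores characters outside the Base64 alphabet. */
    static String decodeMime(String b64) {
        return new String(Base64.getMimeDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String wrapped = encodeMimeWrapped(SAML_XML);
        System.out.println("wrapped payload contains CRLF: " + wrapped.contains("\r\n"));

        try {
            decodeStrict(wrapped);
            System.out.println("basic decoder: unexpectedly succeeded");
        } catch (IllegalArgumentException e) {
            // Prints "Illegal base64 character d": the 'd' is the hex value of CR (0x0d).
            System.out.println("basic decoder: " + e.getMessage());
        }

        String decoded = decodeMime(wrapped);
        System.out.println("mime decoder round-trips the XML: " + decoded.equals(SAML_XML));
    }
}
```

One caveat worth keeping in mind when switching decoders: the MIME decoder silently drops every character that is not in the Base64 alphabet, so a corrupted or tampered payload is no longer rejected at the decoding step. That is acceptable here only because the decoded SAML response is still subject to XML signature validation, which is where integrity is actually enforced.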

Comment From: rwinch

Thanks for the report. I could see us updating Saml2WebSsoAuthenticationFilter to accept an AuthenticationConverter. The result of which would be passed into the AuthenticationManager. Is this something that you would be interested in submitting a PR for?

In the meantime, there is not a lot of logic in Saml2WebSsoAuthenticationFilter, so you can create your own Filter that extends AbstractAuthenticationProcessingFilter and customizes how the Saml2AuthenticationToken is created.