Describe the bug

Some of the methods seem not to match the method signatures in two libs in Maven.

To Reproduce

Set versions in your pom.xml, or in another way, to

  • spring-security-saml2-service-provider -> 5.6.0
  • opensaml4 -> all to 4.0.1 (latest version in maven)

Then I got the error below.

If I change opensaml4 to 4.1.1 by compiling locally, it passes.

Expected behavior

The newer version of OpenSAML 4 hasn't been released in Maven yet. So spring-security-saml2-service-provider in Maven would need to keep the dependency on the OpenSAML 4 that is in Maven until a newer release.

Sample

java.lang.NoSuchMethodError: 'void org.opensaml.saml.saml2.assertion.SAML20AssertionValidator.<init>(java.util.Collection, java.util.Collection, java.util.Collection, org.opensaml.saml.saml2.assertion.AssertionValidator, org.opensaml.xmlsec.signature.support.SignatureTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator)'

    at org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider$SAML20AssertionValidators$3.<init>(OpenSaml4AuthenticationProvider.java:732)

Comment From: marcusdacoregio

Hi @fr2lancer, thanks for reaching out.

The opensaml artifacts are published in https://build.shibboleth.net/nexus/content/repositories/releases/. You can check one of our samples using it.

So, to use the latest release you should add the repository to your pom.xml.

Comment From: kapil00

When will the new versions be released to central Maven?

Comment From: marcusdacoregio

Hi @kapil00, I think this question is better suited for the OpenSAML team.

Comment From: jzheaux

The OpenSAML team has commented on using Maven Central in the past.

Comment From: fisco-unimatic

The pom for spring-security-saml2-service-provider 5.7.3 says that it depends on opensaml-saml-api 3.4.6, but 3.4.6 has the 5-arg constructor and 5.7.3 tries to invoke a 6-arg constructor. I don't understand how it could have compiled.

Comment From: marcusdacoregio

That's because we currently support both OpenSAML3 and OpenSAML4. Starting from Spring Security 6, OpenSAML3 won't be supported. See #10556

Comment From: akhil-lm

Hi @marcusdacoregio, I tried connecting to the Shibboleth repository, but somehow my local setup is not able to connect to it. My build.gradle configuration:

repositories {
    maven {
        credentials {
            username MAVEN_REPO_USERNAME
            password MAVEN_REPO_PASSWORD
        }
        url REPOSITORRY_URL
    }

    maven {
        url 'https://plugins.gradle.org/m2/'
    }
    maven {
        url "https://build.shibboleth.net/nexus/content/repositories/releases/"
    }
}

The error I keep getting is:

Could not find org.opensaml:opensaml-saml-impl:4.2.0.
Searched in the following locations:

The 'following locations' list doesn't include the Shibboleth Nexus URL.

Could you please help with why my application doesn't search for the Opensaml 4 artifact in the Shibboleth repository, and is not able to even connect with the repository?

Comment From: marcusdacoregio

Hi @akhil-lm.

Can you share your whole build.gradle and related files? Did you sync the Gradle settings after changing them?

Comment From: akhil-lm

Hi @marcusdacoregio, thanks for your reply. In my build.gradle, I had two repositories{} bodies, one under buildscript{} and one outside it. Both repositories{} bodies looked identical.

I was placing my Shibboleth repository inside the repositories{} in the buildscript{}. Once I moved the Shibboleth repository declaration to the other 'repositories{}' outside the buildscript{} body, I was able to connect to it.
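The layout the thread converges on, as an added example that is not part of the original discussion or of the Spring Security samples: the Shibboleth repository sits in the project-level repositories{} block and is scoped to the OpenSAML artifacts. The `exclusiveContent` filter and the group IDs it matches are assumptions added here; the versions are the ones quoted in the thread.

```groovy
// build.gradle (added example, not from the thread)

buildscript {
    // Consulted ONLY for the build script's own classpath (Gradle plugins).
    // A repository declared here is never searched for application
    // dependencies, so it will not show up under
    // "Searched in the following locations".
    repositories {
        gradlePluginPortal()
    }
}

plugins {
    id 'java'
}

// Consulted when resolving the project's own dependencies.
repositories {
    mavenCentral()

    // Assumption: OpenSAML 4 and its Shibboleth support libraries use the
    // group IDs matched below. exclusiveContent makes Gradle fetch those
    // groups from this repository only, and nothing else from it, so the
    // extra repository cannot shadow artifacts that belong to Maven Central.
    exclusiveContent {
        forRepository {
            maven {
                name = 'shibboleth'
                url = 'https://build.shibboleth.net/nexus/content/repositories/releases/'
            }
        }
        filter {
            includeGroup 'org.opensaml'
            includeGroupByRegex 'net\\.shibboleth(\\..*)?'
        }
    }
}

dependencies {
    implementation 'org.springframework.security:spring-security-saml2-service-provider:5.7.3'
    // Keep every OpenSAML module on the same 4.x version. An OpenSAML jar
    // older than the one the provider was compiled against can fail at
    // runtime with the NoSuchMethodError shown in the report.
    implementation 'org.opensaml:opensaml-core:4.2.0'
    implementation 'org.opensaml:opensaml-saml-api:4.2.0'
    implementation 'org.opensaml:opensaml-saml-impl:4.2.0'
}
```

Running `gradle dependencyInsight --dependency opensaml-saml-impl --configuration runtimeClasspath` shows which OpenSAML version was actually selected and why.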