Concerns spring-security 5.8.6; I haven't tested 6.x.
When using HttpSecurity.saml2Login to configure SAML for an application using spring-security, it's impossible to give or set the Saml2WebSsoAuthenticationFilter. The implementation of Saml2LoginConfigurer instantiates a new Saml2WebSsoAuthenticationFilter without taking into consideration the existence of a Saml2WebSsoAuthenticationFilter bean. This causes the creation of a Saml2WebSsoAuthenticationFilter instance which is not configurable or usable, and then we (the API users) have to get another Saml2WebSsoAuthenticationFilter bean instance by ourselves to configure it and add it to the HttpSecurity filter list.
To Reproduce
Considering a minimal configuration example:
```java
@Bean
public SecurityFilterChain app(final HttpSecurity http,
        final Saml2WebSsoAuthenticationRequestFilter saml2WebSsoAuthenticationRequestFilter,
        final Saml2MetadataFilter saml2MetadataFilter,
        final Saml2WebSsoAuthenticationFilter saml2WebSsoAuthenticationFilter,
        final AuthenticationManager authenticationManager)
        throws Exception {
    http
        .saml2Login(saml2 -> saml2.authenticationManager(authenticationManager))
        .addFilter(saml2WebSsoAuthenticationRequestFilter)
        .addFilter(saml2WebSsoAuthenticationFilter)
        .addFilter(saml2MetadataFilter);
    return http.build();
}
```
In this example, saml2Login() internally uses a Saml2WebSsoAuthenticationFilter, but one that is unusable and doesn't allow us to configure it. The implementation calls new Saml2WebSsoAuthenticationFilter but should use an autowired bean IMO.
Expected behavior
Something like this may allow us to specify the implementation and configuration of the Saml2WebSsoAuthenticationFilter to use:
```java
http
    .saml2Login(saml2 -> saml2.authenticationManager(authenticationManager)
        // proposed setter, does not exist in Saml2LoginConfigurer today
        .setSaml2WebSsoAuthenticationFilter(saml2WebSsoAuthenticationFilter))
    .addFilter(saml2WebSsoAuthenticationRequestFilter)
    .addFilter(saml2WebSsoAuthenticationFilter)
    .addFilter(saml2MetadataFilter);
```
I'm not sure if this is a "bug" or just an enhancement, because I may have misunderstood how Saml2LoginConfigurer uses Saml2WebSsoAuthenticationFilter and what we should do with it. Feel free to tell me if I'm wrong here!
Comment From: marcusdacoregio
Hi @Natlink. I don't clearly follow why you want to set your own filter; you can customize how SAML 2.0 Login works using the methods from the saml2Login() DSL. If you want to set the properties directly on the filter, you can add an ObjectPostProcessor to do that:
```java
.saml2Login((saml2) -> saml2.addObjectPostProcessor(new ObjectPostProcessor<Saml2WebSsoAuthenticationFilter>() {
    @Override
    // the type bound must match the processor's type parameter
    public <O extends Saml2WebSsoAuthenticationFilter> O postProcess(O filter) {
        // customize what you want
        return filter;
    }
}));
```
Please take a look at the documentation for more configuration options.
Comment From: Natlink
Hello @marcusdacoregio
Thanks for your answer! I will try this.
But from what I have tested, calling the saml2Login() DSL will not set the filter in the HttpSecurity object. Is that expected behavior?
To complete, I must call http.addFilter(saml2WebSsoAuthenticationFilter) to make it work as expected, so this forces me to define my own Saml2WebSsoAuthenticationFilter bean, which is different from the DSL auto-generated Saml2WebSsoAuthenticationFilter instance.
If I don't call http.addFilter(...), the endpoint /login/saml2/{registrationId} is unreachable, and when looking at the debug trace logs, the filter is not in the list.
The minimal reproduction example is in the issue body ^^
Comment From: marcusdacoregio
I am not sure how you are debugging it, but it does add the filter to the SecurityFilterChain, see https://github.com/spring-projects/spring-security/blob/0d70a7f5082024b6a60008ff9023cefe4c227db2/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java#L289
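Putting the two comments above together, here is an added example (not code from the issue or from spring-security itself) of a complete SecurityFilterChain that lets saml2Login() register its own Saml2WebSsoAuthenticationFilter and customizes that single instance through an ObjectPostProcessor, so no second filter bean is declared or added with addFilter(). The failure URL and the class name are assumptions; the Saml2WebSsoAuthenticationFilter import is the 5.8 package (6.x moved it to ...provider.service.web.authentication).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

@Configuration
@EnableWebSecurity
public class Saml2SecurityConfig { // class name is an assumption

    @Bean
    public SecurityFilterChain app(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // saml2Login() creates the Saml2WebSsoAuthenticationFilter and adds it to
            // the chain itself; a separately declared bean would be a second, unrelated
            // instance, so the DSL-created one is customized here instead.
            .saml2Login(saml2 -> saml2
                .addObjectPostProcessor(new ObjectPostProcessor<Saml2WebSsoAuthenticationFilter>() {
                    @Override
                    public <O extends Saml2WebSsoAuthenticationFilter> O postProcess(O filter) {
                        // Rejected SAML responses (bad signature, expired assertion, ...)
                        // are sent to a dedicated page; "/saml2/error" is an assumed path.
                        filter.setAuthenticationFailureHandler(
                            new SimpleUrlAuthenticationFailureHandler("/saml2/error"));
                        return filter;
                    }
                }));
        return http.build();
    }
}
```

With this configuration /login/saml2/{registrationId} is served by the filter the DSL registered, which is the one shown in the Saml2LoginConfigurer source linked above.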