Spring Security XML namespace with saml2-login configuration fails using Java 8 and spring-security 5.8

Describe the bug XML namespace with saml2-login configuration fails using Java 8 and spring-security 5.8.1:

"java.lang.UnsupportedClassVersionError: org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0"

With Spring Security 5.7.x it worked because the OpenSaml4* classes were compiled to Java 8 bytecode.

The problem is in these classes: org.springframework.security.config.http.Saml2LoginBeanDefinitionParserUtils org.springframework.security.config.http.Saml2LogoutBeanDefinitionParserUtils

They do not check the OpenSaml version like other spring-security classes that use OpenSaml4* classes, e.g.

static BeanDefinition createAuthenticationProvider() {
    return BeanDefinitionBuilder.rootBeanDefinition(
            "org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider")
            .getBeanDefinition();
}

To Reproduce Use XML namespace with saml2-login configuration, Java 8 and spring-security 5.8.x.

Expected behavior XML Namespace with saml2-login configuration should work using Java 8, OpenSaml 3 and spring-security 5.8

Comment From: jzheaux

Thanks, @MichaelVetter, we'll take a look at making this change in the next point release.

Comment From: MichaelVetter

Compilation to Java 8 bytecode would be the preferred solution because under certain conditions Websphere complains about classes with newer bytecode.