SAML Http Request Intercept with Spring Boot

In reference to this SO question Add request parameter to SAML request using Spring Security SAML

I am wanting to replace the default HTTPRedirectDeflateBinding bean with my own that has a custom HTTPRedirectDeflateEncoder to add query params to my SAML request.

I'm trying to achieve this with the Spring Boot @Bean auto-configuration annotation and being new to the Java environment I can't seem to get it working right. I can see that my bean is registering on startup but the outbound HTTP request is not being intercepted by it and it appears the original redirectBinding still is.

Here is my bean I added into my Configuration class:

@Bean(name="redirectBinding")
@Primary
public HTTPRedirectDeflateBinding HTTPRedirectDeflateBinding() {
    return new HTTPRedirectDeflateBinding(null, new My_SAML_HttpRedirectDeflateEncoder());
}

Here is my encoder I'm trying to pass into the redirect binding

import java.util.List;

import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.util.URLBuilder;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.util.Pair;

public class My_SAML_HttpRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder {

    @Override
    protected String buildRedirectURL(SAMLMessageContext messagesContext, String endpointURL, String message)
            throws MessageEncodingException {
        // Starts from the bare endpoint URL rather than the parent's encoded URL
        URLBuilder urlBuilder = new URLBuilder(endpointURL);
        List<Pair<String, String>> queryParams = urlBuilder.getQueryParams();
        
        if (messagesContext.getOutboundSAMLMessage() instanceof RequestAbstractType) {
            queryParams.add(new Pair<String, String>("service", "myService"));
            queryParams.add(new Pair<String, String>("serviceType", "dev"));
        }
        
        return urlBuilder.buildURL();
    }
}

I also attempted the solution proposed in this SO response: Spring Boot Adding Http Request Interceptors. Similar results: my HandlerInterceptor bean was registered but nothing is being intercepted. I feel like I'm missing a small detail. Any help would be appreciated.

Federalist answered 31/1, 2018 at 21:42 Comment(0)

1. I think you need to use the super method buildRedirectURL and then add the stripped or your custom query params, like this:

@Override
protected String buildRedirectURL(SAMLMessageContext messagesContext, String endpointURL, String message) throws MessageEncodingException {
    URLBuilder redirectUrlBuilder = new URLBuilder(super.buildRedirectURL(messagesContext, endpointURL, message));
    List<Pair<String, String>> queryParams = redirectUrlBuilder.getQueryParams();
    queryParams.addAll(new URLBuilder(endpointURL).getQueryParams());// add stripped query params
    return redirectUrlBuilder.buildURL();
}

2. I am not sure if it is fine to pass null to the HTTPRedirectDeflateBinding as the decoder. As an alternative I would suggest using the default decoder, which accepts a ParserPool.

Guanaco answered 27/2, 2018 at 13:47 Comment(0)

I know this question is very old, but I struggled with this same exact issue. I'm adding the answer just in case it can help anyone else.

The httpRedirectDeflateBinding will get called only when GET binding is used. In my case we used POST binding for WebSSOProfileOptions. Our configuration looked like the following:

    @Bean
    WebSSOProfileOptions defaultWebSSOProfileOptions() {
        WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
        webSSOProfileOptions.setIncludeScoping(false);
        webSSOProfileOptions.setAllowCreate(true);
        webSSOProfileOptions.setNameID("");
        webSSOProfileOptions.setForceAuthN(true);
        //This line is for enabling POST request
        webSSOProfileOptions.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        return webSSOProfileOptions;
    }

In this case, the custom override should be for HTTPPostEncoder. Inject the custom class to HTTPPostBinding and the custom logic should get executed.

Medina answered 20/12, 2019 at 17:48 Comment(0)

You can redeclare the SAMLProcessor bean, which is used by SAMLProcessingFilter, and add your own binding bean to its bindings list. This is an example I used in my project.

@Bean
public SAMLProcessorImpl processor() {
    Collection<SAMLBinding> bindings = new ArrayList<>();
    bindings.add(httpRedirectDeflateBinding());
    bindings.add(httpPostBinding());
    bindings.add(artifactBinding(parserPool(), velocityEngine()));
    bindings.add(httpSOAP11Binding());
    bindings.add(httpPAOS11Binding());

    return new SAMLProcessorImpl(bindings);
}

Hope it works for you.

Stormi answered 9/2, 2018 at 17:15 Comment(1)
I did that and put my extended redirect binding with my extended encoder in its constructor, and I can see from the debugger that it registers, but my buildRedirectUrl isn't being reached. I marked my bean factory method with "@Bean", "@AutoConfigureOrder(Ordered.HIGHEST_PRECEDENCE)", and "@Primary" with no luck. – Federalist
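Pulling the answers together, as an added example that is not from the question or any of the answers: the encoder calls the parent so the signed SAMLRequest, RelayState, SigAlg and Signature parameters survive (answer 1), the binding gets the default decoder instead of null, and the binding is placed in the SAMLProcessorImpl list so SAMLProcessingFilter actually uses it (answer 3). The class names ServiceParamRedirectEncoder and SamlBindingConfig are hypothetical, and it assumes ParserPool and HTTPPostBinding beans are declared elsewhere in the configuration, as in a standard Spring Security SAML setup.

```java
import java.util.Arrays;
import java.util.List;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder;
import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.util.URLBuilder;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.util.Pair;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.processor.HTTPPostBinding;
import org.springframework.security.saml.processor.HTTPRedirectDeflateBinding;
import org.springframework.security.saml.processor.SAMLBinding;
import org.springframework.security.saml.processor.SAMLProcessorImpl;

/** Hypothetical encoder: keeps the parameters the parent builds, then appends extra ones. */
public class ServiceParamRedirectEncoder extends HTTPRedirectDeflateEncoder {
    @Override
    protected String buildRedirectURL(SAMLMessageContext ctx, String endpointURL, String message)
            throws MessageEncodingException {
        // Start from the parent's finished URL; starting from the bare endpoint drops SAMLRequest.
        URLBuilder url = new URLBuilder(super.buildRedirectURL(ctx, endpointURL, message));
        List<Pair<String, String>> params = url.getQueryParams();
        if (ctx.getOutboundSAMLMessage() instanceof RequestAbstractType) {
            // The HTTP-Redirect signature covers only SAMLRequest, RelayState and SigAlg,
            // so the IdP cannot verify these extra values; treat them as unauthenticated.
            params.add(new Pair<String, String>("service", "myService"));
            params.add(new Pair<String, String>("serviceType", "dev"));
        }
        return url.buildURL();
    }
}

@Configuration
class SamlBindingConfig { // hypothetical; replaces the question's "redirectBinding" bean
    @Bean
    public HTTPRedirectDeflateBinding httpRedirectDeflateBinding(ParserPool parserPool) {
        // Default decoder rather than null, so inbound redirect-bound messages still decode.
        return new HTTPRedirectDeflateBinding(new HTTPRedirectDeflateDecoder(parserPool),
                new ServiceParamRedirectEncoder());
    }
    @Bean
    public SAMLProcessorImpl processor(HTTPRedirectDeflateBinding redirect, HTTPPostBinding post) {
        // SAMLProcessingFilter only consults bindings in this list; a binding bean that is
        // registered but not listed here is never used, which matches the question's symptom.
        List<SAMLBinding> bindings = Arrays.asList(redirect, post);
        return new SAMLProcessorImpl(bindings);
    }
}
```

If WebSSOProfileOptions selects the HTTP-POST binding (answer 2), this encoder is never invoked; the same super-then-append pattern applies to a subclass of HTTPPostEncoder injected into HTTPPostBinding.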
