spring-projects
diff --git a/‎saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.java
+27-27 b/‎saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.java
+27-27
diff --git a/‎saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlImplementation.java
+31-35 b/‎saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlImplementation.java
+31-35
@@ -16,22 +16,22 @@
 
 package org.springframework.security.saml2.provider.service.authentication;
 
+import java.time.Clock;
+import java.time.Instant;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
 import org.joda.time.DateTime;
 import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.saml2.core.Issuer;
+
 import org.springframework.security.saml2.credentials.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest.Builder;
 import org.springframework.util.Assert;
 
-import java.time.Clock;
-import java.time.Instant;
-import java.util.List;
-import java.util.Map;
-import java.util.UUID;
-
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static java.util.Collections.emptyList;
 import static org.springframework.security.saml2.provider.service.authentication.Saml2Utils.samlDeflate;
 import static org.springframework.security.saml2.provider.service.authentication.Saml2Utils.samlEncode;
 
@@ -46,19 +46,21 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
 	@Override
 	@Deprecated
 	public String createAuthenticationRequest(Saml2AuthenticationRequest request) {
-		return createAuthenticationRequest(request, request.getCredentials());
+		AuthnRequest authnRequest = createAuthnRequest(request.getIssuer(),
+				request.getDestination(), request.getAssertionConsumerServiceUrl());
+		return this.saml.serialize(authnRequest, request.getCredentials());
 	}
 
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
 	public Saml2PostAuthenticationRequest createPostAuthenticationRequest(Saml2AuthenticationRequestContext context) {
-		List<Saml2X509Credential> signingCredentials = context.getRelyingPartyRegistration().getProviderDetails().isSignAuthNRequest() ?
-				context.getRelyingPartyRegistration().getSigningCredentials() :
-				emptyList();
+		AuthnRequest authnRequest = createAuthnRequest(context);
+		String xml = context.getRelyingPartyRegistration().getProviderDetails().isSignAuthNRequest() ?
+			this.saml.serialize(authnRequest, context.getRelyingPartyRegistration().getSigningCredentials()) :
+			this.saml.serialize(authnRequest);
 
-		String xml = createAuthenticationRequest(context, signingCredentials);
 		return Saml2PostAuthenticationRequest.withAuthenticationRequestContext(context)
 				.samlRequest(samlEncode(xml.getBytes(UTF_8)))
 				.build();
@@ -69,7 +71,8 @@ public Saml2PostAuthenticationRequest createPostAuthenticationRequest(Saml2Authe
 	 */
 	@Override
 	public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext context) {
-		String xml = createAuthenticationRequest(context, emptyList());
+		AuthnRequest authnRequest = createAuthnRequest(context);
+		String xml = this.saml.serialize(authnRequest);
 		Builder result = Saml2RedirectAuthenticationRequest.withAuthenticationRequestContext(context);
 		String deflatedAndEncoded = samlEncode(samlDeflate(xml));
 		result.samlRequest(deflatedAndEncoded)
@@ -91,27 +94,24 @@ public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(Sa
 		return result.build();
 	}
 
-	private String createAuthenticationRequest(Saml2AuthenticationRequestContext request, List<Saml2X509Credential> credentials) {
-		return createAuthenticationRequest(Saml2AuthenticationRequest.withAuthenticationRequestContext(request).build(), credentials);
+	private AuthnRequest createAuthnRequest(Saml2AuthenticationRequestContext context) {
+		return createAuthnRequest(context.getIssuer(),
+				context.getDestination(), context.getAssertionConsumerServiceUrl());
 	}
 
-	private String createAuthenticationRequest(Saml2AuthenticationRequest context, List<Saml2X509Credential> credentials) {
-		AuthnRequest auth = this.saml.buildSAMLObject(AuthnRequest.class);
+	private AuthnRequest createAuthnRequest(String issuer, String destination, String assertionConsumerServiceUrl) {
+		AuthnRequest auth = this.saml.buildSamlObject(AuthnRequest.DEFAULT_ELEMENT_NAME);
 		auth.setID("ARQ" + UUID.randomUUID().toString().substring(1));
 		auth.setIssueInstant(new DateTime(this.clock.millis()));
 		auth.setForceAuthn(Boolean.FALSE);
 		auth.setIsPassive(Boolean.FALSE);
 		auth.setProtocolBinding(protocolBinding);
-		Issuer issuer = this.saml.buildSAMLObject(Issuer.class);
-		issuer.setValue(context.getIssuer());
-		auth.setIssuer(issuer);
-		auth.setDestination(context.getDestination());
-		auth.setAssertionConsumerServiceURL(context.getAssertionConsumerServiceUrl());
-		return this.saml.toXml(
-				auth,
-				credentials,
-				context.getIssuer()
-		);
+		Issuer iss = this.saml.buildSamlObject(Issuer.DEFAULT_ELEMENT_NAME);
+		iss.setValue(issuer);
+		auth.setIssuer(iss);
+		auth.setDestination(destination);
+		auth.setAssertionConsumerServiceURL(assertionConsumerServiceUrl);
+		return auth;
 	}
 
 	/**
 
@@ -16,6 +16,16 @@
 
 package org.springframework.security.saml2.provider.service.authentication;
 
+import java.io.ByteArrayInputStream;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import javax.xml.XMLConstants;
+import javax.xml.namespace.QName;
+
 import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
 import net.shibboleth.utilities.java.support.xml.BasicParserPool;
 import net.shibboleth.utilities.java.support.xml.SerializeSupport;
@@ -24,13 +34,14 @@
 import org.opensaml.core.config.InitializationException;
 import org.opensaml.core.config.InitializationService;
 import org.opensaml.core.xml.XMLObject;
+import org.opensaml.core.xml.XMLObjectBuilderFactory;
 import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
 import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
 import org.opensaml.core.xml.io.MarshallerFactory;
 import org.opensaml.core.xml.io.MarshallingException;
 import org.opensaml.core.xml.io.UnmarshallerFactory;
 import org.opensaml.core.xml.io.UnmarshallingException;
-import org.opensaml.saml.common.SignableSAMLObject;
+import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.security.SecurityException;
 import org.opensaml.security.credential.BasicCredential;
@@ -47,35 +58,26 @@
 import org.opensaml.xmlsec.signature.support.SignatureConstants;
 import org.opensaml.xmlsec.signature.support.SignatureException;
 import org.opensaml.xmlsec.signature.support.SignatureSupport;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.credentials.Saml2X509Credential;
-import org.springframework.security.saml2.provider.service.authentication.Saml2Utils;
 import org.springframework.util.Assert;
 import org.springframework.web.util.UriUtils;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import javax.xml.XMLConstants;
-import javax.xml.namespace.QName;
-import java.io.ByteArrayInputStream;
-import java.nio.charset.Charset;
-import java.nio.charset.StandardCharsets;
-import java.util.HashMap;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
 
 import static java.lang.Boolean.FALSE;
 import static java.lang.Boolean.TRUE;
 import static java.util.Arrays.asList;
-import static org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getBuilderFactory;
 import static org.springframework.util.StringUtils.hasText;
 
 /**
  * @since 5.2
  */
 final class OpenSamlImplementation {
 	private static OpenSamlImplementation instance = new OpenSamlImplementation();
+	private static XMLObjectBuilderFactory xmlObjectBuilderFactory =
+			XMLObjectProviderRegistrySupport.getBuilderFactory();
 
 	private final BasicParserPool parserPool = new BasicParserPool();
 	private final EncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(
@@ -167,37 +169,31 @@ EncryptedKeyResolver getEncryptedKeyResolver() {
 		return this.encryptedKeyResolver;
 	}
 
-	<T> T buildSAMLObject(final Class<T> clazz) {
-		try {
-			QName defaultElementName = (QName) clazz.getDeclaredField("DEFAULT_ELEMENT_NAME").get(null);
-			return (T) getBuilderFactory().getBuilder(defaultElementName).buildObject(defaultElementName);
-		}
-		catch (NoSuchFieldException | IllegalAccessException e) {
-			throw new Saml2Exception("Could not create SAML object", e);
-		}
+	<T> T buildSamlObject(QName qName) {
+		return (T) xmlObjectBuilderFactory.getBuilder(qName).buildObject(qName);
 	}
 
 	XMLObject resolve(String xml) {
 		return resolve(xml.getBytes(StandardCharsets.UTF_8));
 	}
 
-	String toXml(XMLObject object, List<Saml2X509Credential> signingCredentials, String localSpEntityId) {
-		if (object instanceof SignableSAMLObject && null != hasSigningCredential(signingCredentials)) {
-			signXmlObject(
-					(SignableSAMLObject) object,
-					signingCredentials,
-					localSpEntityId
-			);
-		}
+	String serialize(XMLObject xmlObject) {
 		final MarshallerFactory marshallerFactory = XMLObjectProviderRegistrySupport.getMarshallerFactory();
 		try {
-			Element element = marshallerFactory.getMarshaller(object).marshall(object);
+			Element element = marshallerFactory.getMarshaller(xmlObject).marshall(xmlObject);
 			return SerializeSupport.nodeToString(element);
 		} catch (MarshallingException e) {
 			throw new Saml2Exception(e);
 		}
 	}
 
+	String serialize(AuthnRequest authnRequest, List<Saml2X509Credential> signingCredentials) {
+		if (hasSigningCredential(signingCredentials) != null) {
+			signAuthnRequest(authnRequest, signingCredentials);
+		}
+		return serialize(authnRequest);
+	}
+
 	/**
 	 * Returns query parameter after creating a Query String signature
 	 * All return values are unencoded and will need to be encoded prior to sending
@@ -306,15 +302,15 @@ private Credential getSigningCredential(List<Saml2X509Credential> signingCredent
 		return cred;
 	}
 
-	private void signXmlObject(SignableSAMLObject object, List<Saml2X509Credential> signingCredentials, String entityId) {
+	private void signAuthnRequest(AuthnRequest authnRequest, List<Saml2X509Credential> signingCredentials) {
 		SignatureSigningParameters parameters = new SignatureSigningParameters();
-		Credential credential = getSigningCredential(signingCredentials, entityId);
+		Credential credential = getSigningCredential(signingCredentials, authnRequest.getIssuer().getValue());
 		parameters.setSigningCredential(credential);
 		parameters.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
 		parameters.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
 		parameters.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
 		try {
-			SignatureSupport.signObject(object, parameters);
+			SignatureSupport.signObject(authnRequest, parameters);
 		} catch (MarshallingException | SignatureException | SecurityException e) {
 			throw new Saml2Exception(e);
 		}