Add SecurityContextHolderStrategy XML Configuration for Saml2

Issue gh-11061

Author: jzheaux

config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java

@@ -239,7 +239,7 @@ final class AuthenticationConfigBuilder {
 		createX509Filter(authenticationManager, authenticationFilterSecurityContextHolderStrategyRef);
 		createJeeFilter(authenticationManager, authenticationFilterSecurityContextHolderStrategyRef);
 		createLogoutFilter(authenticationFilterSecurityContextHolderStrategyRef);
-		createSaml2LogoutFilter();
+		createSaml2LogoutFilter(authenticationFilterSecurityContextHolderStrategyRef);
 		createLoginPageFilterIfNeeded();
 		createUserDetailsServiceFactory();
 		createExceptionTranslationFilter(authenticationFilterSecurityContextHolderStrategyRef);
@@ -635,13 +635,13 @@ void createLogoutFilter(BeanMetadataElement authenticationFilterSecurityContextH
 		}
 	}
 
-	private void createSaml2LogoutFilter() {
+	private void createSaml2LogoutFilter(BeanMetadataElement authenticationFilterSecurityContextHolderStrategyRef) {
 		Element saml2LogoutElt = DomUtils.getChildElementByTagName(this.httpElt, Elements.SAML2_LOGOUT);
 		if (saml2LogoutElt == null) {
 			return;
 		}
 		Saml2LogoutBeanDefinitionParser parser = new Saml2LogoutBeanDefinitionParser(this.logoutHandlers,
-				this.logoutSuccessHandler);
+				this.logoutSuccessHandler, authenticationFilterSecurityContextHolderStrategyRef);
 		parser.parse(saml2LogoutElt, this.pc);
 		BeanDefinition saml2LogoutFilter = parser.getLogoutFilter();
 		BeanDefinition saml2LogoutRequestFilter = parser.getLogoutRequestFilter();

config/src/main/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParser.java

@@ -77,10 +77,14 @@ final class Saml2LogoutBeanDefinitionParser implements BeanDefinitionParser {
 
 	private BeanDefinition logoutFilter;
 
+	private BeanMetadataElement authenticationFilterSecurityContextHolderStrategy;
+
 	Saml2LogoutBeanDefinitionParser(ManagedList<BeanMetadataElement> logoutHandlers,
-			BeanMetadataElement logoutSuccessHandler) {
+			BeanMetadataElement logoutSuccessHandler,
+			BeanMetadataElement authenticationFilterSecurityContextHolderStrategy) {
 		this.logoutHandlers = logoutHandlers;
 		this.logoutSuccessHandler = logoutSuccessHandler;
+		this.authenticationFilterSecurityContextHolderStrategy = authenticationFilterSecurityContextHolderStrategy;
 	}
 
 	@Override
@@ -119,7 +123,10 @@ public BeanDefinition parse(Element element, ParserContext pc) {
 		this.logoutRequestFilter = BeanDefinitionBuilder.rootBeanDefinition(Saml2LogoutRequestFilter.class)
 				.addConstructorArgValue(registrations).addConstructorArgValue(logoutRequestValidator)
 				.addConstructorArgValue(logoutResponseResolver).addConstructorArgValue(this.logoutHandlers)
-				.addPropertyValue("logoutRequestMatcher", logoutRequestMatcher).getBeanDefinition();
+				.addPropertyValue("logoutRequestMatcher", logoutRequestMatcher)
+				.addPropertyValue("securityContextHolderStrategy",
+						this.authenticationFilterSecurityContextHolderStrategy)
+				.getBeanDefinition();
 		BeanMetadataElement logoutResponseValidator = Saml2LogoutBeanDefinitionParserUtils
 				.getLogoutResponseValidator(element);
 		BeanMetadataElement logoutRequestRepository = Saml2LogoutBeanDefinitionParserUtils

config/src/test/java/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests.java

@@ -32,6 +32,7 @@
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.saml2.core.Saml2ParameterNames;
 import org.springframework.security.saml2.core.Saml2Utils;
 import org.springframework.security.saml2.core.TestSaml2X509Credentials;
@@ -61,6 +62,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -178,6 +180,23 @@ public void authenticateWhenAuthenticationResponseValidThenAuthenticate() throws
 		assertThat(authentication.getPrincipal()).isInstanceOf(Saml2AuthenticatedPrincipal.class);
 	}
 
+	@Test
+	public void authenticateWhenCustomSecurityContextHolderStrategyThenUses() throws Exception {
+		this.spring.configLocations(this.xml("WithCustomSecurityContextHolderStrategy")).autowire();
+		RelyingPartyRegistration relyingPartyRegistration = relyingPartyRegistrationWithVerifyingCredential();
+		// @formatter:off
+		this.mvc.perform(post("/login/saml2/sso/" + relyingPartyRegistration.getRegistrationId()).param(Saml2ParameterNames.SAML_RESPONSE, SIGNED_RESPONSE))
+				.andDo(MockMvcResultHandlers.print())
+				.andExpect(status().is2xxSuccessful());
+		// @formatter:on
+		ArgumentCaptor<Authentication> authenticationCaptor = ArgumentCaptor.forClass(Authentication.class);
+		verify(this.authenticationSuccessHandler).onAuthenticationSuccess(any(), any(), authenticationCaptor.capture());
+		Authentication authentication = authenticationCaptor.getValue();
+		assertThat(authentication.getPrincipal()).isInstanceOf(Saml2AuthenticatedPrincipal.class);
+		SecurityContextHolderStrategy strategy = this.spring.getContext().getBean(SecurityContextHolderStrategy.class);
+		verify(strategy, atLeastOnce()).getContext();
+	}
+
 	@Test
 	public void authenticateWhenAuthenticationResponseValidThenAuthenticationSuccessEventPublished() throws Exception {
 		this.spring.configLocations(this.xml("WithCustomRelyingPartyRepository")).autowire();

config/src/test/java/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests.java

@@ -35,6 +35,7 @@
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.saml2.core.Saml2Utils;
 import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
@@ -63,6 +64,7 @@
 import static org.hamcrest.Matchers.containsString;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.verify;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.authentication;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
@@ -233,6 +235,23 @@ public void saml2LogoutRequestWhenDefaultsThenLogsOutAndSendsLogoutResponse() th
 		assertThat(location).startsWith("https://ap.example.org/logout/saml2/response");
 	}
 
+	@Test
+	public void saml2LogoutRequestWhenCustomSecurityContextHolderStrategyThenUses() throws Exception {
+		this.spring.configLocations(this.xml("WithSecurityContextHolderStrategy")).autowire();
+		DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal("user",
+				Collections.emptyMap());
+		principal.setRelyingPartyRegistrationId("get");
+		Saml2Authentication user = new Saml2Authentication(principal, "response",
+				AuthorityUtils.createAuthorityList("ROLE_USER"));
+		MvcResult result = this.mvc.perform(get("/logout/saml2/slo").param("SAMLRequest", this.apLogoutRequest)
+				.param("RelayState", this.apLogoutRequestRelayState).param("SigAlg", this.apLogoutRequestSigAlg)
+				.param("Signature", this.apLogoutRequestSignature).with(samlQueryString()).with(authentication(user)))
+				.andExpect(status().isFound()).andReturn();
+		String location = result.getResponse().getHeader("Location");
+		assertThat(location).startsWith("https://ap.example.org/logout/saml2/response");
+		verify(getBean(SecurityContextHolderStrategy.class), atLeastOnce()).getContext();
+	}
+
 	@Test
 	public void saml2LogoutRequestWhenNoRegistrationThen400() throws Exception {
 		this.spring.configLocations(this.xml("Default")).autowire();

config/src/test/resources/org/springframework/security/config/http/Saml2LoginBeanDefinitionParserTests-WithCustomSecurityContextHolderStrategy.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2021 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xmlns="http://www.springframework.org/schema/security"
+		 xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true" security-context-holder-strategy-ref="ref">
+		<intercept-url pattern="/**" access="authenticated"/>
+		<saml2-login authentication-success-handler-ref="authenticationSuccessHandler" relying-party-registration-repository-ref="relyingPartyRegistrationRepository"/>
+	</http>
+
+	<b:bean id="ref" class="org.mockito.Mockito" factory-method="spy">
+		<b:constructor-arg>
+			<b:bean class="org.springframework.security.config.MockSecurityContextHolderStrategy"/>
+		</b:constructor-arg>
+	</b:bean>
+
+	<b:bean id="authenticationSuccessListener" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.context.ApplicationListener"/>
+	</b:bean>
+	<b:bean id="authenticationSuccessHandler" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.web.authentication.AuthenticationSuccessHandler"/>
+	</b:bean>
+	<b:bean id="relyingPartyRegistrationRepository" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository"/>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>

config/src/test/resources/org/springframework/security/config/http/Saml2LogoutBeanDefinitionParserTests-WithSecurityContextHolderStrategy.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2022 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true" security-context-holder-strategy-ref="ref">
+		<intercept-url pattern="/**" access="authenticated"/>
+		<saml2-login/>
+		<saml2-logout/>
+	</http>
+
+	<b:bean id="ref" class="org.mockito.Mockito" factory-method="spy">
+		<b:constructor-arg>
+			<b:bean class="org.springframework.security.config.MockSecurityContextHolderStrategy"/>
+		</b:constructor-arg>
+	</b:bean>
+
+	<b:import resource="userservice.xml"/>
+	<b:import resource="../saml2/logout-registrations.xml"/>
+</b:beans>