spring-attic / spring-security-saml

SAML extension for the Spring Security project

Sample mvp/minimal #431

Closed rwinch closed 5 years ago

rwinch commented 5 years ago
fhanik commented 5 years ago

Move sample source to a top level package named sample. This is likely how we will structure the code for the actual sample, as it means less for the user to navigate through. For now it also makes it more obvious what is part of the sample and what will later be extracted out.

Completed.

I don't expect we will have multiple versions of Saml2Authentication, so I'd suggest removing the interface in favor of a class named Saml2Authentication DefaultSaml2Authentication.

Completed.

Consider extending AbstractAuthenticationToken

Completed.

Most Authentication implementations don't inject authenticated. Instead that is determined by the constructor invoked. If the constructor accepts GrantedAuthority instances then the user is authenticated, else not. I'd suggest allowing the GrantedAuthority to be injected.

Completed.

Saml2WebSsoAuthenticationFilter: Currently the Saml2AuthenticationResponseResolver resolves an Authentication that indicates it is already authenticated and then passes that into the AuthenticationManager, which should not be the case. Rather than using Saml2AuthenticationResponseResolver, I'd suggest creating a Saml2Authentication that contains only the information necessary for validation (i.e. the SAMLResponse and the Saml2IdentityProviderRegistration). Then create a Saml2AuthenticationProvider that validates using the information in the Saml2Authentication.

This got rid of the resolver altogether. The filter extracts the necessary data, and the authentication provider processes it.

Saml logic only in the authentication provider.
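The token/provider split agreed above, as an added illustration rather than code from this PR or the project: the filter builds an unauthenticated Saml2Authentication carrying only the SAMLResponse and the registration, and only the provider may return an authenticated one. The registration is typed as Object to stand in for Saml2IdentityProviderRegistration, and validateAndExtractSubject is a hypothetical hook where the SAML validation (signature, audience, conditions) would live.

```java
import java.util.Collection;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/** Authenticated state is fixed by the constructor used, never injected as a flag. */
class Saml2Authentication extends AbstractAuthenticationToken {
    private final String samlResponse; // raw SAMLResponse extracted by the filter
    private final Object registration; // stands in for Saml2IdentityProviderRegistration
    private final Object principal;

    /** Filter side: unauthenticated, carries only what validation needs. */
    Saml2Authentication(String samlResponse, Object registration) {
        super(null);
        this.samlResponse = samlResponse;
        this.registration = registration;
        this.principal = null;
        setAuthenticated(false);
    }

    /** Provider side: authorities present, so the token is authenticated. */
    Saml2Authentication(Object principal, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.samlResponse = null;   // response is not kept once validated
        this.registration = null;
        this.principal = principal;
        setAuthenticated(true);
    }

    @Override public Object getCredentials() { return samlResponse; }
    @Override public Object getPrincipal() { return principal; }
    Object getRegistration() { return registration; }
}

/** All SAML logic lives here; the filter never decides that a user is authenticated. */
class Saml2AuthenticationProvider implements AuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        Saml2Authentication token = (Saml2Authentication) auth;
        String subject = validateAndExtractSubject((String) token.getCredentials(), token.getRegistration());
        if (subject == null) throw new BadCredentialsException("SAML response failed validation");
        return new Saml2Authentication(subject, AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
    @Override public boolean supports(Class<?> c) { return Saml2Authentication.class.isAssignableFrom(c); }
    /** Hypothetical hook: returns the asserted subject, or null if any check fails. */
    private String validateAndExtractSubject(String samlResponse, Object registration) { return null; }
}
```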