spring-attic / spring-security-saml

SAML extension for the Spring Security project

Authentication statement is too old and maxAuthenticationAge #448

Closed vrepetenko closed 4 years ago

vrepetenko commented 5 years ago

Hi,

I cannot find out how to change maxAuthenticationAge in version 2.0.0.M30. Any hints?

MikeN123 commented 5 years ago

It's in DefaultValidator, you can override samlValidator() in SamlServiceProviderServerBeanConfiguration to configure it.

ekaterinasmarp commented 5 years ago

Hi,

The way we overrode it is the same as @MikeN123 suggested. The problem that I found there was the integer type of maxAuthenticationAge. We wanted to set it to one year, and it is impossible to fit one year of milliseconds inside an int datatype, so I needed to override the isDateTimeSkewValid method as well.

We were thinking about creating a pull request addressing this problem but are not sure about backward compatibility. Any suggestions from the authors?

vrepetenko commented 5 years ago

Hi,

Thanks for the reply!

I just added this in the application's SecurityConfiguration class:

    public SecurityConfiguration(@Autowired SamlValidator samlValidator) {
        this.samlValidator = samlValidator;
        ((DefaultValidator)this.samlValidator).setMaxAuthenticationAgeMillis(2073600000); // 24 days
    }

I agree that Integer is too short for this property...
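An added example, not code from this thread or from spring-security-saml, showing the int limit raised in the two comments above: one year of milliseconds wraps when computed as an int, so a statement well inside the intended window is rejected as too old. `AuthnAgeDemo` and `isFresh` are hypothetical names, the timestamps are constructed, and the check ignores clock skew.

```java
import java.time.Duration;
import java.time.Instant;

public class AuthnAgeDemo {

    // Hypothetical freshness check (not the library's DefaultValidator code):
    // accept a statement only if its AuthnInstant is at most maxAgeMillis in the past.
    static boolean isFresh(Instant authnInstant, Instant now, long maxAgeMillis) {
        long ageMillis = Duration.between(authnInstant, now).toMillis();
        return ageMillis >= 0 && ageMillis <= maxAgeMillis;
    }

    public static void main(String[] args) {
        // Constructed sample: the user authenticated at the IdP 30 days ago.
        Instant now = Instant.parse("2020-01-31T00:00:00Z");
        Instant authnInstant = now.minus(Duration.ofDays(30));

        // The longest age an int millisecond property can hold.
        System.out.println("int ceiling: " + Duration.ofMillis(Integer.MAX_VALUE));

        // One year computed in int arithmetic wraps silently to a smaller positive value.
        int wrapped = 365 * 24 * 60 * 60 * 1000;
        long oneYear = Duration.ofDays(365).toMillis();
        System.out.println("int 'one year': " + Duration.ofMillis(wrapped));
        System.out.println("long one year:  " + Duration.ofMillis(oneYear));

        // With the wrapped limit the 30-day-old statement is rejected as too old.
        System.out.println("fresh (int limit):  " + isFresh(authnInstant, now, wrapped));
        System.out.println("fresh (long limit): " + isFresh(authnInstant, now, oneYear));

        // Narrowing explicitly fails loudly instead of wrapping.
        try {
            Math.toIntExact(oneYear);
        } catch (ArithmeticException e) {
            System.out.println("one year does not fit in int: " + e.getMessage());
        }
    }
}
```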

jzheaux commented 4 years ago

I believe this is resolved by https://github.com/spring-projects/spring-security-saml/pull/470