spring-attic / spring-security-saml

SAML extension for the Spring Security project

org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest is not serializable #519

Closed a5rar closed 2 years ago

a5rar commented 2 years ago

I have been using spring-security-saml2-service-provider with the latest Spring Boot version, 2.6.1. Everything appears to be working as expected; however, when I added spring-boot-starter-data-redis in order to externalize the session, I hit the serialization error.

I'm not entirely sure why Saml2RedirectAuthenticationRequest is not serializable. I'm also trying to figure out if this is an issue with spring-session or spring-security-saml.

    Caused by: java.lang.IllegalArgumentException: DefaultSerializer requires a Serializable payload but received an object of type [org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest]
        at org.springframework.core.serializer.DefaultSerializer.serialize(DefaultSerializer.java:43) ~[spring-core-5.3.13.jar:5.3.13]
        at org.springframework.core.serializer.Serializer.serializeToByteArray(Serializer.java:56) ~[spring-core-5.3.13.jar:5.3.13]
        at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:60) ~[spring-core-5.3.13.jar:5.3.13]
        at org.springframework.core.serializer.support.SerializingConverter.convert(SerializingConverter.java:33) ~[spring-core-5.3.13.jar:5.3.13]
        at org.springframework.data.redis.serializer.JdkSerializationRedisSerializer.serialize(JdkSerializationRedisSerializer.java:94) ~[spring-data-redis-2.6.0

This is my security config:

    // Resolves the RelyingPartyRegistration for the incoming request.
    Converter<HttpServletRequest, RelyingPartyRegistration> relyingPartyRegistrationResolver =
        new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrations());
    // Serves this service provider's SAML metadata.
    Saml2MetadataFilter filter = new Saml2MetadataFilter(
        relyingPartyRegistrationResolver,
        new OpenSamlMetadataResolver());

    http.csrf().disable()
        .saml2Login(withDefaults())
        .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class)
        .antMatcher("/**")
        .authorizeRequests()
        .antMatchers("/actuator/**", "/css/**", "/images/**", "/js/**", "/favicon.ico")
        .permitAll()
        .anyRequest().authenticated()
        .and().logout().addLogoutHandler((request, response, authentication) -> {
            // Invalidate the local session, then send the user to the portal's logout URL.
            request.getSession().invalidate();
            try {
                response.sendRedirect(logoutUrl);
            } catch (IOException e) {
                logger.error("Failed to redirect to portal");
                throw new RuntimeException("Failed to redirect to portal", e);
            }
        });

jzheaux commented 2 years ago

Thanks for posting, @a5rar. I'm closing this as a duplicate of https://github.com/spring-projects/spring-security/issues/10550