ulisesbocchio / spring-boot-security-saml

spring-security-saml integration with Spring Boot
MIT License
158 stars 73 forks source link

saml.sso.metadata-generator.entity-base-url must not end in / #63

Closed candrews closed 5 years ago

candrews commented 6 years ago

The value of saml.sso.metadata-generator.entity-base-url must not end in a slash - if it does, Spring Security SAML will generate invalid URLs for in the assertions.

For example, with saml.sso.metadata-generator.entity-base-url=http://localhost:8080/ the authentication assertion generated is:

<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8080//saml/SSO" Destination="https://REDACTED/sso/saml/authenticate" ForceAuthn="false" ID="a1gafgbc456ed2ibhdcbdgc5b17107" IsPassive="false" IssueInstant="2018-04-27T14:35:31.456Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost</saml2:Issuer><saml2p:Scoping ProxyCount="2"/></saml2p:AuthnRequest>

The problem is caused in org.springframework.security.saml.metadata.MetadataGenerator.getServerURL(String, String, String, Map<String, String>), it's called as getServerURL("http://localhost:8080/", null, "/saml/SSO", null) and returns "http://localhost:8080//saml/SSO"

I suggest that either:

  1. a validation pattern be placed on com.github.ulisesbocchio.spring.boot.security.saml.properties.MetadataGeneratorProperties.entityBaseUrl such as @Pattern(regexp = "[^\\/]$", message="must not end in /")
  2. The trailing slash be stripped when the property is set
candrews commented 6 years ago

Reported upstream at https://github.com/spring-projects/spring-security-saml/pull/238

ulisesbocchio commented 6 years ago

thanks @candrews feel free to submit pull request for either of your suggested solutions