This is an automated email from the ASF dual-hosted git repository.
pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 8ebecdc3ab NIFI-11554 Upgraded OpenSAML from 3.4.6 to 4.3.0
8ebecdc3ab is described below
commit 8ebecdc3abf8a42fe08c6d4fca0d6abe5ad83808
Author: exceptionfactory <[email protected]>
AuthorDate: Mon May 15 21:40:56 2023 -0500
NIFI-11554 Upgraded OpenSAML from 3.4.6 to 4.3.0
- Added Shibboleth repository for OpenSAML
- Replaced deprecated OpenSAML 3 Spring Security components with OpenSAML 4
Signed-off-by: Pierre Villard <[email protected]>
This closes #7251.
---
.../SamlAuthenticationSecurityConfiguration.java | 40 ++++++++++------------
.../StandardSaml2CredentialProvider.java | 2 +-
.../ResponseAuthenticationConverter.java | 7 ++--
nifi-nar-bundles/nifi-framework-bundle/pom.xml | 30 ++++++++++++++++
4 files changed, 52 insertions(+), 27 deletions(-)
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
index 097e6a68ab..8cc90d370c 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
@@ -45,7 +45,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import
org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
-import
org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
+import
org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import
org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutRequestValidator;
import
org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutResponseValidator;
import
org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
@@ -55,16 +55,16 @@ import
org.springframework.security.saml2.provider.service.metadata.Saml2Metadat
import
org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
-import
org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
-import
org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter;
+import
org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
+import
org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
import
org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import
org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
import
org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
import
org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
-import
org.springframework.security.saml2.provider.service.web.authentication.OpenSaml3AuthenticationRequestResolver;
+import
org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
import
org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
-import
org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml3LogoutRequestResolver;
-import
org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml3LogoutResponseResolver;
+import
org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutRequestResolver;
+import
org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutResponseResolver;
import
org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter;
import
org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestRepository;
import
org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
@@ -218,26 +218,24 @@ public class SamlAuthenticationSecurityConfiguration {
/**
* Spring Security OpenSAML Authentication Provider for processing SAML 2
login responses
*
- * @return OpenSAML 3 Authentication Provider required for compatibility
with Java 8
+ * @return OpenSAML 4 Authentication Provider compatible with Java 11
*/
- @SuppressWarnings("deprecation")
@Bean
- public OpenSamlAuthenticationProvider openSamlAuthenticationProvider() {
- final OpenSamlAuthenticationProvider provider = new
OpenSamlAuthenticationProvider();
+ public OpenSaml4AuthenticationProvider openSamlAuthenticationProvider() {
+ final OpenSaml4AuthenticationProvider provider = new
OpenSaml4AuthenticationProvider();
final ResponseAuthenticationConverter responseAuthenticationConverter
= new ResponseAuthenticationConverter(properties.getSamlGroupAttributeName());
provider.setResponseAuthenticationConverter(responseAuthenticationConverter);
return provider;
}
/**
- * Spring Security SAML 2 Authentication Request Resolver uses OpenSAML 3
for compatibility with Java 8
+ * Spring Security SAML 2 Authentication Request Resolver uses OpenSAML 4
*
- * @return OpenSAML 3 version of SAML 2 Authentication Request Resolver
+ * @return OpenSAML 4 version of SAML 2 Authentication Request Resolver
*/
- @SuppressWarnings("deprecation")
@Bean
public Saml2AuthenticationRequestResolver
saml2AuthenticationRequestResolver() {
- return new
OpenSaml3AuthenticationRequestResolver(relyingPartyRegistrationResolver());
+ return new
OpenSaml4AuthenticationRequestResolver(relyingPartyRegistrationResolver());
}
/**
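Review bot: The bean method `openSamlAuthenticationProvider()` still advertises the OpenSAML-major-specific concrete type as its return type, which is exactly why this upgrade had to touch the signature; declaring it as `public AuthenticationProvider openSamlAuthenticationProvider()` (the interface the framework's `AuthenticationManager` consumes; would need an import) would keep the next OpenSAML bump inside the method body, provided nothing else in this configuration injects the concrete type, which is not visible in the hunk. The rewritten Javadoc only states the Java baseline and says nothing about what is and is not customized on the provider; a line such as `Only the response-to-authentication conversion is replaced to map the configured group attribute; signature and assertion validation remain the provider's defaults` would tell a reader what `setResponseAuthenticationConverter` changes, and is worth confirming against the Spring Security version in use. The enclosing class continues outside this hunk.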
@@ -261,25 +259,23 @@ public class SamlAuthenticationSecurityConfiguration {
}
/**
- * Spring Security SAML 2 Logout Request Resolver uses OpenSAML 3 for
compatibility with Java 8
+ * Spring Security SAML 2 Logout Request Resolver uses OpenSAML 4
*
- * @return OpenSAML 3 version of SAML 2 Logout Request Resolver
+ * @return OpenSAML 4 version of SAML 2 Logout Request Resolver
*/
- @SuppressWarnings("deprecation")
@Bean
public Saml2LogoutRequestResolver saml2LogoutRequestResolver() {
- return new
OpenSaml3LogoutRequestResolver(relyingPartyRegistrationResolver());
+ return new
OpenSaml4LogoutRequestResolver(relyingPartyRegistrationResolver());
}
/**
- * Spring Security SAML 2 Logout Response Resolver uses OpenSAML 3 for
compatibility with Java 8
+ * Spring Security SAML 2 Logout Response Resolver uses OpenSAML 4
*
- * @return OpenSAML 3 version of SAML 2 Logout Response Resolver
+ * @return OpenSAML 4 version of SAML 2 Logout Response Resolver
*/
- @SuppressWarnings("deprecation")
@Bean
public Saml2LogoutResponseResolver saml2LogoutResponseResolver() {
- return new
OpenSaml3LogoutResponseResolver(relyingPartyRegistrationResolver());
+ return new
OpenSaml4LogoutResponseResolver(relyingPartyRegistrationResolver());
}
/**
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/registration/StandardSaml2CredentialProvider.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/registration/StandardSaml2CredentialProvider.java
index 64b7179ca8..c39a5899db 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/registration/StandardSaml2CredentialProvider.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/registration/StandardSaml2CredentialProvider.java
@@ -70,7 +70,7 @@ public class StandardSaml2CredentialProvider implements
Saml2CredentialProvider
try {
return keyStore.getKey(alias, keyPassword);
} catch (final GeneralSecurityException e) {
- throw new Saml2Exception(String.format("Loading Key [%s] failed",
alias));
+ throw new Saml2Exception(String.format("Loading Key [%s] failed",
alias), e);
}
}
diff --git
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/service/authentication/ResponseAuthenticationConverter.java
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/service/authentication/ResponseAuthenticationConverter.java
index f2a8e8e95a..f3a38d8ac7 100644
---
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/service/authentication/ResponseAuthenticationConverter.java
+++
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/service/authentication/ResponseAuthenticationConverter.java
@@ -24,8 +24,8 @@ import org.opensaml.saml.saml2.core.Assertion;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import
org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
-import
org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken;
+import
org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
+import
org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import
org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
@@ -39,8 +39,7 @@ import java.util.stream.Collectors;
* Converter from SAML 2 Response Token to SAML 2 Authentication for Spring
Security
*/
public class ResponseAuthenticationConverter implements
Converter<ResponseToken, Saml2Authentication> {
- @SuppressWarnings("deprecation")
- private static final Converter<ResponseToken, Saml2Authentication>
defaultConverter =
OpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter();
+ private static final Converter<ResponseToken, Saml2Authentication>
defaultConverter =
OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();
private final String groupAttributeName;
diff --git a/nifi-nar-bundles/nifi-framework-bundle/pom.xml
b/nifi-nar-bundles/nifi-framework-bundle/pom.xml
index 02231958af..e0114b5d11 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/pom.xml
@@ -25,6 +25,7 @@
<properties>
<curator.version>5.5.0</curator.version>
<tika.version>2.8.0</tika.version>
+ <org.opensaml.version>4.3.0</org.opensaml.version>
</properties>
<modules>
<module>nifi-framework</module>
@@ -33,6 +34,19 @@
<module>nifi-headless-server-nar</module>
<module>nifi-framework-external-resource-utils</module>
</modules>
+ <repositories>
+ <!-- Shibboleth Repository required for OpenSAML -->
+ <repository>
+ <id>shibboleth</id>
+
<url>https://build.shibboleth.net/nexus/content/repositories/releases/</url>
+ <releases>
+ <enabled>true</enabled>
+ </releases>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ </repository>
+ </repositories>
<dependencyManagement>
<dependencies>
<dependency>
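Review bot: The `<repository>` added at the bundle level is consulted for every artifact the modules under it resolve, not only the `org.opensaml` coordinates it was added for, so any coordinate that is absent from Central (a typo, a not-yet-published version) can be satisfied by build.shibboleth.net instead; the inline comment does not call out this dependency-confusion exposure. Maven cannot scope a POM repository to a groupId, so the practical control is a repository manager or CI `settings.xml` mirror that routes only `org.opensaml`/`net.shibboleth` groups to this host, plus tightening the declaration itself: `<releases><enabled>true</enabled><checksumPolicy>fail</checksumPolicy></releases>` so a checksum mismatch fails the build rather than the default warning. The comment could also state why the repository is needed, e.g. `<!-- OpenSAML 4 is not published to Maven Central; only org.opensaml / net.shibboleth artifacts are expected to resolve from here -->`, which is presumably the reason but is not stated in the diff. Whether a repository manager already fronts this build is not visible here.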
@@ -425,6 +439,22 @@
<artifactId>spring-security-kerberos-core</artifactId>
<version>1.0.1.RELEASE</version>
</dependency>
+ <!-- Override OpenSAML to version 4 for Spring Security SAML -->
+ <dependency>
+ <groupId>org.opensaml</groupId>
+ <artifactId>opensaml-core</artifactId>
+ <version>${org.opensaml.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.opensaml</groupId>
+ <artifactId>opensaml-saml-api</artifactId>
+ <version>${org.opensaml.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.opensaml</groupId>
+ <artifactId>opensaml-saml-impl</artifactId>
+ <version>${org.opensaml.version}</version>
+ </dependency>
<!-- Override xmlsec from spring-security-saml2-service-provider
-->
<dependency>
<groupId>org.apache.santuario</groupId>
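Review bot: Only `opensaml-core`, `opensaml-saml-api` and `opensaml-saml-impl` are pinned to `${org.opensaml.version}`, while the signature and credential handling OpenSAML ships in sibling modules (`opensaml-xmlsec-api`/`-impl`, `opensaml-security-api`/`-impl`, and others) arrives here only transitively, so whichever path nearest-wins resolution picks decides their version, and a mixed 3.x/4.3.0 tree would surface as runtime linkage errors in the SAML response validation path rather than at build time. I would verify with `mvn dependency:tree -Dincludes=org.opensaml` that a single version remains and, if a second one appears, manage every `org.opensaml` module at `${org.opensaml.version}` next to these three; a comment noting that this version must stay aligned with what `spring-security-saml2-service-provider` is built against would help the next upgrader. Which OpenSAML modules the Spring Security version in use pulls is not visible in this diff.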