Upgrade to Spring Security 5.4.0-SNAPSHOT

See gh-22668

Author: bclozel

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java

@@ -20,7 +20,6 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateKey;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
@@ -34,8 +33,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.Resource;
 import org.springframework.security.converter.RsaKeyConverters;
-import org.springframework.security.saml2.credentials.Saml2X509Credential;
-import org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType;
+import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
@@ -69,15 +67,19 @@ private RelyingPartyRegistration asRegistration(String id, Registration properti
 		boolean signRequest = properties.getIdentityprovider().getSinglesignon().isSignRequest();
 		validateSigningCredentials(properties, signRequest);
 		RelyingPartyRegistration.Builder builder = RelyingPartyRegistration.withRegistrationId(id);
-		builder.assertionConsumerServiceUrlTemplate(
+		builder.assertionConsumerServiceLocation(
 				"{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
-		builder.providerDetails(
-				(details) -> details.webSsoUrl(properties.getIdentityprovider().getSinglesignon().getUrl()));
-		builder.providerDetails((details) -> details.entityId(properties.getIdentityprovider().getEntityId()));
-		builder.providerDetails(
-				(details) -> details.binding(properties.getIdentityprovider().getSinglesignon().getBinding()));
-		builder.providerDetails((details) -> details.signAuthNRequest(signRequest));
-		builder.credentials((credentials) -> credentials.addAll(asCredentials(properties)));
+		builder.assertingPartyDetails((details) -> {
+			details.singleSignOnServiceLocation(properties.getIdentityprovider().getSinglesignon().getUrl());
+			details.entityId(properties.getIdentityprovider().getEntityId());
+			details.singleSignOnServiceBinding(properties.getIdentityprovider().getSinglesignon().getBinding());
+			details.wantAuthnRequestsSigned(signRequest);
+		});
+		builder.signingX509Credentials((credentials) -> properties.getSigning().getCredentials().stream()
+				.map(this::asSigningCredential).forEach(credentials::add));
+		builder.assertingPartyDetails((details) -> details
+				.verificationX509Credentials((credentials) -> properties.getIdentityprovider().getVerification()
+						.getCredentials().stream().map(this::asVerificationCredential).forEach(credentials::add)));
 		return builder.build();
 	}
 
@@ -88,25 +90,17 @@ private void validateSigningCredentials(Registration properties, boolean signReq
 		}
 	}
 
-	private List<Saml2X509Credential> asCredentials(Registration properties) {
-		List<Saml2X509Credential> credentials = new ArrayList<>();
-		properties.getSigning().getCredentials().stream().map(this::asSigningCredential).forEach(credentials::add);
-		properties.getIdentityprovider().getVerification().getCredentials().stream().map(this::asVerificationCredential)
-				.forEach(credentials::add);
-		return credentials;
-	}
-
 	private Saml2X509Credential asSigningCredential(Signing.Credential properties) {
 		RSAPrivateKey privateKey = readPrivateKey(properties.getPrivateKeyLocation());
 		X509Certificate certificate = readCertificate(properties.getCertificateLocation());
-		return new Saml2X509Credential(privateKey, certificate, Saml2X509CredentialType.SIGNING,
-				Saml2X509CredentialType.DECRYPTION);
+		return new Saml2X509Credential(privateKey, certificate, Saml2X509Credential.Saml2X509CredentialType.SIGNING,
+				Saml2X509Credential.Saml2X509CredentialType.DECRYPTION);
 	}
 
 	private Saml2X509Credential asVerificationCredential(Verification.Credential properties) {
 		X509Certificate certificate = readCertificate(properties.getCertificateLocation());
-		return new Saml2X509Credential(certificate, Saml2X509CredentialType.ENCRYPTION,
-				Saml2X509CredentialType.VERIFICATION);
+		return new Saml2X509Credential(certificate, Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION,
+				Saml2X509Credential.Saml2X509CredentialType.VERIFICATION);
 	}
 
 	private RSAPrivateKey readPrivateKey(Resource location) {

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java

@@ -105,7 +105,7 @@ void autoConfigurationUsingJwkSetUriShouldConfigureResourceServerUsingJwsAlgorit
 						"spring.security.oauth2.resourceserver.jwt.jws-algorithm=RS512")
 				.run((context) -> {
 					NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder = context.getBean(NimbusReactiveJwtDecoder.class);
-					assertThat(nimbusReactiveJwtDecoder).extracting("jwtProcessor.arg$2")
+					assertThat(nimbusReactiveJwtDecoder).extracting("jwtProcessor.arg$2.arg$1.jwsAlgs")
 							.matches((algorithms) -> ((Set<JWSAlgorithm>) algorithms).contains(JWSAlgorithm.RS512));
 				});
 	}

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java

@@ -98,7 +98,8 @@ void autoConfigurationShouldMatchDefaultJwsAlgorithm() {
 					JwtDecoder jwtDecoder = context.getBean(JwtDecoder.class);
 					Object processor = ReflectionTestUtils.getField(jwtDecoder, "jwtProcessor");
 					Object keySelector = ReflectionTestUtils.getField(processor, "jwsKeySelector");
-					assertThat(keySelector).hasFieldOrPropertyWithValue("jwsAlg", JWSAlgorithm.RS256);
+					assertThat(keySelector).hasFieldOrPropertyWithValue("jwsAlgs",
+							Collections.singleton(JWSAlgorithm.RS256));
 				});
 	}
 
@@ -111,7 +112,8 @@ void autoConfigurationShouldConfigureResourceServerWithJwsAlgorithm() {
 					JwtDecoder jwtDecoder = context.getBean(JwtDecoder.class);
 					Object processor = ReflectionTestUtils.getField(jwtDecoder, "jwtProcessor");
 					Object keySelector = ReflectionTestUtils.getField(processor, "jwsKeySelector");
-					assertThat(keySelector).hasFieldOrPropertyWithValue("jwsAlg", JWSAlgorithm.RS384);
+					assertThat(keySelector).hasFieldOrPropertyWithValue("jwsAlgs",
+							Collections.singleton(JWSAlgorithm.RS384));
 					assertThat(getBearerTokenFilter(context)).isNotNull();
 				});
 	}

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java

@@ -80,16 +80,18 @@ void relyingPartyRegistrationRepositoryBeanShouldBeCreatedWhenPropertiesPresent(
 		this.contextRunner.withPropertyValues(getPropertyValues()).run((context) -> {
 			RelyingPartyRegistrationRepository repository = context.getBean(RelyingPartyRegistrationRepository.class);
 			RelyingPartyRegistration registration = repository.findByRegistrationId("foo");
-			assertThat(registration.getProviderDetails().getWebSsoUrl())
+
+			assertThat(registration.getAssertingPartyDetails().getSingleSignOnServiceLocation())
 					.isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/SSOService.php");
-			assertThat(registration.getProviderDetails().getEntityId())
+			assertThat(registration.getAssertingPartyDetails().getEntityId())
 					.isEqualTo("https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php");
-			assertThat(registration.getAssertionConsumerServiceUrlTemplate())
+			assertThat(registration.getAssertionConsumerServiceLocation())
 					.isEqualTo("{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
-			assertThat(registration.getProviderDetails().getBinding()).isEqualTo(Saml2MessageBinding.POST);
-			assertThat(registration.getProviderDetails().isSignAuthNRequest()).isEqualTo(false);
-			assertThat(registration.getSigningCredentials()).isNotNull();
-			assertThat(registration.getVerificationCredentials()).isNotNull();
+			assertThat(registration.getAssertingPartyDetails().getSingleSignOnServiceBinding())
+					.isEqualTo(Saml2MessageBinding.POST);
+			assertThat(registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()).isEqualTo(false);
+			assertThat(registration.getSigningX509Credentials()).isNotNull();
+			assertThat(registration.getAssertingPartyDetails().getVerificationX509Credentials()).isNotNull();
 		});
 	}
 

spring-boot-project/spring-boot-dependencies/build.gradle

@@ -1616,7 +1616,7 @@ bom {
 			]
 		}
 	}
-	library("Spring Security", "5.4.0-M1") {
+	library("Spring Security", "5.4.0-SNAPSHOT") {
 		group("org.springframework.security") {
 			imports = [
 				"spring-security-bom"