Use Reflection to instantiate OpenSAML4 classes

marcusdacoregio · marcusdacoregio · commit 23903b5f18b3 · 2022-06-02T19:24:42.000+02:00
Because the OpenSAML4 classes are compiled using Java 11, we have to rely on reflection to instante those classes since the config module should be compatible with Java 8 Issue gh-10816
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
@@ -32,8 +32,6 @@
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
-import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
-import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationRequestFactory;
 import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
 import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationRequestFactory;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory;
@@ -55,6 +53,7 @@
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.ClassUtils;
 import org.springframework.util.StringUtils;
 
 /**
@@ -112,6 +111,8 @@
 public final class Saml2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		extends AbstractAuthenticationFilterConfigurer<B, Saml2LoginConfigurer<B>, Saml2WebSsoAuthenticationFilter> {
 
+	private static final String OPEN_SAML_4_VERSION = "4";
+
 	private String loginPage;
 
 	private String authenticationRequestUri = "/saml2/authenticate/{registrationId}";
@@ -320,11 +321,9 @@ private Saml2AuthenticationRequestFactory getAuthenticationRequestFactory(B http
 			return resolver;
 		}
 		if (version().startsWith("4")) {
-			return new OpenSaml4AuthenticationRequestFactory();
-		}
-		else {
-			return new OpenSamlAuthenticationRequestFactory();
+			return OpenSaml4LoginSupportFactory.getAuthenticationRequestFactory();
 		}
+		return new OpenSamlAuthenticationRequestFactory();
 	}
 
 	private Saml2AuthenticationRequestContextResolver getAuthenticationRequestContextResolver(B http) {
@@ -354,18 +353,9 @@ private AuthenticationConverter getAuthenticationConverter(B http) {
 		return authenticationConverterBean;
 	}
 
-	private String version() {
-		String version = Version.getVersion();
-		if (version != null) {
-			return version;
-		}
-		return Version.class.getModule().getDescriptor().version().map(Object::toString)
-				.orElseThrow(() -> new IllegalStateException("cannot determine OpenSAML version"));
-	}
-
 	private void registerDefaultAuthenticationProvider(B http) {
 		if (version().startsWith("4")) {
-			http.authenticationProvider(postProcess(new OpenSaml4AuthenticationProvider()));
+			http.authenticationProvider(postProcess(OpenSaml4LoginSupportFactory.getAuthenticationProvider()));
 		}
 		else {
 			http.authenticationProvider(postProcess(new OpenSamlAuthenticationProvider()));
@@ -415,6 +405,19 @@ private Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest>
 		return repository;
 	}
 
+	private String version() {
+		String version = Version.getVersion();
+		if (StringUtils.hasText(version)) {
+			return version;
+		}
+		boolean openSaml4ClassPresent = ClassUtils
+				.isPresent("org.opensaml.core.xml.persist.impl.PassthroughSourceStrategy", null);
+		if (openSaml4ClassPresent) {
+			return OPEN_SAML_4_VERSION;
+		}
+		throw new IllegalStateException("cannot determine OpenSAML version");
+	}
+
 	private <C> C getSharedOrBean(B http, Class<C> clazz) {
 		C shared = http.getSharedObject(clazz);
 		if (shared != null) {
@@ -442,4 +445,33 @@ private <C> void setSharedObject(B http, Class<C> clazz, C object) {
 		}
 	}
 
+	private static class OpenSaml4LoginSupportFactory {
+
+		private static Saml2AuthenticationRequestFactory getAuthenticationRequestFactory() {
+			try {
+				Class<?> authenticationRequestFactory = ClassUtils.forName(
+						"org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationRequestFactory",
+						OpenSaml4LoginSupportFactory.class.getClassLoader());
+				return (Saml2AuthenticationRequestFactory) authenticationRequestFactory.getDeclaredConstructor()
+						.newInstance();
+			}
+			catch (ReflectiveOperationException ex) {
+				throw new IllegalStateException("Could not instantiate OpenSaml4AuthenticationRequestFactory", ex);
+			}
+		}
+
+		private static AuthenticationProvider getAuthenticationProvider() {
+			try {
+				Class<?> authenticationProvider = ClassUtils.forName(
+						"org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider",
+						OpenSaml4LoginSupportFactory.class.getClassLoader());
+				return (AuthenticationProvider) authenticationProvider.getDeclaredConstructor().newInstance();
+			}
+			catch (ReflectiveOperationException ex) {
+				throw new IllegalStateException("Could not instantiate OpenSaml4AuthenticationProvider", ex);
+			}
+		}
+
+	}
+
 }
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,8 +47,6 @@
 import org.springframework.security.saml2.provider.service.web.authentication.logout.HttpSessionLogoutRequestRepository;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml3LogoutRequestResolver;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml3LogoutResponseResolver;
-import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutRequestResolver;
-import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutResponseResolver;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestRepository;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
@@ -67,6 +65,8 @@
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.ClassUtils;
+import org.springframework.util.StringUtils;
 
 /**
  * Adds SAML 2.0 logout support.
@@ -113,6 +113,8 @@
 public final class Saml2LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 		extends AbstractHttpConfigurer<Saml2LogoutConfigurer<H>, H> {
 
+	private static final String OPEN_SAML_4_VERSION = "4";
+
 	private ApplicationContext context;
 
 	private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
@@ -304,6 +306,19 @@ private Saml2LogoutResponseResolver createSaml2LogoutResponseResolver(
 		return this.logoutResponseConfigurer.logoutResponseResolver(relyingPartyRegistrationResolver);
 	}
 
+	private String version() {
+		String version = Version.getVersion();
+		if (StringUtils.hasText(version)) {
+			return version;
+		}
+		boolean openSaml4ClassPresent = ClassUtils
+				.isPresent("org.opensaml.core.xml.persist.impl.PassthroughSourceStrategy", null);
+		if (openSaml4ClassPresent) {
+			return OPEN_SAML_4_VERSION;
+		}
+		throw new IllegalStateException("cannot determine OpenSAML version");
+	}
+
 	private <C> C getBeanOrNull(Class<C> clazz) {
 		if (this.context == null) {
 			return null;
@@ -314,15 +329,6 @@ private <C> C getBeanOrNull(Class<C> clazz) {
 		return this.context.getBean(clazz);
 	}
 
-	private String version() {
-		String version = Version.getVersion();
-		if (version != null) {
-			return version;
-		}
-		return Version.class.getModule().getDescriptor().version().map(Object::toString)
-				.orElseThrow(() -> new IllegalStateException("cannot determine OpenSAML version"));
-	}
-
 	/**
 	 * A configurer for SAML 2.0 LogoutRequest components
 	 */
@@ -403,7 +409,7 @@ private Saml2LogoutRequestResolver logoutRequestResolver(
 				return this.logoutRequestResolver;
 			}
 			if (version().startsWith("4")) {
-				return new OpenSaml4LogoutRequestResolver(relyingPartyRegistrationResolver);
+				return OpenSaml4LogoutSupportFactory.getLogoutRequestResolver(relyingPartyRegistrationResolver);
 			}
 			return new OpenSaml3LogoutRequestResolver(relyingPartyRegistrationResolver);
 		}
@@ -471,13 +477,13 @@ private Saml2LogoutResponseValidator logoutResponseValidator() {
 
 		private Saml2LogoutResponseResolver logoutResponseResolver(
 				RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
-			if (this.logoutResponseResolver == null) {
-				if (version().startsWith("4")) {
-					return new OpenSaml4LogoutResponseResolver(relyingPartyRegistrationResolver);
-				}
-				return new OpenSaml3LogoutResponseResolver(relyingPartyRegistrationResolver);
+			if (this.logoutResponseResolver != null) {
+				return this.logoutResponseResolver;
 			}
-			return this.logoutResponseResolver;
+			if (version().startsWith("4")) {
+				return OpenSaml4LogoutSupportFactory.getLogoutResponseResolver(relyingPartyRegistrationResolver);
+			}
+			return new OpenSaml3LogoutResponseResolver(relyingPartyRegistrationResolver);
 		}
 
 	}
@@ -520,4 +526,38 @@ public void logout(HttpServletRequest request, HttpServletResponse response, Aut
 
 	}
 
+	private static class OpenSaml4LogoutSupportFactory {
+
+		private static Saml2LogoutResponseResolver getLogoutResponseResolver(
+				RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
+			try {
+				Class<?> logoutResponseResolver = ClassUtils.forName(
+						"org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutResponseResolver",
+						OpenSaml4LogoutSupportFactory.class.getClassLoader());
+				return (Saml2LogoutResponseResolver) logoutResponseResolver
+						.getDeclaredConstructor(RelyingPartyRegistrationResolver.class)
+						.newInstance(relyingPartyRegistrationResolver);
+			}
+			catch (ReflectiveOperationException ex) {
+				throw new IllegalStateException("Could not instantiate OpenSaml4LogoutResponseResolver", ex);
+			}
+		}
+
+		private static Saml2LogoutRequestResolver getLogoutRequestResolver(
+				RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
+			try {
+				Class<?> logoutRequestResolver = ClassUtils.forName(
+						"org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutRequestResolver",
+						OpenSaml4LogoutSupportFactory.class.getClassLoader());
+				return (Saml2LogoutRequestResolver) logoutRequestResolver
+						.getDeclaredConstructor(RelyingPartyRegistrationResolver.class)
+						.newInstance(relyingPartyRegistrationResolver);
+			}
+			catch (ReflectiveOperationException ex) {
+				throw new IllegalStateException("Could not instantiate OpenSaml4LogoutRequestResolver", ex);
+			}
+		}
+
+	}
+
 }
