XML namespace with saml2-login configuration fails using Java 8 and spring-security 5.8

[MichaelVetter]

Describe the bug
XML namespace with saml2-login configuration fails using Java 8 and spring-security 5.8.1:

"java.lang.UnsupportedClassVersionError: org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0"

With Spring Security 5.7.x it worked because the OpenSaml4* classes were compiled to Java 8 bytecode.

The problem is in these classes:
org.springframework.security.config.http.Saml2LoginBeanDefinitionParserUtils
org.springframework.security.config.http.Saml2LogoutBeanDefinitionParserUtils

They do not check the OpenSaml version like other spring-security classes that use OpenSaml4* classes, e.g.

static BeanDefinition createAuthenticationProvider() {
	return BeanDefinitionBuilder.rootBeanDefinition(
			"org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider")
			.getBeanDefinition();
}

To Reproduce
Use XML namespace with saml2-login configuration, Java 8 and spring-security 5.8.x.

Expected behavior
XML Namespace with saml2-login configuration should work using Java 8, OpenSaml 3 and spring-security 5.8

[jzheaux]

Thanks, @MichaelVetter, we'll take a look at making this change in the next point release.

[MichaelVetter]

Compilation to Java 8 bytecode would be the preferred solution because under certain conditions Websphere complains about classes with newer bytecode.