diff --git a/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java b/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java index d9285b8d..ac2ade2c 100644 --- a/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java +++ b/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java @@ -8,11 +8,14 @@ import java.security.PrivateKey; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.security.spec.PKCS8EncodedKeySpec; +import java.util.UUID; import org.bouncycastle.util.io.pem.PemReader; +import org.opensaml.saml.common.SAMLVersion; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.core.AuthnContextClassRef; import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml.saml2.core.AuthnRequest; import org.opensaml.saml.saml2.core.RequestedAuthnContext; import org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder; import org.opensaml.saml.saml2.core.impl.RequestedAuthnContextBuilder; @@ -256,41 +259,45 @@ public class SecurityConfig { return new InMemoryRelyingPartyRegistrationRepository(registration); } - @Bean - public Saml2AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository registrations) { - RelyingPartyRegistrationResolver registrationResolver = new DefaultRelyingPartyRegistrationResolver(registrations); - OpenSaml4AuthenticationRequestResolver authenticationRequestResolver = new OpenSaml4AuthenticationRequestResolver(registrationResolver); - // Customize and log the AuthnRequest after setting the context - authenticationRequestResolver.setAuthnRequestCustomizer((context) -> { - context.getAuthnRequest().setRequestedAuthnContext(buildRequestedAuthnContext()); - - // Log the SAML AuthnRequest after setting the authentication context - String samlRequest = SamlRequestLogger.convertSAMLObjectToString(context.getAuthnRequest()); - logger.info("SAML AuthnRequest after setting context: " + samlRequest); - }); +@Bean +public Saml2AuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistrationRepository registrations) { + RelyingPartyRegistrationResolver registrationResolver = new DefaultRelyingPartyRegistrationResolver(registrations); + OpenSaml4AuthenticationRequestResolver authenticationRequestResolver = new OpenSaml4AuthenticationRequestResolver(registrationResolver); - return authenticationRequestResolver; - } + authenticationRequestResolver.setAuthnRequestCustomizer((context) -> { + // Set the required attributes + AuthnRequest authnRequest = context.getAuthnRequest(); + authnRequest.setID("_" + UUID.randomUUID().toString()); // Add a unique ID + authnRequest.setVersion(SAMLVersion.VERSION_20); // Ensure version is 2.0 + authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI); // HTTP-POST + // Set Authentication Context + authnRequest.setRequestedAuthnContext(buildRequestedAuthnContext()); - private RequestedAuthnContext buildRequestedAuthnContext() { - AuthnContextClassRefBuilder authnContextClassRefBuilder = new AuthnContextClassRefBuilder(); - AuthnContextClassRef authnContextClassRef = authnContextClassRefBuilder.buildObject( - SAMLConstants.SAML20_NS, AuthnContextClassRef.DEFAULT_ELEMENT_LOCAL_NAME, SAMLConstants.SAML20_PREFIX - ); - - // Set the SPID Level 2 authentication context - authnContextClassRef.setURI("urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword"); + // Log the SAML AuthnRequest after setting context + String samlRequest = SamlRequestLogger.convertSAMLObjectToString(authnRequest); + logger.info("SAML AuthnRequest after setting context: " + samlRequest); + }); - RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder(); - RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject(); - requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT); - requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef); + return authenticationRequestResolver; +} - return requestedAuthnContext; - } - +private RequestedAuthnContext buildRequestedAuthnContext() { + AuthnContextClassRefBuilder authnContextClassRefBuilder = new AuthnContextClassRefBuilder(); + AuthnContextClassRef authnContextClassRef = authnContextClassRefBuilder.buildObject( + SAMLConstants.SAML20_NS, AuthnContextClassRef.DEFAULT_ELEMENT_LOCAL_NAME, SAMLConstants.SAML20_PREFIX + ); + // Set the SPID Level 2 authentication context + authnContextClassRef.setURI("urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword"); + + RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder(); + RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject(); + requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT); + requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef); + + return requestedAuthnContext; +} public PrivateKey readPrivateKey() throws Exception { // Path to your private key PEM file