Add ResponseValidator

Issue gh-14264
Closes gh-16915
This commit is contained in:
Josh Cummings
2025-04-09 14:24:00 -06:00
parent 47e1fc045f
commit 3e686abf50
4 changed files with 179 additions and 7 deletions


@@ -359,6 +359,30 @@ provider.setResponseValidator((responseToken) -> {
});
----
When using `OpenSaml5AuthenticationProvider`, you can do the same with less boilerplate:
[source,java]
----
OpenSaml5AuthenticationProvider provider = new OpenSaml5AuthenticationProvider();
ResponseValidator responseValidator = ResponseValidator.withDefaults(myCustomValidator);
provider.setResponseValidator(responseValidator);
----
You can also customize which validation steps Spring Security should do.
For example, if you want to skip `Response#InResponseTo` validation, you can call ``ResponseValidator``'s constructor, excluding `InResponseToValidator` from the list:
[source,java]
----
OpenSaml5AuthenticationProvider provider = new OpenSaml5AuthenticationProvider();
ResponseValidator responseValidator = new ResponseValidator(new DestinationValidator(), new IssuerValidator());
provider.setResponseValidator(responseValidator);
----
[TIP]
====
OpenSAML performs `Asssertion#InResponseTo` validation in its `BearerSubjectConfirmationValidator` class, which is configurable using <<_performing_additional_assertion_validation, setAssertionValidator>>.
====
== Performing Additional Assertion Validation
`OpenSaml4AuthenticationProvider` performs minimal validation on SAML 2.0 Assertions.
After verifying the signature, it will:
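Review bot: the TIP block has a typo, `Asssertion#InResponseTo` (three s's) should read `Assertion#InResponseTo`, so it matches the `Response#InResponseTo` spelling used a few lines above. Two smaller documentation points in the same hunk: the sentence "you can do the same with less boilerplate" leaves it ambiguous whether `ResponseValidator.withDefaults(myCustomValidator)` appends `myCustomValidator` to the default validators or replaces them, and one clause stating which would save readers a trip to the source. The second example, which builds `new ResponseValidator(new DestinationValidator(), new IssuerValidator())` to drop `InResponseToValidator`, would benefit from one sentence on what is given up: without it the response is no longer matched against an `AuthnRequest` the application issued, so it is worth saying explicitly that this is appropriate only for IdP-initiated flows and that the assertion-level check the TIP mentions (`BearerSubjectConfirmationValidator`, configured via `setAssertionValidator`) is independent and still needs to be kept for the assertion.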