This is an automated email from the ASF dual-hosted git repository. pvillard pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push: new 8ebecdc3ab NIFI-11554 Upgraded OpenSAML from 3.4.6 to 4.3.0 8ebecdc3ab is described below commit 8ebecdc3abf8a42fe08c6d4fca0d6abe5ad83808 Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Mon May 15 21:40:56 2023 -0500 NIFI-11554 Upgraded OpenSAML from 3.4.6 to 4.3.0 - Added Shibboleth repository for OpenSAML - Replaced deprecated OpenSAML 3 Spring Security components with OpenSAML 4 Signed-off-by: Pierre Villard <pierre.villard...@gmail.com> This closes #7251.
---
 .../SamlAuthenticationSecurityConfiguration.java | 40 ++++++++++------------
 .../StandardSaml2CredentialProvider.java | 2 +-
 .../ResponseAuthenticationConverter.java | 7 ++--
 nifi-nar-bundles/nifi-framework-bundle/pom.xml | 30 ++++++++++++++++
 4 files changed, 52 insertions(+), 27 deletions(-)
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
index 097e6a68ab..8cc90d370c 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
@@ -45,7 +45,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
-import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
+import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
 import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutRequestValidator;
 import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutResponseValidator;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
@@ -55,16 +55,16 @@ import org.springframework.security.saml2.provider.service.metadata.Saml2Metadat
 import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
-import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter;
+import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
+import org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
 import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
-import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml3AuthenticationRequestResolver;
+import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
 import org.springframework.security.saml2.provider.service.web.authentication.Saml2AuthenticationRequestResolver;
-import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml3LogoutRequestResolver;
-import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml3LogoutResponseResolver;
+import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutRequestResolver;
+import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutResponseResolver;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestFilter;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestRepository;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
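Review bot: The relocated `Saml2WebSsoAuthenticationFilter` and `Saml2WebSsoAuthenticationRequestFilter` imports keep the slot of the removed `servlet.filter` lines instead of their alphabetical place, so `...web.authentication.Saml2WebSsoAuthenticationFilter` now sits ahead of `...web.RelyingPartyRegistrationResolver`. Moving `Saml2WebSsoAuthenticationRequestFilter` below `Saml2MetadataFilter` and `Saml2WebSsoAuthenticationFilter` below `Saml2AuthenticationRequestResolver` keeps this block sorted like the rest of the file. Cosmetic only; nothing here changes behaviour.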
@@ -218,26 +218,24 @@ public class SamlAuthenticationSecurityConfiguration {
     /**
      * Spring Security OpenSAML Authentication Provider for processing SAML 2 login responses
      *
-     * @return OpenSAML 3 Authentication Provider required for compatibility with Java 8
+     * @return OpenSAML 4 Authentication Provider compatible with Java 11
      */
-    @SuppressWarnings("deprecation")
     @Bean
-    public OpenSamlAuthenticationProvider openSamlAuthenticationProvider() {
-        final OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
+    public OpenSaml4AuthenticationProvider openSamlAuthenticationProvider() {
+        final OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
         final ResponseAuthenticationConverter responseAuthenticationConverter = new ResponseAuthenticationConverter(properties.getSamlGroupAttributeName());
         provider.setResponseAuthenticationConverter(responseAuthenticationConverter);
         return provider;
     }
 
     /**
-     * Spring Security SAML 2 Authentication Request Resolver uses OpenSAML 3 for compatibility with Java 8
+     * Spring Security SAML 2 Authentication Request Resolver uses OpenSAML 4
      *
-     * @return OpenSAML 3 version of SAML 2 Authentication Request Resolver
+     * @return OpenSAML 4 version of SAML 2 Authentication Request Resolver
      */
-    @SuppressWarnings("deprecation")
     @Bean
     public Saml2AuthenticationRequestResolver saml2AuthenticationRequestResolver() {
-        return new OpenSaml3AuthenticationRequestResolver(relyingPartyRegistrationResolver());
+        return new OpenSaml4AuthenticationRequestResolver(relyingPartyRegistrationResolver());
     }
 
     /**
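Review bot: `openSamlAuthenticationProvider()` is the only bean in this hunk declared with its concrete type, `OpenSaml4AuthenticationProvider`, while `saml2AuthenticationRequestResolver()` and the logout resolvers in the next hunk return the Spring interface. Unless another configuration injects the concrete class, declaring the bean as `AuthenticationProvider` (an import would be needed) keeps its signature stable across the next OpenSAML-specific rename. The Javadoc `@return OpenSAML 4 Authentication Provider compatible with Java 11` reads as a hedge; `@return OpenSAML 4 Authentication Provider, which requires Java 11 or later` states the reason the OpenSAML 3 variant was dropped.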
@@ -261,25 +259,23 @@ public class SamlAuthenticationSecurityConfiguration {
     }
 
     /**
-     * Spring Security SAML 2 Logout Request Resolver uses OpenSAML 3 for compatibility with Java 8
+     * Spring Security SAML 2 Logout Request Resolver uses OpenSAML 4
      *
-     * @return OpenSAML 3 version of SAML 2 Logout Request Resolver
+     * @return OpenSAML 4 version of SAML 2 Logout Request Resolver
      */
-    @SuppressWarnings("deprecation")
     @Bean
     public Saml2LogoutRequestResolver saml2LogoutRequestResolver() {
-        return new OpenSaml3LogoutRequestResolver(relyingPartyRegistrationResolver());
+        return new OpenSaml4LogoutRequestResolver(relyingPartyRegistrationResolver());
     }
 
     /**
-     * Spring Security SAML 2 Logout Response Resolver uses OpenSAML 3 for compatibility with Java 8
+     * Spring Security SAML 2 Logout Response Resolver uses OpenSAML 4
      *
-     * @return OpenSAML 3 version of SAML 2 Logout Response Resolver
+     * @return OpenSAML 4 version of SAML 2 Logout Response Resolver
      */
-    @SuppressWarnings("deprecation")
     @Bean
     public Saml2LogoutResponseResolver saml2LogoutResponseResolver() {
-        return new OpenSaml3LogoutResponseResolver(relyingPartyRegistrationResolver());
+        return new OpenSaml4LogoutResponseResolver(relyingPartyRegistrationResolver());
     }
 
     /**
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/registration/StandardSaml2CredentialProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/registration/StandardSaml2CredentialProvider.java
index 64b7179ca8..c39a5899db 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/registration/StandardSaml2CredentialProvider.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/registration/StandardSaml2CredentialProvider.java
@@ -70,7 +70,7 @@ public class StandardSaml2CredentialProvider implements Saml2CredentialProvider
         try {
             return keyStore.getKey(alias, keyPassword);
         } catch (final GeneralSecurityException e) {
-            throw new Saml2Exception(String.format("Loading Key [%s] failed", alias));
+            throw new Saml2Exception(String.format("Loading Key [%s] failed", alias), e);
         }
     }
 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/service/authentication/ResponseAuthenticationConverter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/service/authentication/ResponseAuthenticationConverter.java
index f2a8e8e95a..f3a38d8ac7 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/service/authentication/ResponseAuthenticationConverter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/saml2/service/authentication/ResponseAuthenticationConverter.java
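Review bot: Chaining `e` is the right fix, but `keyStore.getKey(alias, keyPassword)` returns null rather than throwing when `alias` is absent from the store or is not a key entry, so a mistyped alias still passes this catch and surfaces later as a NullPointerException far from the configuration that caused it. A null check beside the catch, `final Key key = keyStore.getKey(alias, keyPassword); if (key == null) { throw new Saml2Exception(String.format("Key [%s] not found", alias)); } return key;`, keeps the failure where the message names the alias. The enclosing method starts outside the hunk, so whether a caller already handles a null return cannot be seen here.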
@@ -24,8 +24,8 @@ import org.opensaml.saml.saml2.core.Assertion;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider;
-import org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken;
+import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
+import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
 
@@ -39,8 +39,7 @@ import java.util.stream.Collectors;
  * Converter from SAML 2 Response Token to SAML 2 Authentication for Spring Security
  */
 public class ResponseAuthenticationConverter implements Converter<ResponseToken, Saml2Authentication> {
-    @SuppressWarnings("deprecation")
-    private static final Converter<ResponseToken, Saml2Authentication> defaultConverter = OpenSamlAuthenticationProvider.createDefaultResponseAuthenticationConverter();
+    private static final Converter<ResponseToken, Saml2Authentication> defaultConverter = OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();
 
     private final String groupAttributeName;
 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/pom.xml
index 02231958af..e0114b5d11 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/pom.xml
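Review bot: `defaultConverter` is a `private static final` constant, and Java convention spells such fields `DEFAULT_CONVERTER`; since this line is being rewritten anyway, renaming it costs nothing and the uses are confined to this class. The class body continues outside the hunk, so those uses are not visible here. If the project deliberately keeps non-primitive statics in lowerCamelCase, leave it as is.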
@@ -25,6 +25,7 @@
     <properties>
         <curator.version>5.5.0</curator.version>
         <tika.version>2.8.0</tika.version>
+        <org.opensaml.version>4.3.0</org.opensaml.version>
     </properties>
     <modules>
         <module>nifi-framework</module>
@@ -33,6 +34,19 @@
         <module>nifi-headless-server-nar</module>
         <module>nifi-framework-external-resource-utils</module>
     </modules>
+    <repositories>
+        <!-- Shibboleth Repository required for OpenSAML -->
+        <repository>
+            <id>shibboleth</id>
+            <url>https://build.shibboleth.net/nexus/content/repositories/releases/</url>
+            <releases>
+                <enabled>true</enabled>
+            </releases>
+            <snapshots>
+                <enabled>false</enabled>
+            </snapshots>
+        </repository>
+    </repositories>
     <dependencyManagement>
         <dependencies>
             <dependency>
@@ -425,6 +439,22 @@
                 <artifactId>spring-security-kerberos-core</artifactId>
                 <version>1.0.1.RELEASE</version>
             </dependency>
+            <!-- Override OpenSAML to version 4 for Spring Security SAML -->
+            <dependency>
+                <groupId>org.opensaml</groupId>
+                <artifactId>opensaml-core</artifactId>
+                <version>${org.opensaml.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.opensaml</groupId>
+                <artifactId>opensaml-saml-api</artifactId>
+                <version>${org.opensaml.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.opensaml</groupId>
+                <artifactId>opensaml-saml-impl</artifactId>
+                <version>${org.opensaml.version}</version>
+            </dependency>
             <!-- Override xmlsec from spring-security-saml2-service-provider -->
             <dependency>
                 <groupId>org.apache.santuario</groupId>
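Review bot: The new `<repositories>` entry is not scoped to the OpenSAML artifacts; Maven consults every declared repository for any artifact it cannot find earlier in the search order, so a pom-level Shibboleth repository becomes a resolution source for every dependency of this bundle and of each module that inherits this pom. The entry already restricts itself to releases over HTTPS, which covers much of the risk; adding `<checksumPolicy>fail</checksumPolicy>` inside `<releases>` turns a corrupted or truncated download into a hard failure instead of a warning. Where the project builds through a repository manager, mirroring Shibboleth there and keeping this entry only for standalone builds is the usual arrangement.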
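Review bot: Only `opensaml-core`, `opensaml-saml-api` and `opensaml-saml-impl` are pinned to `${org.opensaml.version}` in the last hunk, while the other OpenSAML modules (`opensaml-xmlsec-*`, `opensaml-security-*`, `opensaml-messaging-*`, `opensaml-profile-*`, `opensaml-soap-*`, `opensaml-storage-*`) arrive transitively; if `spring-security-saml2-service-provider` still declares any of them at 3.4.6, Maven's nearest-wins resolution can leave a 3.x/4.x mix on the classpath that fails only at runtime. Worth confirming with `mvn dependency:tree -Dincludes=org.opensaml` that every `org.opensaml` artifact resolves to 4.3.0, or pinning the full set here. The `<!-- Override xmlsec from spring-security-saml2-service-provider -->` block that follows suggests the same class of problem was handled before for Santuario.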