Merge branch 'master' into show-error-in-jsp

.github/workflows/maven.yml

@@ -3,7 +3,7 @@
 
 name: java-saml CI with Maven
 
-on: [push, pull_request]
+on: [push, pull_request, workflow_dispatch]
 
 jobs:
   test:

core/pom.xml

@@ -3,11 +3,11 @@
 	<parent>
 		<groupId>com.onelogin</groupId>
 		<artifactId>java-saml-toolkit</artifactId>
-		<version>2.7.1-SNAPSHOT</version>
+		<version>2.9.1-SNAPSHOT</version>
 	</parent>
 
 	<packaging>jar</packaging>
-	<name>OneLogin java-saml Toolkit Core</name>
+	<name>java-saml Toolkit Core</name>
 	<artifactId>java-saml-core</artifactId>
 
 	<dependencies>
@@ -44,13 +44,6 @@
 			<optional>true</optional>
 		</dependency>
 
-		<!-- date and time library for Java -->
-		<dependency>
-			<groupId>joda-time</groupId>
-			<artifactId>joda-time</artifactId>
-			<version>2.10.6</version>
-		</dependency>
-
 		<!-- commons -->
 		<dependency>
 			<groupId>org.apache.commons</groupId>
@@ -60,7 +53,7 @@
 		<dependency>
 			<groupId>org.apache.santuario</groupId>
 			<artifactId>xmlsec</artifactId>
-			<version>2.2.2</version>
+			<version>2.3.0</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-codec</groupId>
@@ -72,13 +65,19 @@
 		<dependency>
 			<groupId>com.azure</groupId>
 			<artifactId>azure-security-keyvault-keys</artifactId>
-			<version>4.3.0</version>
+			<version>4.3.4</version>
+			<optional>true</optional>
+		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-databind</artifactId>
+			<version>2.13.4.2</version>
 			<optional>true</optional>
 		</dependency>
 		<dependency>
 			<groupId>com.azure</groupId>
 			<artifactId>azure-identity</artifactId>
-			<version>1.3.3</version>
+			<version>1.3.7</version>
 			<optional>true</optional>
 		</dependency>
 	</dependencies>
@@ -88,7 +87,7 @@
 			<plugin>
 				<groupId>org.jacoco</groupId>
 				<artifactId>jacoco-maven-plugin</artifactId>
-				<version>0.8.6</version>
+				<version>0.8.7</version>
 				<configuration>
 					<propertyName>jacoco.agent.argLine</propertyName>
 				</configuration>
@@ -118,7 +117,7 @@
 				<artifactId>maven-surefire-plugin</artifactId>
 				<version>2.22.2</version>
 				<configuration>
-                                        <encoding>${project.build.sourceEncoding}</encoding>
+                    <encoding>${project.build.sourceEncoding}</encoding>
 					<inputEncoding>${project.build.sourceEncoding}</inputEncoding>
 					<outputEncoding>${project.build.sourceEncoding}</outputEncoding>
 					<argLine>${jacoco.agent.argLine} -Dfile.encoding=${project.build.sourceEncoding} -Dline.separator=\n</argLine>

core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java

@@ -17,7 +17,7 @@
 import com.onelogin.saml2.util.Util;
 
 /**
- * AuthNRequest class of OneLogin's Java Toolkit.
+ * AuthNRequest class of Java Toolkit.
  *
  * A class that implements SAML 2 Authentication Request
  */
@@ -79,7 +79,7 @@ public AuthnRequest(Saml2Settings settings) {
 	public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq) {
 		this(settings, new AuthnRequestParams(forceAuthn, isPassive, setNameIdPolicy, nameIdValueReq));
 	}
-	
+
 	/**
 	 * Constructs the AuthnRequest object.
 	 *
@@ -126,7 +126,7 @@ public AuthnRequest(Saml2Settings settings, AuthnRequestParams params) {
 	 * This method is invoked at construction time, after all the other fields of
 	 * this class have already been initialised. Its default implementation simply
 	 * returns the input XML as-is, with no change.
-	 * 
+	 *
 	 * @param authnRequestXml
 	 *              the XML produced for this AuthnRequest by the standard
 	 *              implementation provided by {@link AuthnRequest}
@@ -144,10 +144,10 @@ protected String postProcessXml(final String authnRequestXml, final AuthnRequest
 	/**
 	 * @return the base64 encoded unsigned AuthnRequest (deflated or not)
 	 *
-	 * @param deflated 
+	 * @param deflated
      *				If deflated or not the encoded AuthnRequest
      *
-	 * @throws IOException 
+	 * @throws IOException
 	 */
 	public String getEncodedAuthnRequest(Boolean deflated) throws IOException {
 		String encodedAuthnRequest;
@@ -161,18 +161,18 @@ public String getEncodedAuthnRequest(Boolean deflated) throws IOException {
 		}
 		return encodedAuthnRequest;
 	}
-	
+
 	/**
 	 * @return base64 encoded, unsigned AuthnRequest (deflated or not)
-	 * 
-	 * @throws IOException 
+	 *
+	 * @throws IOException
 	 */
 	public String getEncodedAuthnRequest() throws IOException {
 		return getEncodedAuthnRequest(null);
 	}
 
 	/**
-	 * @return unsigned plain-text AuthnRequest. 
+	 * @return unsigned plain-text AuthnRequest.
 	 */
 	public String getAuthnRequestXml() {
 		return authnRequestString;
@@ -185,9 +185,9 @@ public String getAuthnRequestXml() {
 	 *              the authentication request input parameters
 	 * @param settings
 	 * 				Saml2Settings object. Setting data
-	 * 
-	 * @return the StrSubstitutor object of the AuthnRequest 
-	 */ 
+	 *
+	 * @return the StrSubstitutor object of the AuthnRequest
+	 */
 	private StrSubstitutor generateSubstitutor(AuthnRequestParams params, Saml2Settings settings) {
 
 		Map<String, String> valueMap = new HashMap<String, String>();
@@ -229,7 +229,11 @@ private StrSubstitutor generateSubstitutor(AuthnRequestParams params, Saml2Setti
 			if (settings.getWantNameIdEncrypted()) {
 				nameIDPolicyFormat = Constants.NAMEID_ENCRYPTED;
 			}
-			nameIDPolicyStr = "<samlp:NameIDPolicy Format=\"" + Util.toXml(nameIDPolicyFormat) + "\" AllowCreate=\"true\" />";
+			String allowCreateStr = "";
+			if (params.isAllowCreate()) {
+				allowCreateStr = " AllowCreate=\"true\"";
+			}
+			nameIDPolicyStr = "<samlp:NameIDPolicy Format=\"" + Util.toXml(nameIDPolicyFormat) + "\"" + allowCreateStr + " />";
 		}
 		valueMap.put("nameIDPolicyStr", nameIDPolicyStr);
 
@@ -238,7 +242,7 @@ private StrSubstitutor generateSubstitutor(AuthnRequestParams params, Saml2Setti
 		if (organization != null) {
 			String displayName = organization.getOrgDisplayName();
 			if (!displayName.isEmpty()) {
-				providerStr = " ProviderName=\""+ Util.toXml(displayName) + "\""; 
+				providerStr = " ProviderName=\""+ Util.toXml(displayName) + "\"";
 			}
 		}
 		valueMap.put("providerStr", providerStr);
@@ -284,10 +288,10 @@ public String getId()
 	{
 		return id;
 	}
-	
+
 	/**
 	 * Returns the issue instant of this message.
-	 * 
+	 *
 	 * @return a new {@link Calendar} instance carrying the issue instant of this message
 	 */
 	public Calendar getIssueInstant() {

core/src/main/java/com/onelogin/saml2/authn/AuthnRequestParams.java

@@ -14,9 +14,14 @@ public class AuthnRequestParams {
 	 */
 	private final boolean isPassive;
 	/**
-	 * When true the AuthNReuqest will set a nameIdPolicy
+	 * When true the AuthNRequest will set a nameIdPolicy
 	 */
 	private final boolean setNameIdPolicy;
+	/**
+	 * When true and {@link #setNameIdPolicy} is also <code>true</code>, then the
+	 * AllowCreate='true' will be set on the NameIDPolicy element
+	 */
+	private final boolean allowCreate;
 	/**
 	 * Indicates to the IdP the subject that should be authenticated
 	 */
@@ -29,13 +34,34 @@ public class AuthnRequestParams {
 	 *              whether the <code>ForceAuthn</code> attribute should be set to
 	 *              <code>true</code>
 	 * @param isPassive
-	 *              whether the <code>isPassive</code> attribute should be set to
+	 *              whether the <code>IsPassive</code> attribute should be set to
 	 *              <code>true</code>
 	 * @param setNameIdPolicy
 	 *              whether a <code>NameIDPolicy</code> should be set
 	 */
 	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy) {
-		this(forceAuthn, isPassive, setNameIdPolicy, null);
+		this(forceAuthn, isPassive, setNameIdPolicy, true);
+	}
+
+	/**
+	 * Create a set of authentication request input parameters.
+	 *
+	 * @param forceAuthn
+	 *              whether the <code>ForceAuthn</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param isPassive
+	 *              whether the <code>IsPassive</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param setNameIdPolicy
+	 *              whether a <code>NameIDPolicy</code> should be set
+	 * @param allowCreate
+	 *              whether the <code>AllowCreate</code> attribute should be set to
+	 *              <code>true</code> on the <code>NameIDPolicy</code> element; only
+	 *              meaningful if <code>setNameIdPolicy</code> is also
+	 *              <code>true</code>
+	 */
+	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, boolean allowCreate) {
+		this(forceAuthn, isPassive, setNameIdPolicy, allowCreate, null);
 	}
 
 	/**
@@ -45,17 +71,42 @@ public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setName
 	 *              whether the <code>ForceAuthn</code> attribute should be set to
 	 *              <code>true</code>
 	 * @param isPassive
-	 *              whether the <code>isPassive</code> attribute should be set to
+	 *              whether the <code>IsPassive</code> attribute should be set to
 	 *              <code>true</code>
 	 * @param setNameIdPolicy
 	 *              whether a <code>NameIDPolicy</code> should be set
 	 * @param nameIdValueReq
 	 *              the subject that should be authenticated
 	 */
 	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq) {
+		this(forceAuthn, isPassive, setNameIdPolicy, true, nameIdValueReq);
+	}
+
+	/**
+	 * Create a set of authentication request input parameters.
+	 *
+	 * @param forceAuthn
+	 *              whether the <code>ForceAuthn</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param isPassive
+	 *              whether the <code>IsPassive</code> attribute should be set to
+	 *              <code>true</code>
+	 * @param setNameIdPolicy
+	 *              whether a <code>NameIDPolicy</code> should be set
+	 * @param allowCreate
+	 *              the value to set for the <code>allowCreate</code> attribute of
+	 *              <code>NameIDPolicy</code> element; <code>null</code> means it's
+	 *              not set at all; only meaningful when
+	 *              <code>setNameIdPolicy</code> is <code>true</code>
+	 * @param nameIdValueReq
+	 *              the subject that should be authenticated
+	 */
+	public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, boolean allowCreate,
+	            String nameIdValueReq) {
 		this.forceAuthn = forceAuthn;
 		this.isPassive = isPassive;
 		this.setNameIdPolicy = setNameIdPolicy;
+		this.allowCreate = allowCreate;
 		this.nameIdValueReq = nameIdValueReq;
 	}
 
@@ -70,36 +121,46 @@ protected AuthnRequestParams(AuthnRequestParams source) {
 		this.forceAuthn = source.isForceAuthn();
 		this.isPassive = source.isPassive();
 		this.setNameIdPolicy = source.isSetNameIdPolicy();
+		this.allowCreate = source.isAllowCreate();
 		this.nameIdValueReq = source.getNameIdValueReq();
 	}
 
 	/**
 	 * @return whether the <code>ForceAuthn</code> attribute should be set to
 	 *         <code>true</code>
 	 */
-	protected boolean isForceAuthn() {
+	public boolean isForceAuthn() {
 		return forceAuthn;
 	}
 
 	/**
-	 * @return whether the <code>isPassive</code> attribute should be set to
+	 * @return whether the <code>IsPassive</code> attribute should be set to
 	 *         <code>true</code>
 	 */
-	protected boolean isPassive() {
+	public boolean isPassive() {
 		return isPassive;
 	}
 
 	/**
 	 * @return whether a <code>NameIDPolicy</code> should be set
 	 */
-	protected boolean isSetNameIdPolicy() {
+	public boolean isSetNameIdPolicy() {
 		return setNameIdPolicy;
 	}
 
+	/**
+	 * @return whether the <code>AllowCreate</code> attribute should be set to
+	 *         <code>true</code> on the <code>NameIDPolicy</code> element (only
+	 *         meaningful if {@link #isSetNameIdPolicy()} is also <code>true</code>)
+	 */
+	public boolean isAllowCreate() {
+		return allowCreate;
+	}
+
 	/**
 	 * @return the subject that should be authenticated
 	 */
-	protected String getNameIdValueReq() {
+	public String getNameIdValueReq() {
 		return nameIdValueReq;
 	}
 }