Remove GET request support from Saml2AuthenticationTokenConverter #17099

Open
jzheaux opened this issue May 13, 2025 · 0 comments

Labels
in: saml2 An issue in SAML2 modules status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: enhancement A general enhancement

Comments

jzheaux commented May 13, 2025

Saml2AuthenticationTokenConverter tests whether the HTTP method is GET in order to correctly translate the SAMLResponse parameter.

However, neither the SAML spec nor Spring Security supports processing the <saml2:Response> in a GET request. As such, we should remove this to alleviate confusion.

To keep the upgrade passive, the first step is to add a property that defaults to true:

```java
public void setShouldInflateResponse(boolean shouldInflate);
```

In Spring Security 8, this can be deprecated and switched to false, then in Spring Security 9 it can be removed.

  • Add setShouldInflateResponse
  • Deprecate setShouldInflateResponse
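The distinction the issue turns on is the encoding of the SAMLResponse parameter: the HTTP-POST binding carries plain base64 of the XML, while the HTTP-Redirect binding (the GET case) carries raw DEFLATE output that is then base64-encoded, so a converter that keys on the request method has to inflate on GET and must not on POST. The following is an added Python illustration of that method-dependent decoding and of what the proposed `setShouldInflateResponse` toggle changes; it is not Spring Security's code, and the function names (`decode_saml_response`, `decodes_cleanly`, `encode_for_post`, `encode_for_redirect`), the `should_inflate` parameter and the sample `SAMPLE_RESPONSE` document are all constructed for this example. It assumes the servlet container has already URL-decoded the parameter.

```python
import base64
import binascii
import zlib

# Constructed sample document for this example; not output from any real IdP.
SAMPLE_RESPONSE = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-response" Version="2.0" IssueInstant="2025-05-13T00:00:00Z">'
    '<saml2p:Status><saml2p:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>'
    '</saml2p:Response>'
)


def encode_for_post(xml: str) -> str:
    """HTTP-POST binding: the SAMLResponse form field is plain base64 of the XML."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_for_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header or trailer), then base64.

    Shown only to produce GET-style input for the decoder below.
    """
    compressor = zlib.compressobj(level=9, wbits=-15)  # wbits=-15 selects raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_saml_response(method: str, saml_response: str, should_inflate: bool = True) -> str:
    """Decode a SAMLResponse parameter the way a converter keyed on the HTTP method would.

    should_inflate models the proposed setShouldInflateResponse property (an assumption
    about its semantics, not Spring Security's implementation):
      True  -> on GET, base64-decode and then inflate (the behaviour the issue describes)
      False -> treat GET like POST: base64-decode only
    """
    try:
        raw = base64.b64decode(saml_response, validate=True)
    except (ValueError, binascii.Error) as exc:
        raise ValueError("SAMLResponse is not valid base64") from exc
    if should_inflate and method.upper() == "GET":
        try:
            raw = zlib.decompress(raw, wbits=-15)
        except zlib.error as exc:
            # POST-style (plain base64) data arriving on GET lands here: the inflate
            # step forced by the method check fails on bytes that were never deflated.
            raise ValueError("SAMLResponse on GET was not DEFLATE-encoded") from exc
    return raw.decode("utf-8")


def decodes_cleanly(method: str, saml_response: str, should_inflate: bool = True) -> bool:
    """True if decode_saml_response accepts the parameter, False if it rejects it."""
    try:
        decode_saml_response(method, saml_response, should_inflate)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    post_param = encode_for_post(SAMPLE_RESPONSE)
    redirect_param = encode_for_redirect(SAMPLE_RESPONSE)
    cases = [
        ("POST", post_param, True),       # normal POST binding: accepted
        ("GET", redirect_param, True),    # redirect-style encoding on GET: accepted
        ("GET", post_param, True),        # POST-style encoding on GET: inflate fails
        ("GET", post_param, False),       # same input with inflation switched off: accepted
    ]
    for method, param, inflate in cases:
        verdict = "ok" if decodes_cleanly(method, param, inflate) else "rejected"
        print(f"{method:4} inflate={inflate!s:5} -> {verdict}")
```

The third case is the confusion the issue refers to: with the method check in place, a plain-base64 response delivered on GET is rejected only because the converter insists on inflating it, while with `should_inflate=False` the same bytes decode exactly as they would on POST.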