Link Spring-WS / WSS4J with Spring-Security


I created a SOAP service which has to be secured by a SAML Assertion in the SOAP header. For this I am using Spring-WS and WSS4J. To validate the SAML Assertion I have created a Wss4jSecurityInterceptor like the following:

    @Bean
    public Wss4jSecurityInterceptor requestInterceptor() {
        Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
        securityInterceptor.setValidationActions("SAMLTokenSigned");
        try {
            securityInterceptor.setValidationSignatureCrypto(crypto().getObject());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        return securityInterceptor;
    }

That part is working and I need to pass the WSS-Security Header to my SOAP request. But now I have to get the Role, User Principal Name and so on out of the Assertion.

I try to get a SecurityContext inside my called Endpoint like this:

    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "getFirstTry")
    public @ResponsePayload GetFirstTryResponse getFirstTry(
            @RequestPayload GetFirstTryRequest request
    ) {

        SecurityContext securityContext = SecurityContextHolder.getContext();
        // ... securityContext.getAuthentication() is expected to hold the caller's identity here
    }

The authentication in that securityContext is NULL. So I try to set up Spring Security for that. I have created a filterChain, but it seems that the SOAP request is redirected to my asserting party IDP before the SOAP header is parsed and the user is authenticated.

This is my FilterChain configuration:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver = new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository);
        Saml2MetadataFilter filter = new Saml2MetadataFilter((Converter<HttpServletRequest, RelyingPartyRegistration>) relyingPartyRegistrationResolver, new OpenSamlMetadataResolver());

        http.csrf().disable()
                .authorizeHttpRequests(auth -> auth.anyRequest()
                        .authenticated())
                .saml2Login(Customizer.withDefaults())
                .formLogin(Customizer.withDefaults())
                .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);
        return http.build();
    }
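An added example, not code from the question above: one way to get the assertion's subject and roles into `SecurityContextHolder` is a second Spring-WS `EndpointInterceptor` that runs after `Wss4jSecurityInterceptor` and reads the results WSS4J already stored in the `MessageContext` under `WSHandlerConstants.RECV_RESULTS`. It assumes WSS4J 2.x (map-style `WSSecurityEngineResult` keys), OpenSAML's SAML 2 object model, and a hypothetical role attribute name passed in by the caller; only a result whose action is `ST_SIGNED` (the signed-token action that `SAMLTokenSigned` validates) is trusted, so an unsigned assertion yields no identity.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.ws.context.MessageContext;
import org.springframework.ws.server.endpoint.interceptor.EndpointInterceptorAdapter;

/**
 * Runs AFTER Wss4jSecurityInterceptor. It never touches the SOAP header itself;
 * it only reads the validation results WSS4J left in the MessageContext and
 * turns the signed assertion into a Spring Security Authentication.
 */
public class SamlResultsToSecurityContextInterceptor extends EndpointInterceptorAdapter {

    /** Assumed SAML attribute name that carries roles; use the IdP's real attribute name. */
    private final String roleAttributeName;

    public SamlResultsToSecurityContextInterceptor(String roleAttributeName) {
        this.roleAttributeName = roleAttributeName;
    }

    @Override
    public boolean handleRequest(MessageContext messageContext, Object endpoint) {
        SamlAssertionWrapper assertion = findSignedAssertion(messageContext);
        if (assertion == null) {
            // Fail closed: without a validated, signed assertion there is no identity.
            throw new AuthenticationServiceException("No signed SAML assertion validated by WSS4J");
        }
        String principal = assertion.getSubjectName();
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : attributeValues(assertion.getSaml2(), roleAttributeName)) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
        }
        // Pre-authenticated: the signature check already happened in WSS4J.
        SecurityContextHolder.getContext().setAuthentication(
                new PreAuthenticatedAuthenticationToken(principal, assertion, authorities));
        return true;
    }

    @Override
    public void afterCompletion(MessageContext messageContext, Object endpoint, Exception ex) {
        // The container reuses threads: never leak this identity into the next request.
        SecurityContextHolder.clearContext();
    }

    /** Returns the first assertion whose WSS4J action is ST_SIGNED, or null if none was validated. */
    @SuppressWarnings("unchecked")
    static SamlAssertionWrapper findSignedAssertion(MessageContext messageContext) {
        List<WSHandlerResult> handlerResults =
                (List<WSHandlerResult>) messageContext.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            return null;
        }
        for (WSHandlerResult handlerResult : handlerResults) {
            for (WSSecurityEngineResult result : handlerResult.getResults()) {
                Integer action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
                if (action != null && action == WSConstants.ST_SIGNED) {
                    return (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                }
            }
        }
        return null;
    }

    /** Collects the string values of every attribute named {@code name} (SAML 2 only; null-safe). */
    static List<String> attributeValues(Assertion assertion, String name) {
        List<String> values = new ArrayList<>();
        if (assertion == null) {
            return values; // getSaml2() is null for a SAML 1.1 token
        }
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                if (!name.equals(attribute.getName())) {
                    continue;
                }
                for (XMLObject value : attribute.getAttributeValues()) {
                    if (value instanceof XSString) {
                        values.add(((XSString) value).getValue());
                    } else if (value instanceof XSAny) {
                        values.add(((XSAny) value).getTextContent());
                    }
                }
            }
        }
        return values;
    }
}
```

Register it through `WsConfigurerAdapter#addInterceptors` with `requestInterceptor()` added first and this interceptor second, because Spring-WS invokes interceptors in list order and this one depends on WSS4J's results being present. Keep the SOAP endpoint path out of the `saml2Login` filter chain (or `permitAll` it there): that chain implements the browser redirect flow, which is why the SOAP request was being sent to the IdP, whereas the SOAP caller's identity is established by the signature check in WSS4J and by this interceptor.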