Skip to content

Commit

Permalink
Use RSA256 algorithm for SAML2 authN statement singing
Browse files Browse the repository at this point in the history 
Before, defaulted to insecure SHA1 algorithm. SHA1 support was dropped by Keycloak v22.
  • Loading branch information
@pvannierop @inodb
pvannierop authored and inodb committed Oct 3, 2023
1 parent 49c95f0 commit 4ed5af1
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 1 deletion.
18 changes: 18 additions & 0 deletions ...src/main/java/org/cbioportal/security/spring/authentication/saml/SAMLBootstrapRSA256.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
package org.cbioportal.security.spring.authentication.saml;

import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.saml.SAMLBootstrap;

public class SAMLBootstrapRSA256 extends SAMLBootstrap {
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
super.postProcessBeanFactory(beanFactory);
BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
}
}
3 changes: 2 additions & 1 deletion security/security-spring/src/main/resources/applicationContext-security.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -349,6 +349,7 @@
<b:bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<b:property name="idpDiscoveryEnabled" value="true"/>
<b:property name="signMetadata" value="false"/>
<b:property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
</b:bean>
</b:property>
</b:bean>
Expand Down Expand Up @@ -498,7 +499,7 @@
</b:bean>

<!-- Initialization of OpenSAML library-->
<b:bean class="org.springframework.security.saml.SAMLBootstrap"/>
<b:bean class="org.cbioportal.security.spring.authentication.saml.SAMLBootstrapRSA256"/>

<!-- Initialization of the velocity engine -->
<b:bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>
Expand Down

0 comments on commit 4ed5af1

Please sign in to comment.