headers = super.getHeaders(name);
+ while (headers.hasMoreElements()) {
+ String header = headers.nextElement();
+ String[] tokens = header.split(",");
+ for (String token : tokens) {
+ result.add(stripXSS(token));
+ }
+ }
+ return Collections.enumeration(result);
+ }
+
+}
diff --git a/spring-security-modules/spring-5-security/src/main/java/com/baeldung/xss/XSSUtils.java b/spring-security-modules/spring-5-security/src/main/java/com/baeldung/xss/XSSUtils.java
new file mode 100644
index 0000000000..51bcba8115
--- /dev/null
+++ b/spring-security-modules/spring-5-security/src/main/java/com/baeldung/xss/XSSUtils.java
@@ -0,0 +1,19 @@
+package com.baeldung.xss;
+
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Whitelist;
+import org.owasp.esapi.ESAPI;
+
+public class XSSUtils {
+
+ public static String stripXSS(String value) {
+ if (value == null) {
+ return null;
+ }
+ value = ESAPI.encoder()
+ .canonicalize(value)
+ .replaceAll("\0", "");
+ return Jsoup.clean(value, Whitelist.none());
+ }
+
+}
diff --git a/spring-security-modules/spring-5-security/src/main/resources/ESAPI.properties b/spring-security-modules/spring-5-security/src/main/resources/ESAPI.properties
new file mode 100644
index 0000000000..a2746a4dbc
--- /dev/null
+++ b/spring-security-modules/spring-5-security/src/main/resources/ESAPI.properties
@@ -0,0 +1,545 @@
+#
+# OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version
+#
+# This file is part of the Open Web Application Security Project (OWASP)
+# Enterprise Security API (ESAPI) project. For details, please see
+# https://owasp.org/www-project-enterprise-security-api/
+#
+# Copyright (c) 2008,2009 - The OWASP Foundation
+#
+# DISCUSS: This may cause a major backwards compatibility issue, etc. but
+# from a name space perspective, we probably should have prefaced
+# all the property names with ESAPI or at least OWASP. Otherwise
+# there could be problems is someone loads this properties file into
+# the System properties. We could also put this file into the
+# esapi.jar file (perhaps as a ResourceBundle) and then allow an external
+# ESAPI properties be defined that would overwrite these defaults.
+# That keeps the application's properties relatively simple as usually
+# they will only want to override a few properties. If looks like we
+# already support multiple override levels of this in the
+# DefaultSecurityConfiguration class, but I'm suggesting placing the
+# defaults in the esapi.jar itself. That way, if the jar is signed,
+# we could detect if those properties had been tampered with. (The
+# code to check the jar signatures is pretty simple... maybe 70-90 LOC,
+# but off course there is an execution penalty (similar to the way
+# that the separate sunjce.jar used to be when a class from it was
+# first loaded). Thoughts?
+###############################################################################
+#
+# WARNING: Operating system protection should be used to lock down the .esapi
+# resources directory and all the files inside and all the directories all the
+# way up to the root directory of the file system. Note that if you are using
+# file-based implementations, that some files may need to be read-write as they
+# get updated dynamically.
+#
+#===========================================================================
+# ESAPI Configuration
+#
+# If true, then print all the ESAPI properties set here when they are loaded.
+# If false, they are not printed. Useful to reduce output when running JUnit tests.
+# If you need to troubleshoot a properties related problem, turning this on may help.
+# This is 'false' in the src/test/resources/.esapi version. It is 'true' by
+# default for reasons of backward compatibility with earlier ESAPI versions.
+ESAPI.printProperties=true
+
+# ESAPI is designed to be easily extensible. You can use the reference implementation
+# or implement your own providers to take advantage of your enterprise's security
+# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
+#
+# String ciphertext =
+# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0
+# CipherText cipherText =
+# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
+#
+# Below you can specify the classname for the provider that you wish to use in your
+# application. The only requirement is that it implement the appropriate ESAPI interface.
+# This allows you to switch security implementations in the future without rewriting the
+# entire application.
+#
+# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
+ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
+# FileBasedAuthenticator requires users.txt file in .esapi directory
+ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
+ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
+ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
+
+ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
+ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
+ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
+# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
+# Note that this is now considered deprecated!
+ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
+#ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
+#ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
+# To use the new SLF4J logger in ESAPI (see GitHub issue #129), set
+# ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
+# and do whatever other normal SLF4J configuration that you normally would do for your application.
+ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
+ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
+
+#===========================================================================
+# ESAPI Authenticator
+#
+Authenticator.AllowedLoginAttempts=3
+Authenticator.MaxOldPasswordHashes=13
+Authenticator.UsernameParameterName=username
+Authenticator.PasswordParameterName=password
+# RememberTokenDuration (in days)
+Authenticator.RememberTokenDuration=14
+# Session Timeouts (in minutes)
+Authenticator.IdleTimeoutDuration=20
+Authenticator.AbsoluteTimeoutDuration=120
+
+#===========================================================================
+# ESAPI Encoder
+#
+# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
+# Failure to canonicalize input is a very common mistake when implementing validation schemes.
+# Canonicalization is automatic when using the ESAPI Validator, but you can also use the
+# following code to canonicalize data.
+#
+# ESAPI.Encoder().canonicalize( "%22hello world"" );
+#
+# Multiple encoding is when a single encoding format is applied multiple times. Allowing
+# multiple encoding is strongly discouraged.
+Encoder.AllowMultipleEncoding=false
+
+# Mixed encoding is when multiple different encoding formats are applied, or when
+# multiple formats are nested. Allowing multiple encoding is strongly discouraged.
+Encoder.AllowMixedEncoding=false
+
+# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
+# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
+# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
+Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
+
+
+#===========================================================================
+# ESAPI Encryption
+#
+# The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
+# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
+# There is not currently any support for key rotation, so be careful when changing your key and salt as it
+# will invalidate all signed, encrypted, and hashed data.
+#
+# WARNING: Not all combinations of algorithms and key lengths are supported.
+# If you choose to use a key length greater than 128, you MUST download the
+# unlimited strength policy files and install in the lib directory of your JRE/JDK.
+# See http://java.sun.com/javase/downloads/index.jsp for more information.
+#
+# ***** IMPORTANT: Do NOT forget to replace these with your own values! *****
+# To calculate these values, you can run:
+# java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
+#
+#Encryptor.MasterKey=
+#Encryptor.MasterSalt=
+
+# Provides the default JCE provider that ESAPI will "prefer" for its symmetric
+# encryption and hashing. (That is it will look to this provider first, but it
+# will defer to other providers if the requested algorithm is not implemented
+# by this provider.) If left unset, ESAPI will just use your Java VM's current
+# preferred JCE provider, which is generally set in the file
+# "$JAVA_HOME/jre/lib/security/java.security".
+#
+# The main intent of this is to allow ESAPI symmetric encryption to be
+# used with a FIPS 140-2 compliant crypto-module. For details, see the section
+# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
+# the ESAPI 2.0 Symmetric Encryption User Guide, at:
+# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
+# However, this property also allows you to easily use an alternate JCE provider
+# such as "Bouncy Castle" without having to make changes to "java.security".
+# See Javadoc for SecurityProviderLoader for further details. If you wish to use
+# a provider that is not known to SecurityProviderLoader, you may specify the
+# fully-qualified class name of the JCE provider class that implements
+# java.security.Provider. If the name contains a '.', this is interpreted as
+# a fully-qualified class name that implements java.security.Provider.
+#
+# NOTE: Setting this property has the side-effect of changing it in your application
+# as well, so if you are using JCE in your application directly rather than
+# through ESAPI (you wouldn't do that, would you? ;-), it will change the
+# preferred JCE provider there as well.
+#
+# Default: Keeps the JCE provider set to whatever JVM sets it to.
+Encryptor.PreferredJCEProvider=
+
+# AES is the most widely used and strongest encryption algorithm. This
+# should agree with your Encryptor.CipherTransformation property.
+# Warning: This property does not control the default reference implementation for
+# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
+# in the future.
+# @deprecated
+Encryptor.EncryptionAlgorithm=AES
+# For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
+Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
+
+# Applies to ESAPI 2.0 and later only!
+# Comma-separated list of cipher modes that provide *BOTH*
+# confidentiality *AND* message authenticity. (NIST refers to such cipher
+# modes as "combined modes" so that's what we shall call them.) If any of these
+# cipher modes are used then no MAC is calculated and stored
+# in the CipherText upon encryption. Likewise, if one of these
+# cipher modes is used with decryption, no attempt will be made
+# to validate the MAC contained in the CipherText object regardless
+# of whether it contains one or not. Since the expectation is that
+# these cipher modes support support message authenticity already,
+# injecting a MAC in the CipherText object would be at best redundant.
+#
+# Note that as of JDK 1.5, the SunJCE provider does not support *any*
+# of these cipher modes. Of these listed, only GCM and CCM are currently
+# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
+# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
+# padding modes.
+Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC
+
+# Applies to ESAPI 2.0 and later only!
+# Additional cipher modes allowed for ESAPI 2.0 encryption. These
+# cipher modes are in _addition_ to those specified by the property
+# 'Encryptor.cipher_modes.combined_modes'.
+# Note: We will add support for streaming modes like CFB & OFB once
+# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
+# (probably in ESAPI 2.1).
+# DISCUSS: Better name?
+Encryptor.cipher_modes.additional_allowed=CBC
+
+# Default key size to use for cipher specified by Encryptor.EncryptionAlgorithm.
+# Note that this MUST be a valid key size for the algorithm being used
+# (as specified by Encryptor.EncryptionAlgorithm). So for example, if AES is used,
+# it must be 128, 192, or 256. If DESede is chosen, then it must be either 112 or 168.
+#
+# Note that 128-bits is almost always sufficient and for AES it appears to be more
+# somewhat more resistant to related key attacks than is 256-bit AES.)
+#
+# Defaults to 128-bits if left blank.
+#
+# NOTE: If you use a key size > 128-bits, then you MUST have the JCE Unlimited
+# Strength Jurisdiction Policy files installed!!!
+#
+Encryptor.EncryptionKeyLength=128
+
+# This is the _minimum_ key size (in bits) that we allow with ANY symmetric
+# cipher for doing encryption. (There is no minimum for decryption.)
+#
+# Generally, if you only use one algorithm, this should be set the same as
+# the Encryptor.EncryptionKeyLength property.
+Encryptor.MinEncryptionKeyLength=128
+
+# Because 2.x uses CBC mode by default, it requires an initialization vector (IV).
+# (All cipher modes except ECB require an IV.) There are two choices: we can either
+# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
+# the IV does not need to be hidden from adversaries, it is important that the
+# adversary not be allowed to choose it. Also, random IVs are generally much more
+# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
+# such as CFB and OFB use a different IV for each encryption with a given key so
+# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
+# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
+# uncomment the Encryptor.fixedIV.
+#
+# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.3
+# 'fixed' is deprecated as of 2.2
+# and will be removed in 2.3.
+Encryptor.ChooseIVMethod=random
+
+
+# If you choose to use a fixed IV, then you must place a fixed IV here that
+# is known to all others who are sharing your secret key. The format should
+# be a hex string that is the same length as the cipher block size for the
+# cipher algorithm that you are using. The following is an *example* for AES
+# from an AES test vector for AES-128/CBC as described in:
+# NIST Special Publication 800-38A (2001 Edition)
+# "Recommendation for Block Cipher Modes of Operation".
+# (Note that the block size for AES is 16 bytes == 128 bits.)
+#
+# @Deprecated -- fixed IVs are deprecated as of the 2.2 release and support
+# will be removed in the next release (tentatively, 2.3).
+# If you MUST use this, at least replace this IV with one
+# that your legacy application was using.
+Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
+
+# Whether or not CipherText should use a message authentication code (MAC) with it.
+# This prevents an adversary from altering the IV as well as allowing a more
+# fool-proof way of determining the decryption failed because of an incorrect
+# key being supplied. This refers to the "separate" MAC calculated and stored
+# in CipherText, not part of any MAC that is calculated as a result of a
+# "combined mode" cipher mode.
+#
+# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
+# set this property to false. That is because ESAPI takes the master key and
+# derives 2 keys from it--a key for the MAC and a key for encryption--and
+# because ESAPI is not itself FIPS 140-2 verified such intermediary aterations
+# to keys from FIPS approved sources would have the effect of making your FIPS
+# approved key generation and thus your FIPS approved JCE provider unapproved!
+# More details in
+# documentation/esapi4java-core-2.0-readme-crypto-changes.html
+# documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
+# You have been warned.
+Encryptor.CipherText.useMAC=true
+
+# Whether or not the PlainText object may be overwritten and then marked
+# eligible for garbage collection. If not set, this is still treated as 'true'.
+Encryptor.PlainText.overwrite=true
+
+# Do not use DES except in a legacy situations. 56-bit is way too small key size.
+#Encryptor.EncryptionKeyLength=56
+#Encryptor.MinEncryptionKeyLength=56
+#Encryptor.EncryptionAlgorithm=DES
+
+# TripleDES is considered strong enough for most purposes.
+# Note: There is also a 112-bit version of DESede. Using the 168-bit version
+# requires downloading the special jurisdiction policy from Sun.
+#Encryptor.EncryptionKeyLength=168
+#Encryptor.MinEncryptionKeyLength=112
+#Encryptor.EncryptionAlgorithm=DESede
+
+Encryptor.HashAlgorithm=SHA-512
+Encryptor.HashIterations=1024
+Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
+Encryptor.DigitalSignatureKeyLength=1024
+Encryptor.RandomAlgorithm=SHA1PRNG
+Encryptor.CharacterEncoding=UTF-8
+
+# This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function
+# (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and
+# *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for
+# the MAC, mostly to keep the overall size at a minimum.)
+#
+# Currently supported choices for JDK 1.5 and 1.6 are:
+# HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and
+# HmacSHA512 (512 bits).
+# Note that HmacMD5 is *not* supported for the PRF used by the KDF even though
+# the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide
+# further details.
+Encryptor.KDF.PRF=HmacSHA256
+#===========================================================================
+# ESAPI HttpUtilties
+#
+# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods
+# protect against malicious data from attackers, such as unprintable characters, escaped characters,
+# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
+# headers, and CSRF tokens.
+#
+# Default file upload location (remember to escape backslashes with \\)
+HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
+HttpUtilities.UploadTempDir=C:\\temp
+# Force flags on cookies, if you use HttpUtilities to set cookies
+HttpUtilities.ForceHttpOnlySession=false
+HttpUtilities.ForceSecureSession=false
+HttpUtilities.ForceHttpOnlyCookies=true
+HttpUtilities.ForceSecureCookies=true
+# Maximum size of HTTP header key--the validator regex may have additional values.
+HttpUtilities.MaxHeaderNameSize=256
+# Maximum size of HTTP header value--the validator regex may have additional values.
+HttpUtilities.MaxHeaderValueSize=4096
+# Maximum size of JSESSIONID for the application--the validator regex may have additional values.
+HttpUtilities.HTTPJSESSIONIDLENGTH=50
+# Maximum length of a URL (see https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers)
+HttpUtilities.URILENGTH=2000
+# Maximum length of a redirect
+HttpUtilities.maxRedirectLength=512
+# Maximum length for an http scheme
+HttpUtilities.HTTPSCHEMELENGTH=10
+# Maximum length for an http host
+HttpUtilities.HTTPHOSTLENGTH=100
+# Maximum length for an http path
+HttpUtilities.HTTPPATHLENGTH=150
+#Maximum length for a context path
+HttpUtilities.contextPathLength=150
+#Maximum length for an httpServletPath
+HttpUtilities.HTTPSERVLETPATHLENGTH=100
+#Maximum length for an http query parameter name
+HttpUtilities.httpQueryParamNameLength=100
+#Maximum length for an http query parameter -- old default was 2000, but that's the max length for a URL...
+HttpUtilities.httpQueryParamValueLength=500
+# File upload configuration
+HttpUtilities.ApprovedUploadExtensions=.pdf,.doc,.docx,.ppt,.pptx,.xls,.xlsx,.rtf,.txt,.jpg,.png
+HttpUtilities.MaxUploadFileBytes=500000000
+# Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
+# container, and any other technologies you may be using. Failure to do this may expose you
+# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
+HttpUtilities.ResponseContentType=text/html; charset=UTF-8
+# This is the name of the cookie used to represent the HTTP session
+# Typically this will be the default "JSESSIONID"
+HttpUtilities.HttpSessionIdName=JSESSIONID
+#Sets whether or not we will overwrite http status codes to 200.
+HttpUtilities.OverwriteStatusCodes=true
+#Sets the application's base character encoding. This is forked from the Java Encryptor property.
+HttpUtilities.CharacterEncoding=UTF-8
+
+#===========================================================================
+# ESAPI Executor
+# CHECKME - This should be made OS independent. Don't use unsafe defaults.
+# # Examples only -- do NOT blindly copy!
+# For Windows:
+# Executor.WorkingDirectory=C:\\Windows\\Temp
+# Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe
+# For *nux, MacOS:
+# Executor.WorkingDirectory=/tmp
+# Executor.ApprovedExecutables=/bin/bash
+Executor.WorkingDirectory=
+Executor.ApprovedExecutables=
+
+
+#===========================================================================
+# ESAPI Logging
+# Set the application name if these logs are combined with other applications
+Logger.ApplicationName=ExampleApplication
+# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
+Logger.LogEncodingRequired=false
+# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
+Logger.LogApplicationName=true
+# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
+Logger.LogServerIP=true
+# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
+# want to place it in a specific directory.
+Logger.LogFileName=ESAPI_logging_file
+# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
+Logger.MaxLogFileSize=10000000
+# Determines whether ESAPI should log the user info.
+Logger.UserInfo=true
+# Determines whether ESAPI should log the session id and client IP.
+Logger.ClientInfo=true
+
+#===========================================================================
+# ESAPI Intrusion Detection
+#
+# Each event has a base to which .count, .interval, and .action are added
+# The IntrusionException will fire if we receive "count" events within "interval" seconds
+# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
+# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
+#
+# Custom Events
+# Names must start with "event." as the base
+# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
+# You can also disable intrusion detection completely by changing
+# the following parameter to true
+#
+IntrusionDetector.Disable=false
+#
+IntrusionDetector.event.test.count=2
+IntrusionDetector.event.test.interval=10
+IntrusionDetector.event.test.actions=disable,log
+
+# Exception Events
+# All EnterpriseSecurityExceptions are registered automatically
+# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
+# Use the fully qualified classname of the exception as the base
+
+# any intrusion is an attack
+IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
+IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
+IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
+
+# for test purposes
+# CHECKME: Shouldn't there be something in the property name itself that designates
+# that these are for testing???
+IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
+IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
+IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
+
+# rapid validation errors indicate scans or attacks in progress
+# org.owasp.esapi.errors.ValidationException.count=10
+# org.owasp.esapi.errors.ValidationException.interval=10
+# org.owasp.esapi.errors.ValidationException.actions=log,logout
+
+# sessions jumping between hosts indicates session hijacking
+IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
+IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
+IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
+
+
+#===========================================================================
+# ESAPI Validation
+#
+# The ESAPI Validator works on regular expressions with defined names. You can define names
+# either here, or you may define application specific patterns in a separate file defined below.
+# This allows enterprises to specify both organizational standards as well as application specific
+# validation rules.
+#
+# Use '\p{L}' (without the quotes) within the character class to match
+# any Unicode LETTER. You can also use a range, like: \u00C0-\u017F
+# You can also use any of the regex flags as documented at
+# https://docs.oracle.com/javase/tutorial/essential/regex/pattern.html, e.g. (?u)
+#
+Validator.ConfigurationFile=validation.properties
+
+# Validators used by ESAPI
+Validator.AccountName=^[a-zA-Z0-9]{3,20}$
+Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
+Validator.RoleName=^[a-z]{1,20}$
+
+#the word TEST below should be changed to your application
+#name - only relative URL's are supported
+Validator.Redirect=^\\/test.*$
+
+# Global HTTP Validation Rules
+# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
+Validator.HTTPScheme=^(http|https)$
+Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
+Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
+Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
+# Note that headerName and Value length is also configured in the HTTPUtilities section
+Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$
+Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
+Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
+Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
+Validator.HTTPURL=^.*$
+Validator.HTTPJSESSIONID=^[A-Z0-9]{10,32}$
+
+
+# Contributed by Fraenku@gmx.ch
+# Github Issue 126 https://github.com/ESAPI/esapi-java-legacy/issues/126
+Validator.HTTPParameterName=^[a-zA-Z0-9_\\-]{1,32}$
+Validator.HTTPParameterValue=^[\\p{L}\\p{N}.\\-/+=_ !$*?@]{0,1000}$
+Validator.HTTPContextPath=^/[a-zA-Z0-9.\\-_]*$
+Validator.HTTPQueryString=^([a-zA-Z0-9_\\-]{1,32}=[\\p{L}\\p{N}.\\-/+=_ !$*?@%]*&?)*$
+Validator.HTTPURI=^/([a-zA-Z0-9.\\-_]*/?)*$
+
+
+# Validation of file related input
+Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
+Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
+
+# Validation of dates. Controls whether or not 'lenient' dates are accepted.
+# See DataFormat.setLenient(boolean flag) for further details.
+Validator.AcceptLenientDates=false
+
+# ~~~~~ Important Note ~~~~~
+# This is a workaround to make sure that a commit to address GitHub issue #509
+# doesn't accidentally break someone's production code. So essentially what we
+# are doing is to reverting back to the previous possibly buggy (by
+# documentation intent at least), but, by now, expected legacy behavior.
+# Prior to the code changes for issue #509, if invalid / malicious HTML input was
+# observed, AntiSamy would simply attempt to sanitize (cleanse) it and it would
+# only be logged. However, the code change made ESAPI comply with its
+# documentation, which stated that a ValidationException should be thrown in
+# such cases. Unfortunately, changing this behavior--especially when no one is
+# 100% certain that the documentation was correct--could break existing code
+# using ESAPI so after a lot of debate, issue #521 was created to restore the
+# previous behavior, but still allow the documented behavior. (We did this
+# because it wasn't really causing an security issues since AntiSamy would clean
+# it up anyway and we value backward compatibility as long as it doesn't clearly
+# present security vulnerabilities.)
+# More defaults about this are written up under GitHub issue #521 and
+# the pull request it references. Future major releases of ESAPI (e.g., ESAPI 3.x)
+# will not support this previous behavior, but it will remain for ESAPI 2.x.
+# Set this to 'throw' if you want the originally intended behavior of throwing
+# that was fixed via issue #509. Set to 'clean' if you want want the HTML input
+# sanitized instead.
+#
+# Possible values:
+# clean -- Use the legacy behavior where unsafe HTML input is logged and the
+# sanitized (i.e., clean) input as determined by AntiSamy and your
+# AntiSamy rules is returned. This is the default behavior if this
+# new property is not found.
+# throw -- The new, presumably correct and originally intended behavior where
+# a ValidationException is thrown when unsafe HTML input is
+# encountered.
+#
+#Validator.HtmlValidationAction=clean
+Validator.HtmlValidationAction=throw
+
+# With the fix for #310 to enable loading antisamy-esapi.xml from the classpath
+# also an enhancement was made to be able to use a different filename for the configuration.
+# You don't have to configure the filename here, but in that case the code will keep looking for antisamy-esapi.xml.
+# This is the default behaviour of ESAPI.
+#
+#Validator.HtmlValidationConfigurationFile=antisamy-esapi.xml
\ No newline at end of file
diff --git a/spring-5-security/src/main/resources/application-extrafields.properties b/spring-security-modules/spring-5-security/src/main/resources/application-extrafields.properties
similarity index 100%
rename from spring-5-security/src/main/resources/application-extrafields.properties
rename to spring-security-modules/spring-5-security/src/main/resources/application-extrafields.properties
diff --git a/spring-5-security/src/main/resources/application.properties b/spring-security-modules/spring-5-security/src/main/resources/application.properties
similarity index 100%
rename from spring-5-security/src/main/resources/application.properties
rename to spring-security-modules/spring-5-security/src/main/resources/application.properties
diff --git a/spring-dispatcher-servlet/src/main/resources/logback.xml b/spring-security-modules/spring-5-security/src/main/resources/logback.xml
similarity index 100%
rename from spring-dispatcher-servlet/src/main/resources/logback.xml
rename to spring-security-modules/spring-5-security/src/main/resources/logback.xml
diff --git a/spring-5-security/src/main/resources/static/css/main.css b/spring-security-modules/spring-5-security/src/main/resources/static/css/main.css
similarity index 100%
rename from spring-5-security/src/main/resources/static/css/main.css
rename to spring-security-modules/spring-5-security/src/main/resources/static/css/main.css
diff --git a/spring-5-security/src/main/resources/templates/index.html b/spring-security-modules/spring-5-security/src/main/resources/templates/index.html
similarity index 100%
rename from spring-5-security/src/main/resources/templates/index.html
rename to spring-security-modules/spring-5-security/src/main/resources/templates/index.html
diff --git a/spring-5-security/src/main/resources/templatesextrafields/index.html b/spring-security-modules/spring-5-security/src/main/resources/templatesextrafields/index.html
similarity index 100%
rename from spring-5-security/src/main/resources/templatesextrafields/index.html
rename to spring-security-modules/spring-5-security/src/main/resources/templatesextrafields/index.html
diff --git a/spring-5-security/src/main/resources/templatesextrafields/login.html b/spring-security-modules/spring-5-security/src/main/resources/templatesextrafields/login.html
similarity index 100%
rename from spring-5-security/src/main/resources/templatesextrafields/login.html
rename to spring-security-modules/spring-5-security/src/main/resources/templatesextrafields/login.html
diff --git a/spring-5-security/src/main/resources/templatesextrafields/user/index.html b/spring-security-modules/spring-5-security/src/main/resources/templatesextrafields/user/index.html
similarity index 100%
rename from spring-5-security/src/main/resources/templatesextrafields/user/index.html
rename to spring-security-modules/spring-5-security/src/main/resources/templatesextrafields/user/index.html
diff --git a/spring-5-security/src/test/java/com/baeldung/SpringContextTest.java b/spring-security-modules/spring-5-security/src/test/java/com/baeldung/SpringContextTest.java
similarity index 100%
rename from spring-5-security/src/test/java/com/baeldung/SpringContextTest.java
rename to spring-security-modules/spring-5-security/src/test/java/com/baeldung/SpringContextTest.java
diff --git a/spring-5-security/src/test/java/com/baeldung/authresolver/AuthResolverIntegrationTest.java b/spring-security-modules/spring-5-security/src/test/java/com/baeldung/authresolver/AuthResolverIntegrationTest.java
similarity index 100%
rename from spring-5-security/src/test/java/com/baeldung/authresolver/AuthResolverIntegrationTest.java
rename to spring-security-modules/spring-5-security/src/test/java/com/baeldung/authresolver/AuthResolverIntegrationTest.java
diff --git a/spring-5-security/src/test/java/com/baeldung/inmemory/InMemoryAuthControllerIntegrationTest.java b/spring-security-modules/spring-5-security/src/test/java/com/baeldung/inmemory/InMemoryAuthControllerIntegrationTest.java
similarity index 100%
rename from spring-5-security/src/test/java/com/baeldung/inmemory/InMemoryAuthControllerIntegrationTest.java
rename to spring-security-modules/spring-5-security/src/test/java/com/baeldung/inmemory/InMemoryAuthControllerIntegrationTest.java
diff --git a/spring-5-security/src/test/java/com/baeldung/loginextrafields/AbstractExtraLoginFieldsIntegrationTest.java b/spring-security-modules/spring-5-security/src/test/java/com/baeldung/loginextrafields/AbstractExtraLoginFieldsIntegrationTest.java
similarity index 100%
rename from spring-5-security/src/test/java/com/baeldung/loginextrafields/AbstractExtraLoginFieldsIntegrationTest.java
rename to spring-security-modules/spring-5-security/src/test/java/com/baeldung/loginextrafields/AbstractExtraLoginFieldsIntegrationTest.java
diff --git a/spring-5-security/src/test/java/com/baeldung/loginextrafields/LoginFieldsFullIntegrationTest.java b/spring-security-modules/spring-5-security/src/test/java/com/baeldung/loginextrafields/LoginFieldsFullIntegrationTest.java
similarity index 100%
rename from spring-5-security/src/test/java/com/baeldung/loginextrafields/LoginFieldsFullIntegrationTest.java
rename to spring-security-modules/spring-5-security/src/test/java/com/baeldung/loginextrafields/LoginFieldsFullIntegrationTest.java
diff --git a/spring-5-security/src/test/java/com/baeldung/loginextrafields/LoginFieldsSimpleIntegrationTest.java b/spring-security-modules/spring-5-security/src/test/java/com/baeldung/loginextrafields/LoginFieldsSimpleIntegrationTest.java
similarity index 100%
rename from spring-5-security/src/test/java/com/baeldung/loginextrafields/LoginFieldsSimpleIntegrationTest.java
rename to spring-security-modules/spring-5-security/src/test/java/com/baeldung/loginextrafields/LoginFieldsSimpleIntegrationTest.java
diff --git a/spring-5-security/src/test/java/com/baeldung/logoutredirects/LogoutApplicationUnitTest.java b/spring-security-modules/spring-5-security/src/test/java/com/baeldung/logoutredirects/LogoutApplicationUnitTest.java
similarity index 100%
rename from spring-5-security/src/test/java/com/baeldung/logoutredirects/LogoutApplicationUnitTest.java
rename to spring-security-modules/spring-5-security/src/test/java/com/baeldung/logoutredirects/LogoutApplicationUnitTest.java
diff --git a/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java b/spring-security-modules/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java
similarity index 100%
rename from spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java
rename to spring-security-modules/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java
diff --git a/spring-security-modules/spring-5-security/src/test/java/com/baeldung/xss/PersonControllerUnitTest.java b/spring-security-modules/spring-5-security/src/test/java/com/baeldung/xss/PersonControllerUnitTest.java
new file mode 100644
index 0000000000..4e278ebf16
--- /dev/null
+++ b/spring-security-modules/spring-5-security/src/test/java/com/baeldung/xss/PersonControllerUnitTest.java
@@ -0,0 +1,64 @@
+package com.baeldung.xss;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.JsonNodeFactory;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.web.server.LocalServerPort;
+import org.springframework.http.*;
+import org.springframework.web.client.RestTemplate;
+import org.springframework.web.util.UriComponentsBuilder;
+import java.io.IOException;
+import static org.assertj.core.api.Assertions.assertThat;
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+class PersonControllerUnitTest {
+
+ @LocalServerPort
+ int randomServerPort;
+
+ @Test
+ public void givenRequestIsSuspicious_whenRequestIsPost_thenResponseIsClean()
+ throws IOException {
+ // given
+ String createPersonUrl;
+ RestTemplate restTemplate;
+ HttpHeaders headers;
+ UriComponentsBuilder builder;
+ ObjectMapper objectMapper = new ObjectMapper();
+ ObjectNode personJsonObject = JsonNodeFactory.instance.objectNode();
+ createPersonUrl = "http://localhost:" + randomServerPort + "/personService/person";
+ restTemplate = new RestTemplate();
+ headers = new HttpHeaders();
+
+ // when
+ personJsonObject.put("id", 1);
+ personJsonObject.put("firstName", "baeldung ");
+ personJsonObject.put("lastName", "baeldung click me!");
+
+ builder = UriComponentsBuilder.fromHttpUrl(createPersonUrl)
+ .queryParam("param", "");
+ headers.add("header_4", "Your search for 'flowers '");
+ HttpEntity request = new HttpEntity<>(personJsonObject.toString(), headers);
+
+ ResponseEntity personResultAsJsonStr = restTemplate.exchange(builder.toUriString(),
+ HttpMethod.POST, request, String.class);
+ JsonNode root = objectMapper.readTree(personResultAsJsonStr.getBody());
+
+ // then
+ assertThat(root.get("firstName").textValue()).isEqualTo("baeldung ");
+ assertThat(root.get("lastName").textValue()).isEqualTo("baeldung click me!");
+ assertThat(root.get("param").textValue()).isEmpty();
+ assertThat(root.get("header_1").textValue()).isEmpty();
+ assertThat(root.get("header_2").textValue()).isEmpty();
+ assertThat(root.get("header_3").textValue()).isEmpty();
+ assertThat(root.get("header_4").textValue()).isEqualTo("Your search for 'flowers '");
+ }
+}
diff --git a/spring-ldap/.gitignore b/spring-security-modules/spring-ldap/.gitignore
similarity index 100%
rename from spring-ldap/.gitignore
rename to spring-security-modules/spring-ldap/.gitignore
diff --git a/spring-ldap/README.md b/spring-security-modules/spring-ldap/README.md
similarity index 100%
rename from spring-ldap/README.md
rename to spring-security-modules/spring-ldap/README.md
diff --git a/spring-ldap/pom.xml b/spring-security-modules/spring-ldap/pom.xml
similarity index 98%
rename from spring-ldap/pom.xml
rename to spring-security-modules/spring-ldap/pom.xml
index a9882ccb52..60da7d4c0d 100644
--- a/spring-ldap/pom.xml
+++ b/spring-security-modules/spring-ldap/pom.xml
@@ -9,8 +9,8 @@
com.baeldung
- parent-modules
- 1.0.0-SNAPSHOT
+ spring-security-modules
+ 0.0.1-SNAPSHOT
diff --git a/spring-ldap/src/main/java/com/baeldung/ldap/client/LdapClient.java b/spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/client/LdapClient.java
similarity index 100%
rename from spring-ldap/src/main/java/com/baeldung/ldap/client/LdapClient.java
rename to spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/client/LdapClient.java
diff --git a/spring-ldap/src/main/java/com/baeldung/ldap/data/repository/User.java b/spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/data/repository/User.java
similarity index 100%
rename from spring-ldap/src/main/java/com/baeldung/ldap/data/repository/User.java
rename to spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/data/repository/User.java
diff --git a/spring-ldap/src/main/java/com/baeldung/ldap/data/repository/UserRepository.java b/spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/data/repository/UserRepository.java
similarity index 100%
rename from spring-ldap/src/main/java/com/baeldung/ldap/data/repository/UserRepository.java
rename to spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/data/repository/UserRepository.java
diff --git a/spring-ldap/src/main/java/com/baeldung/ldap/data/service/LdapClient.java b/spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/data/service/LdapClient.java
similarity index 100%
rename from spring-ldap/src/main/java/com/baeldung/ldap/data/service/LdapClient.java
rename to spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/data/service/LdapClient.java
diff --git a/spring-ldap/src/main/java/com/baeldung/ldap/data/service/UserService.java b/spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/data/service/UserService.java
similarity index 100%
rename from spring-ldap/src/main/java/com/baeldung/ldap/data/service/UserService.java
rename to spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/data/service/UserService.java
diff --git a/spring-ldap/src/main/java/com/baeldung/ldap/javaconfig/AppConfig.java b/spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/javaconfig/AppConfig.java
similarity index 100%
rename from spring-ldap/src/main/java/com/baeldung/ldap/javaconfig/AppConfig.java
rename to spring-security-modules/spring-ldap/src/main/java/com/baeldung/ldap/javaconfig/AppConfig.java
diff --git a/spring-ldap/src/main/resources/application.properties b/spring-security-modules/spring-ldap/src/main/resources/application.properties
similarity index 100%
rename from spring-ldap/src/main/resources/application.properties
rename to spring-security-modules/spring-ldap/src/main/resources/application.properties
diff --git a/spring-ldap/src/main/resources/logback.xml b/spring-security-modules/spring-ldap/src/main/resources/logback.xml
similarity index 100%
rename from spring-ldap/src/main/resources/logback.xml
rename to spring-security-modules/spring-ldap/src/main/resources/logback.xml
diff --git a/spring-ldap/src/test/java/com/baeldung/ldap/client/LdapClientLiveTest.java b/spring-security-modules/spring-ldap/src/test/java/com/baeldung/ldap/client/LdapClientLiveTest.java
similarity index 100%
rename from spring-ldap/src/test/java/com/baeldung/ldap/client/LdapClientLiveTest.java
rename to spring-security-modules/spring-ldap/src/test/java/com/baeldung/ldap/client/LdapClientLiveTest.java
diff --git a/spring-ldap/src/test/java/com/baeldung/ldap/client/LdapDataRepositoryIntegrationTest.java b/spring-security-modules/spring-ldap/src/test/java/com/baeldung/ldap/client/LdapDataRepositoryIntegrationTest.java
similarity index 100%
rename from spring-ldap/src/test/java/com/baeldung/ldap/client/LdapDataRepositoryIntegrationTest.java
rename to spring-security-modules/spring-ldap/src/test/java/com/baeldung/ldap/client/LdapDataRepositoryIntegrationTest.java
diff --git a/spring-ldap/src/test/java/com/baeldung/ldap/javaconfig/TestConfig.java b/spring-security-modules/spring-ldap/src/test/java/com/baeldung/ldap/javaconfig/TestConfig.java
similarity index 100%
rename from spring-ldap/src/test/java/com/baeldung/ldap/javaconfig/TestConfig.java
rename to spring-security-modules/spring-ldap/src/test/java/com/baeldung/ldap/javaconfig/TestConfig.java
diff --git a/spring-ldap/src/test/java/org/baeldung/SpringContextTest.java b/spring-security-modules/spring-ldap/src/test/java/org/baeldung/SpringContextTest.java
similarity index 100%
rename from spring-ldap/src/test/java/org/baeldung/SpringContextTest.java
rename to spring-security-modules/spring-ldap/src/test/java/org/baeldung/SpringContextTest.java
diff --git a/spring-ldap/src/test/resources/test.ldif b/spring-security-modules/spring-ldap/src/test/resources/test.ldif
similarity index 100%
rename from spring-ldap/src/test/resources/test.ldif
rename to spring-security-modules/spring-ldap/src/test/resources/test.ldif
diff --git a/spring-ldap/src/test/resources/test_application.properties b/spring-security-modules/spring-ldap/src/test/resources/test_application.properties
similarity index 100%
rename from spring-ldap/src/test/resources/test_application.properties
rename to spring-security-modules/spring-ldap/src/test/resources/test_application.properties
diff --git a/spring-security-modules/spring-security-kotlin-dsl/README.md b/spring-security-modules/spring-security-kotlin-dsl/README.md
deleted file mode 100644
index 39e521d84e..0000000000
--- a/spring-security-modules/spring-security-kotlin-dsl/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-### Relevant Articles:
-
-- [Spring Security with Kotlin DSL](https://www.baeldung.com/kotlin/spring-security-dsl)
diff --git a/spring-security-modules/spring-security-kotlin-dsl/pom.xml b/spring-security-modules/spring-security-kotlin-dsl/pom.xml
deleted file mode 100644
index 24e99decfb..0000000000
--- a/spring-security-modules/spring-security-kotlin-dsl/pom.xml
+++ /dev/null
@@ -1,87 +0,0 @@
-
-
- 4.0.0
-
- com.baeldung
- parent-boot-2
- 0.0.1-SNAPSHOT
- ../../parent-boot-2
-
-
- com.baeldung.spring.security.dsl
- spring-security-kotlin-dsl
- 1.0
- spring-security-kotlin-dsl
- Spring Security Kotlin DSL
-
-
-
- org.springframework.boot
- spring-boot-starter-security
-
-
- org.springframework.boot
- spring-boot-starter-web
-
-
- com.fasterxml.jackson.module
- jackson-module-kotlin
-
-
- org.jetbrains.kotlin
- kotlin-reflect
-
-
- org.jetbrains.kotlin
- kotlin-stdlib-jdk8
-
-
-
- org.projectlombok
- lombok
- true
-
-
- org.springframework.boot
- spring-boot-starter-test
- test
-
-
-
-
- ${project.basedir}/src/main/kotlin
- ${project.basedir}/src/test/kotlin
-
-
- org.springframework.boot
- spring-boot-maven-plugin
-
-
- org.jetbrains.kotlin
- kotlin-maven-plugin
-
-
- -Xjsr305=strict
-
-
- spring
-
-
-
-
- org.jetbrains.kotlin
- kotlin-maven-allopen
- ${kotlin.version}
-
-
-
-
-
-
-
- 11
- 1.3.72
-
-
-
diff --git a/spring-security-modules/spring-security-kotlin-dsl/src/main/kotlin/com/baeldung/security/kotlin/dsl/SpringSecurityKotlinApplication.kt b/spring-security-modules/spring-security-kotlin-dsl/src/main/kotlin/com/baeldung/security/kotlin/dsl/SpringSecurityKotlinApplication.kt
deleted file mode 100644
index 27cc41c1e5..0000000000
--- a/spring-security-modules/spring-security-kotlin-dsl/src/main/kotlin/com/baeldung/security/kotlin/dsl/SpringSecurityKotlinApplication.kt
+++ /dev/null
@@ -1,71 +0,0 @@
-package com.baeldung.security.kotlin.dsl
-
-import org.springframework.boot.autoconfigure.SpringBootApplication
-import org.springframework.boot.runApplication
-import org.springframework.context.annotation.Configuration
-import org.springframework.context.support.beans
-import org.springframework.core.annotation.Order
-import org.springframework.security.config.annotation.web.builders.HttpSecurity
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
-import org.springframework.security.config.web.servlet.invoke
-import org.springframework.security.core.userdetails.User
-import org.springframework.security.provisioning.InMemoryUserDetailsManager
-import org.springframework.web.servlet.function.ServerResponse
-import org.springframework.web.servlet.function.router
-
-@EnableWebSecurity
-@SpringBootApplication
-class SpringSecurityKotlinApplication
-
-@Order(1)
-@Configuration
-class AdminSecurityConfiguration : WebSecurityConfigurerAdapter() {
- override fun configure(http: HttpSecurity?) {
- http {
- authorizeRequests {
- authorize("/greetings/**", hasAuthority("ROLE_ADMIN"))
- }
- httpBasic {}
- }
- }
-}
-
-@Configuration
-class BasicSecurityConfiguration : WebSecurityConfigurerAdapter() {
- override fun configure(http: HttpSecurity?) {
- http {
- authorizeRequests {
- authorize("/**", permitAll)
- }
- httpBasic {}
- }
- }
-}
-
-fun main(args: Array) {
- runApplication(*args) {
- addInitializers( beans {
- bean {
- fun user(user: String, password: String, vararg roles: String) =
- User
- .withDefaultPasswordEncoder()
- .username(user)
- .password(password)
- .roles(*roles)
- .build()
-
- InMemoryUserDetailsManager(user("user", "password", "USER")
- , user("admin", "password", "USER", "ADMIN"))
- }
-
- bean {
- router {
- GET("/greetings") {
- request -> request.principal().map { it.name }.map { ServerResponse.ok().body(mapOf("greeting" to "Hello $it")) }.orElseGet { ServerResponse.badRequest().build() }
- }
- }
- }
- })
- }
-}
diff --git a/spring-security-modules/spring-security-kotlin-dsl/src/test/kotlin/com/spring/security/kotlin/dsl/SpringSecurityKotlinApplicationTests.kt b/spring-security-modules/spring-security-kotlin-dsl/src/test/kotlin/com/spring/security/kotlin/dsl/SpringSecurityKotlinApplicationTests.kt
deleted file mode 100644
index 3da8110feb..0000000000
--- a/spring-security-modules/spring-security-kotlin-dsl/src/test/kotlin/com/spring/security/kotlin/dsl/SpringSecurityKotlinApplicationTests.kt
+++ /dev/null
@@ -1,35 +0,0 @@
-package com.spring.security.kotlin.dsl
-
-import org.junit.jupiter.api.Test
-import org.junit.runner.RunWith
-import org.springframework.beans.factory.annotation.Autowired
-import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
-import org.springframework.boot.test.context.SpringBootTest
-import org.springframework.security.test.context.support.WithMockUser
-import org.springframework.test.context.junit4.SpringRunner
-import org.springframework.test.web.servlet.MockMvc
-import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.*
-import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user
-import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic
-import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated
-import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated
-import org.springframework.test.web.servlet.get
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*
-import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
-
-@RunWith(SpringRunner::class)
-@SpringBootTest
-@AutoConfigureMockMvc
-class SpringSecurityKotlinApplicationTests {
-
- @Autowired
- private lateinit var mockMvc: MockMvc
-
- @Test
- fun `ordinary user not permitted to access the endpoint`() {
- this.mockMvc
- .perform(get("/greetings")
- .with(httpBasic("user", "password")))
- .andExpect(unauthenticated())
- }
-}
diff --git a/spring-security-modules/spring-security-oauth2-sso/pom.xml b/spring-security-modules/spring-security-oauth2-sso/pom.xml
index ed4b1d64ba..a272ba5b50 100644
--- a/spring-security-modules/spring-security-oauth2-sso/pom.xml
+++ b/spring-security-modules/spring-security-oauth2-sso/pom.xml
@@ -24,8 +24,8 @@
3.1.0
- 2.3.3.RELEASE
- 2.1.1.RELEASE
+ 2.4.0.RELEASE
+ 2.4.0
1.0.1.RELEASE
2.0.0-M2
diff --git a/spring-security-modules/spring-security-oauth2-sso/spring-security-sso-ui-2/src/main/resources/application.yml b/spring-security-modules/spring-security-oauth2-sso/spring-security-sso-ui-2/src/main/resources/application.yml
index 97c8de7839..8cee9f24d5 100644
--- a/spring-security-modules/spring-security-oauth2-sso/spring-security-sso-ui-2/src/main/resources/application.yml
+++ b/spring-security-modules/spring-security-oauth2-sso/spring-security-sso-ui-2/src/main/resources/application.yml
@@ -2,6 +2,7 @@ server:
port: 8083
servlet:
context-path: /ui2
+ register-default-servlet: true
session:
cookie:
name: UI2SESSION
diff --git a/spring-security-modules/spring-security-oauth2-sso/spring-security-sso-ui/src/main/resources/application.yml b/spring-security-modules/spring-security-oauth2-sso/spring-security-sso-ui/src/main/resources/application.yml
index d1d9ea6ebc..f98dee9429 100644
--- a/spring-security-modules/spring-security-oauth2-sso/spring-security-sso-ui/src/main/resources/application.yml
+++ b/spring-security-modules/spring-security-oauth2-sso/spring-security-sso-ui/src/main/resources/application.yml
@@ -2,6 +2,7 @@ server:
port: 8082
servlet:
context-path: /ui
+ register-default-servlet: true
session:
cookie:
name: UISESSION
diff --git a/spring-security-modules/spring-security-oidc/README.md b/spring-security-modules/spring-security-oidc/README.md
index 5e8f391b96..92ba60cad9 100644
--- a/spring-security-modules/spring-security-oidc/README.md
+++ b/spring-security-modules/spring-security-oidc/README.md
@@ -4,7 +4,7 @@ This module contains articles about OpenID with Spring Security
### Relevant articles
-- [Spring Security and OpenID Connect (Legacy)](https://www.baeldung.com/spring-security-openid-connect-legacy)
+- [Spring Security and OpenID Connect](https://www.baeldung.com/spring-security-openid-connect)
### OpenID Connect with Spring Security
diff --git a/spring-security-modules/spring-security-saml/README.md b/spring-security-modules/spring-security-saml/README.md
new file mode 100644
index 0000000000..271b29632e
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/README.md
@@ -0,0 +1,3 @@
+### Relevant Articles:
+
+- [A Guide to SAML with Spring Security](https://www.baeldung.com/spring-security-saml)
diff --git a/spring-security-modules/spring-security-saml/pom.xml b/spring-security-modules/spring-security-saml/pom.xml
new file mode 100644
index 0000000000..561582045a
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/pom.xml
@@ -0,0 +1,73 @@
+
+
+ 4.0.0
+ spring-security-saml
+ 1.0-SNAPSHOT
+ spring-security-saml
+ war
+
+
+ com.baeldung
+ parent-boot-2
+ 0.0.1-SNAPSHOT
+ ../../parent-boot-2
+
+
+
+ Shibboleth
+ Shibboleth
+ https://build.shibboleth.net/nexus/content/repositories/releases/
+
+
+
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+ org.springframework.boot
+ spring-boot-starter-security
+
+
+ org.springframework.boot
+ spring-boot-starter-thymeleaf
+
+
+ org.springframework.security.extensions
+ spring-security-saml2-core
+ ${saml2-core.spring.version}
+
+
+
+
+ spring-security-saml
+
+
+ src/main/resources
+
+
+
+
+ org.springframework.boot
+ spring-boot-maven-plugin
+
+ true
+
+
+
+
+ repackage
+
+
+
+
+
+
+
+
+ 1.0.10.RELEASE
+
+
diff --git a/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/Application.java b/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/Application.java
new file mode 100644
index 0000000000..39eaa46424
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/Application.java
@@ -0,0 +1,11 @@
+package com.baeldung.saml;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Application {
+ public static void main(String... args) {
+ SpringApplication.run(Application.class, args);
+ }
+}
diff --git a/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/authentication/CustomSAMLAuthenticationProvider.java b/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/authentication/CustomSAMLAuthenticationProvider.java
new file mode 100644
index 0000000000..b35a72763d
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/authentication/CustomSAMLAuthenticationProvider.java
@@ -0,0 +1,28 @@
+package com.baeldung.saml.authentication;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
+import org.springframework.security.saml.SAMLAuthenticationProvider;
+import org.springframework.security.saml.SAMLCredential;
+
+public class CustomSAMLAuthenticationProvider extends SAMLAuthenticationProvider {
+
+ @Override
+ public Collection getEntitlements(SAMLCredential credential, Object userDetail) {
+
+ if(userDetail instanceof ExpiringUsernameAuthenticationToken) {
+ List authorities = new ArrayList();
+ authorities.addAll(((ExpiringUsernameAuthenticationToken) userDetail).getAuthorities());
+ return authorities;
+
+ } else {
+ return Collections.emptyList();
+ }
+ }
+
+}
diff --git a/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/config/SamlSecurityConfig.java b/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/config/SamlSecurityConfig.java
new file mode 100644
index 0000000000..378db478cf
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/config/SamlSecurityConfig.java
@@ -0,0 +1,226 @@
+package com.baeldung.saml.config;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.util.resource.ResourceException;
+import org.opensaml.xml.parse.StaticBasicParserPool;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.DefaultResourceLoader;
+import org.springframework.core.io.Resource;
+import org.springframework.security.saml.*;
+import org.springframework.security.saml.context.SAMLContextProviderImpl;
+import org.springframework.security.saml.key.JKSKeyManager;
+import org.springframework.security.saml.key.KeyManager;
+import org.springframework.security.saml.log.SAMLDefaultLogger;
+import org.springframework.security.saml.metadata.CachingMetadataManager;
+import org.springframework.security.saml.metadata.ExtendedMetadata;
+import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
+import org.springframework.security.saml.processor.*;
+import org.springframework.security.saml.util.VelocityFactory;
+import org.springframework.security.saml.websso.*;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
+
+import com.baeldung.saml.authentication.CustomSAMLAuthenticationProvider;
+
+@Configuration
+public class SamlSecurityConfig {
+
+ @Value("${saml.keystore.location}")
+ private String samlKeystoreLocation;
+
+ @Value("${saml.keystore.password}")
+ private String samlKeystorePassword;
+
+ @Value("${saml.keystore.alias}")
+ private String samlKeystoreAlias;
+
+ @Value("${saml.idp}")
+ private String defaultIdp;
+
+ @Bean(initMethod = "initialize")
+ public StaticBasicParserPool parserPool() {
+ return new StaticBasicParserPool();
+ }
+
+ @Bean
+ public SAMLAuthenticationProvider samlAuthenticationProvider() {
+ return new CustomSAMLAuthenticationProvider();
+ }
+
+ @Bean
+ public SAMLContextProviderImpl contextProvider() {
+ return new SAMLContextProviderImpl();
+ }
+
+ @Bean
+ public static SAMLBootstrap samlBootstrap() {
+ return new SAMLBootstrap();
+ }
+
+ @Bean
+ public SAMLDefaultLogger samlLogger() {
+ return new SAMLDefaultLogger();
+ }
+
+ @Bean
+ public WebSSOProfileConsumer webSSOprofileConsumer() {
+ return new WebSSOProfileConsumerImpl();
+ }
+
+ @Bean
+ @Qualifier("hokWebSSOprofileConsumer")
+ public WebSSOProfileConsumerHoKImpl hokWebSSOProfileConsumer() {
+ return new WebSSOProfileConsumerHoKImpl();
+ }
+
+ @Bean
+ public WebSSOProfile webSSOprofile() {
+ return new WebSSOProfileImpl();
+ }
+
+ @Bean
+ public WebSSOProfileConsumerHoKImpl hokWebSSOProfile() {
+ return new WebSSOProfileConsumerHoKImpl();
+ }
+
+ @Bean
+ public WebSSOProfileECPImpl ecpProfile() {
+ return new WebSSOProfileECPImpl();
+ }
+
+ @Bean
+ public SingleLogoutProfile logoutProfile() {
+ return new SingleLogoutProfileImpl();
+ }
+
+ @Bean
+ public KeyManager keyManager() {
+ DefaultResourceLoader loader = new DefaultResourceLoader();
+ Resource storeFile = loader.getResource(samlKeystoreLocation);
+ Map passwords = new HashMap<>();
+ passwords.put(samlKeystoreAlias, samlKeystorePassword);
+ return new JKSKeyManager(storeFile, samlKeystorePassword, passwords, samlKeystoreAlias);
+ }
+
+ @Bean
+ public WebSSOProfileOptions defaultWebSSOProfileOptions() {
+ WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
+ webSSOProfileOptions.setIncludeScoping(false);
+ return webSSOProfileOptions;
+ }
+
+ @Bean
+ public SAMLEntryPoint samlEntryPoint() {
+ SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
+ samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
+ return samlEntryPoint;
+ }
+
+ @Bean
+ public ExtendedMetadata extendedMetadata() {
+ ExtendedMetadata extendedMetadata = new ExtendedMetadata();
+ extendedMetadata.setIdpDiscoveryEnabled(false);
+ extendedMetadata.setSignMetadata(false);
+ return extendedMetadata;
+ }
+
+ @Bean
+ @Qualifier("okta")
+ public ExtendedMetadataDelegate oktaExtendedMetadataProvider() throws MetadataProviderException {
+ File metadata = null;
+ try {
+ metadata = new File("./src/main/resources/saml/metadata/sso.xml");
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ FilesystemMetadataProvider provider = new FilesystemMetadataProvider(metadata);
+ provider.setParserPool(parserPool());
+ return new ExtendedMetadataDelegate(provider, extendedMetadata());
+ }
+
+ @Bean
+ @Qualifier("metadata")
+ public CachingMetadataManager metadata() throws MetadataProviderException, ResourceException {
+ List providers = new ArrayList<>();
+ providers.add(oktaExtendedMetadataProvider());
+ CachingMetadataManager metadataManager = new CachingMetadataManager(providers);
+ metadataManager.setDefaultIDP(defaultIdp);
+ return metadataManager;
+ }
+
+ @Bean
+ @Qualifier("saml")
+ public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
+ SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler = new SavedRequestAwareAuthenticationSuccessHandler();
+ successRedirectHandler.setDefaultTargetUrl("/home");
+ return successRedirectHandler;
+ }
+
+ @Bean
+ @Qualifier("saml")
+ public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
+ SimpleUrlAuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
+ failureHandler.setUseForward(true);
+ failureHandler.setDefaultFailureUrl("/error");
+ return failureHandler;
+ }
+
+ @Bean
+ public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
+ SimpleUrlLogoutSuccessHandler successLogoutHandler = new SimpleUrlLogoutSuccessHandler();
+ successLogoutHandler.setDefaultTargetUrl("/");
+ return successLogoutHandler;
+ }
+
+ @Bean
+ public SecurityContextLogoutHandler logoutHandler() {
+ SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
+ logoutHandler.setInvalidateHttpSession(true);
+ logoutHandler.setClearAuthentication(true);
+ return logoutHandler;
+ }
+
+ @Bean
+ public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
+ return new SAMLLogoutProcessingFilter(successLogoutHandler(), logoutHandler());
+ }
+
+ @Bean
+ public SAMLLogoutFilter samlLogoutFilter() {
+ return new SAMLLogoutFilter(successLogoutHandler(),
+ new LogoutHandler[] { logoutHandler() },
+ new LogoutHandler[] { logoutHandler() });
+ }
+
+ @Bean
+ public HTTPPostBinding httpPostBinding() {
+ return new HTTPPostBinding(parserPool(), VelocityFactory.getEngine());
+ }
+
+ @Bean
+ public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() {
+ return new HTTPRedirectDeflateBinding(parserPool());
+ }
+
+ @Bean
+ public SAMLProcessorImpl processor() {
+ ArrayList bindings = new ArrayList<>();
+ bindings.add(httpRedirectDeflateBinding());
+ bindings.add(httpPostBinding());
+ return new SAMLProcessorImpl(bindings);
+ }
+}
diff --git a/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/config/WebSecurityConfig.java b/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/config/WebSecurityConfig.java
new file mode 100644
index 0000000000..297c391823
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/config/WebSecurityConfig.java
@@ -0,0 +1,152 @@
+package com.baeldung.saml.config;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.saml.*;
+import org.springframework.security.saml.key.KeyManager;
+import org.springframework.security.saml.metadata.*;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.channel.ChannelProcessingFilter;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(securedEnabled = true)
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Value("${saml.sp}")
+ private String samlAudience;
+
+ @Autowired
+ @Qualifier("saml")
+ private SavedRequestAwareAuthenticationSuccessHandler samlAuthSuccessHandler;
+
+ @Autowired
+ @Qualifier("saml")
+ private SimpleUrlAuthenticationFailureHandler samlAuthFailureHandler;
+
+ @Autowired
+ private SAMLEntryPoint samlEntryPoint;
+
+ @Autowired
+ private SAMLLogoutFilter samlLogoutFilter;
+
+ @Autowired
+ private SAMLLogoutProcessingFilter samlLogoutProcessingFilter;
+
+ @Bean
+ public SAMLDiscovery samlDiscovery() {
+ SAMLDiscovery idpDiscovery = new SAMLDiscovery();
+ return idpDiscovery;
+ }
+
+ @Autowired
+ private SAMLAuthenticationProvider samlAuthenticationProvider;
+
+ @Autowired
+ private ExtendedMetadata extendedMetadata;
+
+ @Autowired
+ private KeyManager keyManager;
+
+ public MetadataGenerator metadataGenerator() {
+ MetadataGenerator metadataGenerator = new MetadataGenerator();
+ metadataGenerator.setEntityId(samlAudience);
+ metadataGenerator.setExtendedMetadata(extendedMetadata);
+ metadataGenerator.setIncludeDiscoveryExtension(false);
+ metadataGenerator.setKeyManager(keyManager);
+ return metadataGenerator;
+ }
+
+ @Bean
+ public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
+ SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
+ samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager());
+ samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(samlAuthSuccessHandler);
+ samlWebSSOProcessingFilter.setAuthenticationFailureHandler(samlAuthFailureHandler);
+ return samlWebSSOProcessingFilter;
+ }
+
+ @Bean
+ public FilterChainProxy samlFilter() throws Exception {
+ List chains = new ArrayList<>();
+ chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"),
+ samlWebSSOProcessingFilter()));
+ chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/discovery/**"),
+ samlDiscovery()));
+ chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"),
+ samlEntryPoint));
+ chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"),
+ samlLogoutFilter));
+ chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"),
+ samlLogoutProcessingFilter));
+ return new FilterChainProxy(chains);
+ }
+
+ @Bean
+ @Override
+ public AuthenticationManager authenticationManagerBean() throws Exception {
+ return super.authenticationManagerBean();
+ }
+
+ @Bean
+ public MetadataGeneratorFilter metadataGeneratorFilter() {
+ return new MetadataGeneratorFilter(metadataGenerator());
+ }
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http
+ .csrf()
+ .disable();
+
+ http
+ .httpBasic()
+ .authenticationEntryPoint(samlEntryPoint);
+
+ http
+ .addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
+ .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class)
+ .addFilterBefore(samlFilter(), CsrfFilter.class);
+
+ http
+ .authorizeRequests()
+ .antMatchers("/").permitAll()
+ .anyRequest().authenticated();
+
+ http
+ .logout()
+ .addLogoutHandler((request, response, authentication) -> {
+ try {
+ response.sendRedirect("/saml/logout");
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ });
+ }
+
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ auth.authenticationProvider(samlAuthenticationProvider);
+ }
+
+}
diff --git a/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/controller/HomeController.java b/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/controller/HomeController.java
new file mode 100644
index 0000000000..e77933b8f3
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/src/main/java/com/baeldung/saml/controller/HomeController.java
@@ -0,0 +1,35 @@
+package com.baeldung.saml.controller;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+public class HomeController {
+
+ @RequestMapping("/")
+ public String index() {
+ return "index";
+ }
+
+ @GetMapping(value = "/auth")
+ public String handleSamlAuth() {
+ Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+ if (auth != null) {
+ return "redirect:/home";
+ } else {
+ return "/";
+ }
+ }
+
+ @RequestMapping("/home")
+ public String home(Model model) {
+ Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ model.addAttribute("username", authentication.getPrincipal());
+ return "home";
+ }
+
+}
diff --git a/spring-security-modules/spring-security-saml/src/main/resources/application.properties b/spring-security-modules/spring-security-saml/src/main/resources/application.properties
new file mode 100644
index 0000000000..f9d6a5df3c
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/src/main/resources/application.properties
@@ -0,0 +1,6 @@
+saml.keystore.location=classpath:/saml/samlKeystore.jks
+saml.keystore.password=
+saml.keystore.alias=
+
+saml.idp=
+saml.sp=http://localhost:8080/saml/metadata
\ No newline at end of file
diff --git a/spring-security-modules/spring-security-saml/src/main/resources/saml/metadata/sso.xml b/spring-security-modules/spring-security-saml/src/main/resources/saml/metadata/sso.xml
new file mode 100644
index 0000000000..2d3258de12
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/src/main/resources/saml/metadata/sso.xml
@@ -0,0 +1,44 @@
+
+
+
+
+
+
+ MIIDpDCCAoygAwIBAgIGAXGiSQ7ZMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
+ A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+ MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi05MjY2NjYxHDAaBgkqhkiG9w0BCQEW
+ DWluZm9Ab2t0YS5jb20wHhcNMjAwNDIyMTQyNjA5WhcNMzAwNDIyMTQyNzA5WjCBkjELMAkGA1UE
+ BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
+ BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtOTI2NjY2MRwwGgYJ
+ KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+ g1rQYYqeVx2gl/UUnLJzp5hrm06VOILJB9hIUmNqXgWV3UjzDq/zX0KW8MENjsO7+S8a+LLnYRkb
+ N5egH9FSt8AHtB1pmfXDtpUQmWe9yJbNxbCISoc6XzCmaRw3HRv9pK5SciIutciz9lvFaHMWAWtP
+ MmQSKdhMet52tuf6sTy4ODeXjyMnD9q5QOKww1SJ678wjHbGRRhNvCxvTSAH33sa4oNCf2RvP9hp
+ NiJRcYW9yLZXmZArPQOuAx5PIXfHhK2e4ac39YO4fgO7gwU5TZ+vL7o6iEmd9tk44PrND0ZV5yzZ
+ +Y33Hiun3fIiZu/nZZGUjm4k4exl8JJpwrVTHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBcfHcL
+ 2DjTjZGoANF4dPpGXTYdVnL/XzGiLS+3LR/HDrEz/EqsHouF40RnzdZ7Ax7RReKBYCUUqHpSE+LU
+ ductz2ANguzyseGEn72I4Ym4ytQWnFyTXeW+xI9CoCLGfOUhT1hlKjsu/qNM8qwKFPWkzQp7mDN8
+ S9MGhsnbiyeD/lceAEKw16Os73/sX2j7F+43WVCYRDCRB8pRIPfcqYLXUIUSstQlwEvCF7HyeO4+
+ jxKHA1tp9Cpmj7/VD9TE3fyvrbVmfjTbKjF7/0wYQNfbHDDko0ratDMAizG5/d3i9wk9KbGCHSxT
+ ph5nl1pdjKgAYPK0iNDnGCZbGKzXOrqV
+
+
+
+
+ urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+
+ urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+
+
+
+
+
\ No newline at end of file
diff --git a/spring-security-modules/spring-security-saml/src/main/resources/saml/samlKeystore.jks b/spring-security-modules/spring-security-saml/src/main/resources/saml/samlKeystore.jks
new file mode 100644
index 0000000000..7f3a5850d9
Binary files /dev/null and b/spring-security-modules/spring-security-saml/src/main/resources/saml/samlKeystore.jks differ
diff --git a/spring-security-modules/spring-security-saml/src/main/resources/templates/error.html b/spring-security-modules/spring-security-saml/src/main/resources/templates/error.html
new file mode 100644
index 0000000000..7223ee43fd
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/src/main/resources/templates/error.html
@@ -0,0 +1,13 @@
+
+
+
+ Something went wrong
+
+
+
+ An error occurred
+
+
Welcome!
You are successfully logged in!
+ You are logged as null.
+
+ Logout
+
+
+
\ No newline at end of file
diff --git a/spring-security-modules/spring-security-saml/src/main/resources/templates/index.html b/spring-security-modules/spring-security-saml/src/main/resources/templates/index.html
new file mode 100644
index 0000000000..7999c2fded
--- /dev/null
+++ b/spring-security-modules/spring-security-saml/src/main/resources/templates/index.html
@@ -0,0 +1,10 @@
+
+
+
+Baeldung Spring Security SAML
+
+
+ Welcome to Baeldung Spring Security SAML
+ Login
+
+
\ No newline at end of file
diff --git a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/loginredirect/LoginPageInterceptor.java b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/loginredirect/LoginPageInterceptor.java
index aa93201f37..f08b824369 100644
--- a/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/loginredirect/LoginPageInterceptor.java
+++ b/spring-security-modules/spring-security-web-boot-2/src/main/java/com/baeldung/loginredirect/LoginPageInterceptor.java
@@ -1,16 +1,16 @@
package com.baeldung.loginredirect;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.http.HttpStatus;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.util.UrlPathHelper;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-class LoginPageInterceptor extends HandlerInterceptorAdapter {
+class LoginPageInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
diff --git a/spring-security-modules/spring-security-web-mvc/pom.xml b/spring-security-modules/spring-security-web-mvc/pom.xml
index 2651b3a0f2..b1e94b2db3 100644
--- a/spring-security-modules/spring-security-web-mvc/pom.xml
+++ b/spring-security-modules/spring-security-web-mvc/pom.xml
@@ -61,27 +61,6 @@
spring-boot-starter-test
test