Use RSA256 algorithm for SAML2 authN statement singing (#10387)

Before, defaulted to insecure SHA1 algorithm. SHA1 support was dropped by Keycloak v22.
cBioPortal · Oct 4, 2023 · f25e15a · f25e15a
1 parent 49c95f0
commit f25e15a
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/...src/main/java/org/cbioportal/security/spring/authentication/saml/SAMLBootstrapRSA256.java b/...src/main/java/org/cbioportal/security/spring/authentication/saml/SAMLBootstrapRSA256.java
@@ -0,0 +1,18 @@
+package org.cbioportal.security.spring.authentication.saml;
+
+import org.opensaml.Configuration;
+import org.opensaml.xml.security.BasicSecurityConfiguration;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.security.saml.SAMLBootstrap;
+
+public class SAMLBootstrapRSA256 extends SAMLBootstrap {
+        @Override
+        public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
+            super.postProcessBeanFactory(beanFactory);
+            BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
+            config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+            config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+        }
+}
diff --git a/security/security-spring/src/main/resources/applicationContext-security.xml b/security/security-spring/src/main/resources/applicationContext-security.xml
@@ -349,6 +349,7 @@
                     <b:bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                         <b:property name="idpDiscoveryEnabled" value="true"/>
                         <b:property name="signMetadata" value="false"/>
+                        <b:property name="signingAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                     </b:bean>
                 </b:property>
             </b:bean>
@@ -498,7 +499,7 @@
     </b:bean>
 
     <!-- Initialization of OpenSAML library-->
-    <b:bean class="org.springframework.security.saml.SAMLBootstrap"/>
+    <b:bean class="org.cbioportal.security.spring.authentication.saml.SAMLBootstrapRSA256"/>
 
     <!-- Initialization of the velocity engine -->
     <b:bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>