Merge branch '5.8.x' into 6.0.x

Closes gh-12459
spring-projects · Dec 23, 2022 · 9c0a35a · 9c0a35a
2 parents 4551025 + fda0e9a
commit 9c0a35a
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/...ework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java b/...ework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
@@ -23,6 +23,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.function.Consumer;
@@ -674,7 +675,7 @@ private static Map<String, List<Object>> getAssertionAttributes(Assertion assert
 				attributeMap.addAll(attribute.getName(), attributeValues);
 			}
 		}
-		return attributeMap;
+		return new LinkedHashMap<>(attributeMap); // gh-11785
 	}
 
 	private static List<String> getSessionIndexes(Assertion assertion) {

diff --git a/.../security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java b/.../security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
@@ -32,6 +32,7 @@
 
 import javax.xml.namespace.QName;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import net.shibboleth.utilities.java.support.xml.SerializeSupport;
 import org.junit.jupiter.api.Test;
 import org.opensaml.core.xml.XMLObject;
@@ -68,6 +69,7 @@
 
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.jackson2.SecurityJackson2Modules;
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
@@ -349,6 +351,23 @@ public void authenticateWhenAssertionContainsAttributesThenItSucceeds() {
 		assertThat(principal.getSessionIndexes()).contains("session-index");
 	}
 
+	// gh-11785
+	@Test
+	public void deserializeWhenAssertionContainsAttributesThenWorks() throws Exception {
+		ObjectMapper mapper = new ObjectMapper();
+		ClassLoader loader = getClass().getClassLoader();
+		mapper.registerModules(SecurityJackson2Modules.getModules(loader));
+		Response response = response();
+		Assertion assertion = assertion();
+		List<AttributeStatement> attributes = TestOpenSamlObjects.attributeStatements();
+		assertion.getAttributeStatements().addAll(attributes);
+		response.getAssertions().add(signed(assertion));
+		Saml2AuthenticationToken token = token(response, verifying(registration()));
+		Authentication authentication = this.provider.authenticate(token);
+		String result = mapper.writeValueAsString(authentication);
+		mapper.readValue(result, Authentication.class);
+	}
+
 	@Test
 	public void authenticateWhenAssertionContainsCustomAttributesThenItSucceeds() {
 		Response response = response();