Provide templating or extension to generate SAML2 POST form

[tkupka]

The Saml2WebSsoAuthenticationRequestFilter#createSamlPostRequestFormData(...) should allow to customize generated HTML form for SAML2 login request.

The Saml2WebSsoAuthenticationRequestFilter#createSamlPostRequestFormData(...) create a HTML form which is hardcoded. It should supports custom form generation by adding a templating or providing extension for custom implementation.
The existing implementation uses <body onload=\"document.forms[0].submit()\"> which is preventing for adopting stricter CSP see https://csp.withgoogle.com/docs/adopting-csp.html. The onLoad event handler must be added from extrenal js file.

[jzheaux]

@tkupka, thanks for the report.

I think Saml2WebSsoAuthenticationRequestFilter can be changed in the following way:

• Save the Saml2AuthenticationRequest to a request attribute
• Allow for configuring a custom forwarding URL
• If the custom forwarding URL is set, then the dispatcher forwards to that URL; otherwise the default HTML is used.

With this arrangement, you can introduce an endpoint that retrieves the Saml2AuthenticationRequest as a request attribute and render your own UI.

Does this sound like it would address your concerns? If so, are you able to submit a PR?

[tkupka]

Hello Josh,
the proposed solution is feasible but it looks slightly overcomplicated with custom forwarding URL which is responsible for rendering the UI. I looked through the code and the same issue might affect 3 places.

• Saml2WebSsoAuthenticationRequestFilter
• Saml2LogoutRequestFilter
• Saml2RelyingPartyInitiatedLogoutSuccessHandler

I had in the mind that instead of hardcoding the page content you might have freemarker template for example. The default would be included in the archive and custom one can be configured in the same way like forwarding URL (for all 3 places). This would give implementor easy way to change generated page with no additional code.

On the other hand the I see bigger flexibility with custom endpoint which renders the UI. But it requires overhead with coding custom endpoint(s).

What do you think about templating solution ? I can provide PR with the fix.

[jzheaux]

Thanks for the idea, @tkupka. I agree that using Freemarker could also achieve this; however, I don't want to introduce it as a Spring Security dependency. One reason for this is that applications often already have chosen a templating engine for other things, and it's not ideal that Spring Security might force them to bring in an additional one.

Are you okay with instead submitting a PR that supports the custom endpoint?

[tkupka]

OK I see your point it makes no sense to add new dependency just for that. Looking into opensaml-saml-impl I see that they similar approach with velocity template(s). Would it be an option?

##
## Velocity Template for SAML 2 HTTP-POST binding
##
## Velocity context may contain the following properties
## action - String - the action URL for the form
## binding - String - the SAML binding type in use
## RelayState - String - the relay state for the message
## SAMLRequest - String - the Base64 encoded SAML Request
## SAMLResponse - String - the Base64 encoded SAML Response
##
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
        #parse ( "/templates/add-html-head-content.vm" )
    </head>
    <body onload="document.forms[0].submit()">
        <noscript>
            <p>
                <strong>Note:</strong> Since your browser does not support JavaScript,
                you must press the Continue button once to proceed.
            </p>
        </noscript>
        
        <form action="${action}" method="post">
            <div>
                #if($RelayState)<input type="hidden" name="RelayState" value="${RelayState}"/>#end
                
                #if($SAMLRequest)<input type="hidden" name="SAMLRequest" value="${SAMLRequest}"/>#end
                
                #if($SAMLResponse)<input type="hidden" name="SAMLResponse" value="${SAMLResponse}"/>#end
                
            </div>
            <noscript>
                <div>
                    <input type="submit" value="Continue"/>
                </div>
            </noscript>
        </form>
        #parse ( "/templates/add-html-body-content.vm" )
    </body>
</html>