spring-security icon indicating copy to clipboard operation
spring-security copied to clipboard
verified publisher icon spring-projects

Check for opensaml version on OpenSaml support classes

Open igorpele opened this issue 4 years ago • 3 comments

In OpenSaml support classes the Saml2VersionUtils class is used to check whether a supported version of OpenSaml is found on the classpath.

Closes gh-10567

igorpele avatar Jan 10 '22 22:01 igorpele

Hi @igorpele, just a heads up that we are discussing this solution and I should get back to you soon.

marcusdacoregio avatar Jan 28 '22 11:01 marcusdacoregio

Waiting for https://github.com/spring-projects/spring-security/pull/10817 to get merged, since the way to verify the OpenSAML version may change

marcusdacoregio avatar Mar 11 '22 13:03 marcusdacoregio

Hi @marcusdacoregio is this ok now? But I am not sure, as now if Version.getVersion() returns no value, Saml2VersionUtils.getVersion now returns the OPEN_SAML4_VERSION (4) which always be below 4.1.0 which is supported by spring-security? The "old" approach returned the accurate version of OpenSaml from classpath something like "4.0.1".

Or can I assume that if the class "org.opensaml.core.xml.persist.impl.PassthroughSourceStrategy" is present on the classpath that the OpenSaml version is higher than 4.1.0?

igorpele avatar Sep 14 '22 15:09 igorpele

Hey @igorpele, thanks for your contribution.

Unfortunately, this has not made it into our 5.8 release and we do not have another release planned for the 5.x line. In Spring Security 6, we are only using OpenSAML4, therefore there is no need for a version check.

We might still do something like this if we add OpenSAML5 #11658.

marcusdacoregio avatar Nov 03 '22 17:11 marcusdacoregio