Fix for CVE-2021-44228. Core libs have been updated. New test suite.

Dockerfile

@@ -1,6 +1,6 @@
 ############################################################################
 #                                                                          #
-# Copyright 2020 Vincenzo De Notaris                                       #
+# Copyright 2021 Vincenzo De Notaris                                       #
 #                                                                          #
 # Licensed under the Apache License, Version 2.0 (the "License");          #
 # you may not use this file except in compliance with the License.         #

Dockerfile.mvn

@@ -1,6 +1,6 @@
 ############################################################################
 #                                                                          #
-# Copyright 2020 Vincenzo De Notaris                                       #
+# Copyright 2021 Vincenzo De Notaris                                       #
 #                                                                          #
 # Licensed under the Apache License, Version 2.0 (the "License");          #
 # you may not use this file except in compliance with the License.         #

LICENSE

@@ -186,7 +186,7 @@ Apache License
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2020 Vincenzo De Notaris
+   Copyright 2021 Vincenzo De Notaris
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -20,8 +20,8 @@ This project represents a sample implementation of a **SAML 2.0 Service Provider
 
 - **Author:** Vincenzo De Notaris ([[email protected]](mailto:[email protected]))
 - **Website:** [www.vdenotaris.com](http://www.vdenotaris.com)
-- **Version:**  ` 2.3.1.RELEASE`
-- **Last update**: February 15th, 2020
+- **Version:**  ` 2.4.0.RELEASE`
+- **Last update**: December 19th, 2021
 
 Thanks to *Vladimír Schäfer* ([github.com/vschafer](https://github.com/vschafer)) for supporting my work.
 
@@ -39,6 +39,18 @@ Thanks to *Vladimír Schäfer* ([github.com/vschafer](https://github.com/vschafe
 
 ---------
 
+## Changelog [new]
+
+- Version `2.4.0.RELEASE`:
+-- Update to Spring Boot `2.6.1`
+-- Update to JUnit `5`
+-- Update to Log4J `2.17.0` (see: [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228))
+-- Update to Jackson `2.13.0`
+-- Update to Apache Commons `4.4`
+-- A circular reference exists between the beans `samlEntryPoint` and `samlIDPDiscovery` that depends on the original design of the core *Spring SAML extension* library.
+
+---------
+
 ## Walkthrough
 
 ### Run as Docker container
@@ -56,7 +68,7 @@ docker run -it --rm -p 8080:8080 -t vdenotaris/spring-saml-sp:latest
 or compile the code and run the application with Maven:
 
 ```
-docker run -it --rm -p 8080:8080 -t vdenotaris/spring-saml-sp:2.3.1-mvn-jdk-8
+docker run -it --rm -p 8080:8080 -t vdenotaris/spring-saml-sp:2.4.0-mvn-jdk-8
 ```
 
 *Note: the related Docker image is publicly available on [Docker Hub](https://hub.docker.com/r/vdenotaris/spring-saml-sp/).*
@@ -108,7 +120,7 @@ To update the SSOCircle certificates within the keystore, just run:
 
 ### License
 
-    Copyright 2020 Vincenzo De Notaris
+    Copyright 2021 Vincenzo De Notaris
 
 	Licensed under the Apache License, Version 2.0 (the "License");
 	you may not use this file except in compliance with the License.

pom.xml

@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.vdenotaris.spring</groupId>
     <artifactId>spring-boot-security-saml-sample</artifactId>
-    <version>2.3.1.RELEASE</version>
+    <version>2.4.0.RELEASE</version>
     <packaging>jar</packaging>
     <!-- Project description -->
     <name>Spring Boot sample SAML 2.0 Service Provider</name>
@@ -31,19 +31,21 @@
             <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
         </license>
     </licenses>
-    <inceptionYear>2020</inceptionYear>
+    <inceptionYear>2021</inceptionYear>
     <properties>
         <java.version>1.8</java.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <start-class>com.vdenotaris.spring.boot.security.saml.web.Application</start-class>
-        <jackson.version>2.9.10</jackson.version>
+        <jackson.version>2.13.0</jackson.version>
+		<log4j2.version>2.17.0</log4j2.version>
     </properties>
     <!-- Inherit defaults from Spring Boot -->
     <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.2.4.RELEASE</version>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>2.6.1</version>
+		<relativePath/> <!-- lookup parent from repository -->
     </parent>
     <repositories>
         <repository>
@@ -110,9 +112,9 @@
             </exclusions>
         </dependency>
         <dependency>
-            <groupId>commons-collections</groupId>
-            <artifactId>commons-collections</artifactId>
-            <version>3.2.2</version>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.4</version>
         </dependency>
     </dependencies>
     <scm>

src/main/java/com/vdenotaris/spring/boot/security/saml/web/Application.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/main/java/com/vdenotaris/spring/boot/security/saml/web/config/MvcConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/main/java/com/vdenotaris/spring/boot/security/saml/web/config/WebSecurityConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -473,7 +473,7 @@ public AuthenticationManager authenticationManagerBean() throws Exception {
      * @param   http It allows configuring web based security for specific http requests.
      * @throws  Exception 
      */
-    @Override  
+    @Override 
     protected void configure(HttpSecurity http) throws Exception {
         http
             .httpBasic()

src/main/java/com/vdenotaris/spring/boot/security/saml/web/controllers/LandingController.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/main/java/com/vdenotaris/spring/boot/security/saml/web/controllers/SSOController.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/main/java/com/vdenotaris/spring/boot/security/saml/web/core/CurrentUserHandlerMethodArgumentResolver.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/main/java/com/vdenotaris/spring/boot/security/saml/web/core/SAMLUserDetailsServiceImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/main/java/com/vdenotaris/spring/boot/security/saml/web/stereotypes/CurrentUser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/main/resources/application.properties

@@ -1,4 +1,5 @@
 logging.level.org.springframework.security.saml=DEBUG
 logging.level.org.opensaml=DEBUG
 logging.level.com.vdenotaris.spring.boot.security.saml=DEBUG
-logging.file=logs/file.log
+logging.file=logs/file.log
+spring.main.allow-circular-references=TRUE

src/main/resources/templates/layout.html

@@ -1,6 +1,6 @@
 <!--
     Source: https://github.com/vdenotaris/spring-boot-security-saml-sample
-    Copyright 2020 Vincenzo De Notaris 
+    Copyright 2021 Vincenzo De Notaris 
     Licensed under the Apache License, Version 2.0 (the "License").
 -->
 
@@ -32,7 +32,7 @@
         <h6 class="mb-0 text-white lh-100">Spring Boot &mdash; SAML 2.0 Service Provider</h6>
         <small>
           <span class="badge badge-light">
-            <i class="fas fa-code-branch"></i> github.com/vdenotaris/spring-boot-security-saml-sample/tree/2.3.1.RELEASE
+            <i class="fas fa-code-branch"></i> github.com/vdenotaris/spring-boot-security-saml-sample/tree/2.4.0.RELEASE
           </span>
         </small>
       </div>
@@ -47,7 +47,7 @@ <h6 class="mb-0 text-white lh-100">Spring Boot &mdash; SAML 2.0 Service Provider
     <footer role="footer">
         <ul class="footer-note">
           <li>
-            <i class="far fa-copyright"></i> Copyright 2020 &mdash;
+            <i class="far fa-copyright"></i> Copyright 2021 &mdash;
             <i class="fab fa-linkedin"></i>
             <a href="https://www.linkedin.com/in/vdenotaris/">Vincenzo De Notaris</a>
           </li>

src/test/java/com/vdenotaris/spring/boot/security/saml/web/CommonTestSupport.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/test/java/com/vdenotaris/spring/boot/security/saml/web/TestConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/test/java/com/vdenotaris/spring/boot/security/saml/web/controllers/LandingControllerTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,16 +18,15 @@
 
 import com.vdenotaris.spring.boot.security.saml.web.CommonTestSupport;
 import com.vdenotaris.spring.boot.security.saml.web.TestConfig;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
-import org.mockito.MockitoAnnotations;
 import org.springframework.core.MethodParameter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.context.web.WebAppConfiguration;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.bind.support.WebDataBinderFactory;
@@ -42,7 +41,7 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
-@RunWith(SpringJUnit4ClassRunner.class)
+@ExtendWith(SpringExtension.class)
 @ContextConfiguration(classes = {TestConfig.class})
 @WebAppConfiguration
 public class LandingControllerTest extends CommonTestSupport {
@@ -55,17 +54,17 @@ public class LandingControllerTest extends CommonTestSupport {
 
     private MockMvc mockMvc;
 
-    @Before
+    @BeforeEach
     public void setUp()
     {
-        MockitoAnnotations.initMocks(this);
         mockMvc = standaloneSetup(landingController)
                 .setCustomArgumentResolvers(new MockArgumentResolver())
                 .setSingleView(mockView).build();
     }
 
     @Test
-    public void testAnonymousLanding() throws Exception {
+    public void testAnonymousLanding() throws Exception
+    {
         mockMvc.perform(get("/landing").session(mockHttpSession(true)))
                 .andExpect(status().isOk())
                 .andExpect(model().attribute("username", USER_NAME))

src/test/java/com/vdenotaris/spring/boot/security/saml/web/controllers/SSOControllerTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Vincenzo De Notaris
+ * Copyright 2021 Vincenzo De Notaris
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,16 +18,16 @@
 
 import com.vdenotaris.spring.boot.security.saml.web.CommonTestSupport;
 import com.vdenotaris.spring.boot.security.saml.web.TestConfig;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
-import org.mockito.MockitoAnnotations;
 import org.springframework.security.saml.metadata.MetadataManager;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.context.web.WebAppConfiguration;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.servlet.View;
@@ -44,7 +44,7 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
-@RunWith(SpringJUnit4ClassRunner.class)
+@ExtendWith(SpringExtension.class)
 @ContextConfiguration(classes = {TestConfig.class})
 @WebAppConfiguration
 public class SSOControllerTest extends CommonTestSupport {
@@ -64,10 +64,9 @@ public class SSOControllerTest extends CommonTestSupport {
 
     private MockMvc mockMvc;
 
-    @Before
+    @BeforeEach
     public void setUp()
     {
-        MockitoAnnotations.initMocks(this);
         mockMvc = standaloneSetup(ssoController).setSingleView(mockView).build();
     }