SAML Http Request Intercept with Spring Boot

Question

In reference to this SO question Add request parameter to SAML request using Spring Security SAML

I am wanting to replace the default HTTPRedirectDeflateBinding bean with my own that has a custom HTTPRedirectDeflateEncoder to add query params to my SAML request.

I'm trying to achieve this with the Spring Boot @Bean auto-configuration annotation and being new to the Java environment I can't seem to get it working right. I can see that my bean is registering on startup but the outbound HTTP request is not being intercepted by it and it appears the original redirectBinding still is.

Here is my bean I added into my Configuration class:

@Bean(name="redirectBinding")
@Primary
public HTTPRedirectDeflateBinding HTTPRedirectDeflateBinding() {
    return new HTTPRedirectDeflateBinding(null, new My_SAML_HttpRedirectDeflateEncoder());
}

Here is my encoder I'm trying to pass into the redirect binding

public class My_SAML_HttpRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder {

    @Override
    protected String buildRedirectURL(SAMLMessageContext messagesContext, String endpointURL, String message)
            throws MessageEncodingException {
        URLBuilder urlBuilder = new URLBuilder(endpointURL);
        List<Pair<String, String>> queryParams = urlBuilder.getQueryParams();
        
        if (messagesContext.getOutboundSAMLMessage() instanceof RequestAbstractType) {
            queryParams.add(new Pair<String, String>("service", "myService"));
            queryParams.add(new Pair<String, String>("serviceType", "dev"));
        }
        
        return urlBuilder.buildURL();
    }
}

I also attempted the solution proposed from this SO response Spring Boot Adding Http Request Interceptors Similar results, my HandlerInterceptor bean was registered but nothing is being intercepted. I feel like I'm missing a small detail. Any help would be appreciated.

Answer 1

1.I think you need to use the super method buildRedirectURL and then add stripped or your custom query params, like this:

@Override
protected String buildRedirectURL(SAMLMessageContext messagesContext, String endpointURL, String message) throws MessageEncodingException {
    URLBuilder redirectUrlBuilder = new URLBuilder(super.buildRedirectURL(messagesContext, endpointURL, message));
    List<Pair<String, String>> queryParams = redirectUrlBuilder.getQueryParams();
    queryParams.addAll(new URLBuilder(endpointURL).getQueryParams());// add stripped query params
    return redirectUrlBuilder.buildURL();
}

2.I am not sure if it fine to pass the null to the HTTPRedirectDeflateBinding as decoder. Alternative would suggest to use the default decoder, which accepts ParserPool.