From f25e15aae2ae30e4b64626d6e6e644d60567d69d Mon Sep 17 00:00:00 2001
From: Pim van Nierop
Date: Wed, 4 Oct 2023 16:36:00 +0200
Subject: [PATCH] Use RSA256 algorithm for SAML2 authN statement singing (#10387)
Before, defaulted to insecure SHA1 algorithm. SHA1 support was dropped by Keycloak v22.
---
.../saml/SAMLBootstrapRSA256.java | 18 ++++++++++++++++++
.../resources/applicationContext-security.xml | 3 ++-
2 files changed, 20 insertions(+), 1 deletion(-)
create mode 100644 security/security-spring/src/main/java/org/cbioportal/security/spring/authentication/saml/SAMLBootstrapRSA256.java
diff --git a/security/security-spring/src/main/java/org/cbioportal/security/spring/authentication/saml/SAMLBootstrapRSA256.java b/security/security-spring/src/main/java/org/cbioportal/security/spring/authentication/saml/SAMLBootstrapRSA256.java
new file mode 100644
index 00000000000..d3184e39949
--- /dev/null
+++ b/security/security-spring/src/main/java/org/cbioportal/security/spring/authentication/saml/SAMLBootstrapRSA256.java
@@ -0,0 +1,18 @@
+package org.cbioportal.security.spring.authentication.saml;
+
+import org.opensaml.Configuration;
+import org.opensaml.xml.security.BasicSecurityConfiguration;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.security.saml.SAMLBootstrap;
+
+public class SAMLBootstrapRSA256 extends SAMLBootstrap {
+ @Override
+ public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
+ super.postProcessBeanFactory(beanFactory);
+ BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
+ config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+ config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+ }
+}
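Review bot: The cast of `Configuration.getGlobalSecurityConfiguration()` in postProcessBeanFactory is unchecked, so if the global configuration is not a BasicSecurityConfiguration the bootstrap fails with a bare ClassCastException that gives no hint that SAML signing setup is what broke; a guard such as `Object global = Configuration.getGlobalSecurityConfiguration();` followed by `if (!(global instanceof BasicSecurityConfiguration)) throw new IllegalStateException("Cannot set RSA-SHA256 signing defaults: unexpected global security configuration " + global.getClass());` names the failure at startup. Note also that the two calls change only what this service provider produces when it signs (the signature URI registered for RSA keys and the reference digest); whether SHA-1-signed responses from the IdP are still accepted is not touched by this hunk and, if that is also a goal, has to be addressed on the validation side. The new class carries no Javadoc; a header along the lines of `Replaces OpenSAML's SHA-1 signing defaults with RSA-SHA256 and SHA-256 digests after the standard SAMLBootstrap has run, because Keycloak v22 no longer accepts SHA-1.` would keep the rationale from the commit message next to the code.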
diff --git a/security/security-spring/src/main/resources/applicationContext-security.xml b/security/security-spring/src/main/resources/applicationContext-security.xml
index 4861c75869c..ba581665c25 100644
--- a/security/security-spring/src/main/resources/applicationContext-security.xml
+++ b/security/security-spring/src/main/resources/applicationContext-security.xml
@@ -349,6 +349,7 @@
+
@@ -498,7 +499,7 @@
-
+