saveAuthenticationRequest should read relayState from authenticationRequest#18872
Open
therepanic wants to merge 1 commit intospring-projects:6.5.xfrom
Open
saveAuthenticationRequest should read relayState from authenticationRequest#18872therepanic wants to merge 1 commit intospring-projects:6.5.xfrom
saveAuthenticationRequest should read relayState from authenticationRequest#18872therepanic wants to merge 1 commit intospring-projects:6.5.xfrom
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
therepanic
commented
Mar 10, 2026
Comment on lines
+57
to
+60
| if (authenticationRequest == null) { | ||
| removeAuthenticationRequest(request, response); | ||
| return; | ||
| } |
Contributor
Author
There was a problem hiding this comment.
Contributor
Author
|
BTW, the mention of deletion and null was made not so long ago: e771ec0 I believe we reached this conclusion based on the logic of |
jzheaux
added
type: bug
Closes spring-projectsgh-18243 Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
jzheaux
approved these changes
Mar 11, 2026
| HttpServletRequest request, HttpServletResponse response) { | ||
| Assert.notNull(authenticationRequest, "authenticationRequest must not be null"); | ||
| String relayState = request.getParameter(Saml2ParameterNames.RELAY_STATE); | ||
| String relayState = authenticationRequest.getRelayState(); |
Contributor
jzheaux
changed the title
saveAuthenticationRequest to read relayState from authenticationRequestsaveAuthenticationRequest should read relayState from authenticationRequest
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I believe there are a number of design implementation mistakes in
CacheSaml2AuthenticationRequestRepository.One of them is that in
CacheSaml2AuthenticationRequest#saveAuthenticationRequest, ifauthenticationRequest == null, we cache the cache itself with a null value, whereas we should be removing it.Furthermore, I believe we should take the relay state directly from
authenticationRequestand not from request, since ourSaml2AuthenticationRequestResolvershould resolve and return an object that should be passed to our method.Closes: gh-18243