This doesn't seem to be the case. I've constructed an app with SPFilter and it still sends an unsigned request.
Looking at SPFilter, this seems to be caused by the following code:
if (!postMethod && !logOutRequest) { // Check if we are already authenticated if (userPrincipal != null) { filterChain.doFilter(servletRequest, servletResponse); return; }
// We need to send request to IDP if (userPrincipal == null) { String relayState = null; try { // TODO: use the handlers to generate the request AuthnRequestType authnRequest = createSAMLRequest(serviceURL, identityURL); sendRequestToIDP(authnRequest, relayState, response); }
catch (Exception e) { throw new ServletException(e); }
return; }
|