Catch SAML CredentialsExpiredException

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/AuthenticationFailureHandler.java

@@ -20,7 +20,10 @@
  */
 package eu.openanalytics.containerproxy.auth.impl.saml;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.opensaml.common.SAMLException;
+import org.springframework.security.authentication.CredentialsExpiredException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContext;
@@ -34,11 +37,14 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import java.io.IOException;
+import java.util.Objects;
 
 import static eu.openanalytics.containerproxy.auth.impl.saml.AlreadyLoggedInFilter.REQ_PROP_AUTH_BEFORE_SSO;
 
 public class AuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
 
+    private final Logger logger = LogManager.getLogger(getClass());
+
     public void onAuthenticationFailure(HttpServletRequest request,
                                         HttpServletResponse response, AuthenticationException exception)
             throws IOException, ServletException {
@@ -59,6 +65,11 @@ public void onAuthenticationFailure(HttpServletRequest request,
                     || samlException.getMessage().startsWith("InResponseToField of the Response doesn't correspond to sent message"))
                     || samlException.getMessage().equals("Unsupported request")) {
                 response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/").build().toUriString());
+                return;
+            } else if (samlException.getCause() instanceof CredentialsExpiredException) {
+                logger.warn("The credentials of the user has expired, this typically indicates a misconfiguration, see https://shinyproxy.io/faq/#the-credentials-of-the-user-expire-when-using-saml for more information!");
+                response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/auth-error").build().toUriString());
+                return;
             }
         }
 

src/main/resources/templates/auth-error.html

@@ -39,8 +39,8 @@
 <body>
 	<div class="container">
 		<h2>An error occurred during the authentication procedure.</h2>
-		<p><b>If you are a user of <span th:text="${application_name}"></span>:</b> please report this issue to your administrator.</p>
-		<p><b>If you are an administrator of <span th:text="${application_name}"></span>:</b> this error page is typically shown because of an configuration error in the OpenID setup. See the ShinyProxy logs for more information.</p>
+		<p><b>If you are a user of <span th:text="${application_name}"></span>:</b> please report this issue to your administrator and try to log out from your Identity Provider.</p>
+		<p><b>If you are an administrator of <span th:text="${application_name}"></span>:</b> this error page is typically shown because of an configuration error in the authentication setup. See the ShinyProxy logs for more information.</p>
 	</div>
 
 <style>