Improve SAML Logout

 1. add property proxy.saml.logout-method to decide between local and
    SAML logout.
    Local logout will simply clear the cookies and redirect the user to the
    proxy.saml.logout-url (see later).
    SAML logout will first go to the `/saml/logout` endpoint, which
    redirects you to the IDP. The IDP should redirect you then back to
    proxy.saml.logout-url.
 2. ensure proxy.saml.logout-url is also used by the `/saml/logout`
    endpoint.

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/auth/impl/SAMLAuthenticationBackend.java

@@ -43,8 +43,9 @@ public class SAMLAuthenticationBackend implements IAuthenticationBackend {
 
 	public static final String NAME = "saml";
 
-	private static final String PROP_LOGOUT_URL = "proxy.saml.logout-url";
-	
+	private static final String PROP_SUCCESS_LOGOUT_URL = "proxy.saml.logout-url";
+	private static final String PROP_SAML_LOGOUT_METHOD = "proxy.saml.logout-method";
+
 	@Autowired(required = false)
 	private SAMLEntryPoint samlEntryPoint;
 
@@ -90,17 +91,29 @@ public void configureAuthenticationManagerBuilder(AuthenticationManagerBuilder a
 
 	@Override
 	public String getLogoutURL() {
-		if (environment.getProperty(PROP_LOGOUT_URL) != null) {
+		LogoutMethod logoutMethod = environment.getProperty(PROP_SAML_LOGOUT_METHOD, LogoutMethod.class, LogoutMethod.LOCAL);
+		if (logoutMethod == LogoutMethod.LOCAL) {
 			return "/logout";
 		}
-		return "/saml/logout";
+		return "/saml/logout"; // LogoutMethod.SAML
 	}
 
 	@Override
 	public String getLogoutSuccessURL() {
-		String logoutURL = environment.getProperty(PROP_LOGOUT_URL);
-		System.out.println("LogoutURL: " + logoutURL);
-		if (logoutURL == null || logoutURL.trim().isEmpty()) logoutURL = "/";
+	    return determineLogoutSuccessURL(environment);
+	}
+
+	public static String determineLogoutSuccessURL(Environment environment) {
+		String logoutURL = environment.getProperty(PROP_SUCCESS_LOGOUT_URL);
+		if (logoutURL == null || logoutURL.trim().isEmpty()) {
+			logoutURL = "/";
+		}
 		return logoutURL;
 	}
+
+	private enum LogoutMethod {
+		LOCAL,
+		SAML
+	}
+
 }

src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java

@@ -31,6 +31,7 @@
 
 import javax.inject.Inject;
 
+import eu.openanalytics.containerproxy.auth.impl.SAMLAuthenticationBackend;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -157,7 +158,7 @@ public SecurityContextLogoutHandler securityContextLogoutHandler() {
 	@Bean
 	public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
 		SimpleUrlLogoutSuccessHandler successLogoutHandler = new SimpleUrlLogoutSuccessHandler();
-		successLogoutHandler.setDefaultTargetUrl("/");
+		successLogoutHandler.setDefaultTargetUrl(SAMLAuthenticationBackend.determineLogoutSuccessURL(environment));
 		return successLogoutHandler;
 	}
 

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -128,7 +128,7 @@ protected void configure(HttpSecurity http) throws Exception {
 
 		if (auth.hasAuthorization()) {
 			http.authorizeRequests().antMatchers(
-						"/login", "/signin/**", "/auth-error",
+						"/login", "/signin/**", "/auth-error", "/logout-success",
 						"/favicon.ico", "/css/**", "/img/**", "/js/**", "/assets/**", "/webjars/**").permitAll();
 			http
 				.formLogin()

src/main/java/eu/openanalytics/containerproxy/ui/LogoutSuccessController.java

@@ -0,0 +1,44 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2020 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.ui;
+
+import eu.openanalytics.containerproxy.api.BaseController;
+import org.springframework.core.env.Environment;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.ModelMap;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+
+@Controller
+public class LogoutSuccessController extends BaseController {
+
+	@Inject
+	private Environment environment;
+
+	@RequestMapping(value = "/logout-success", method = RequestMethod.GET)
+	public String getAuthErrorPage() {
+		return "logout-success";
+	}
+
+}

src/main/resources/templates/logout-success.html

@@ -0,0 +1,54 @@
+<!--
+
+    ContainerProxy
+
+    Copyright (C) 2016-2020 Open Analytics
+
+    ===========================================================================
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the Apache License as published by
+    The Apache Software Foundation, either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    Apache License for more details.
+
+    You should have received a copy of the Apache License
+    along with this program.  If not, see <http://www.apache.org/licenses/>
+
+-->
+<!DOCTYPE html>
+<html
+	xmlns:th="http://www.thymeleaf.org"
+	xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
+
+<head lang="en">
+	<title th:text="${title}"></title>
+	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+	<link rel="stylesheet" media="screen" th:href="@{/webjars/bootstrap/3.4.1/css/bootstrap.min.css}"/>
+	<link rel="stylesheet" media="screen" th:href="@{/css/login.css}"/>
+	<link rel="stylesheet" media="screen" type="text/css" href="https://cdn.jsdelivr.net/bootstrap-social/5.1.1/bootstrap-social.css"/>
+	<link rel="stylesheet" media="screen" type="text/css" href="https://cdn.jsdelivr.net/fontawesome/4.7.0/css/font-awesome.min.css"/>
+	<script th:src="@{/webjars/jquery/3.5.0/jquery.min.js}"></script>
+	<script th:src="@{/webjars/bootstrap/3.4.1/js/bootstrap.min.js}"></script>
+</head>
+
+<body>
+	<div class="container">
+		<h2>You have been logged out successfully.</h2>
+		<p><a th:href="@{/}"><b>Login again</b></a></p>
+	</div>
+
+<style>
+h2 {
+    margin-bottom: 20px;
+    margin-top: 20px;
+}
+</style>
+	
+</body>
+
+</html>