add SAML logout support

max1 · LEDfan · commit bc1fed7b5f74 · 2021-01-15T10:44:06.000+01:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/SAMLAuthenticationBackend.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/SAMLAuthenticationBackend.java
@@ -79,6 +79,9 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon
 			.addFilterBefore(metadataGeneratorFilter, ChannelProcessingFilter.class)
 			.addFilterAfter(metadataDisplayFilter, MetadataGeneratorFilter.class)
 			.addFilterAfter(samlFilter, BasicAuthenticationFilter.class);
+		http
+				.logout()
+				.disable();
 	}
 
 	@Override
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java
@@ -20,6 +20,7 @@
  */
 package eu.openanalytics.containerproxy.auth.impl.saml;
 
+import eu.openanalytics.containerproxy.auth.UserLogoutHandler;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -58,6 +59,7 @@
 import org.springframework.security.saml.SAMLBootstrap;
 import org.springframework.security.saml.SAMLCredential;
 import org.springframework.security.saml.SAMLEntryPoint;
+import org.springframework.security.saml.SAMLLogoutFilter;
 import org.springframework.security.saml.SAMLProcessingFilter;
 import org.springframework.security.saml.context.SAMLContextProvider;
 import org.springframework.security.saml.context.SAMLContextProviderImpl;
@@ -73,6 +75,8 @@
 import org.springframework.security.saml.processor.SAMLProcessorImpl;
 import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
 import org.springframework.security.saml.util.VelocityFactory;
+import org.springframework.security.saml.websso.SingleLogoutProfile;
+import org.springframework.security.saml.websso.SingleLogoutProfileImpl;
 import org.springframework.security.saml.websso.WebSSOProfile;
 import org.springframework.security.saml.websso.WebSSOProfileConsumer;
 import org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl;
@@ -84,6 +88,9 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 @Configuration
@@ -98,13 +105,43 @@ public class SAMLConfiguration {
 	@Inject
 	@Lazy
 	private AuthenticationManager authenticationManager;
+
+	@Inject
+	private UserLogoutHandler userLogoutHandler;
 	
 	@Bean
 	public SAMLEntryPoint samlEntryPoint() {
 		SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
 		samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
 		return samlEntryPoint;
 	}
+
+	@Bean
+	public SingleLogoutProfile logoutProfile() {
+		return new SingleLogoutProfileImpl();
+	}
+
+	@Bean
+	public SAMLLogoutFilter samlLogoutFilter() {
+		return new SAMLLogoutFilter(successLogoutHandler(),
+				new LogoutHandler[]{userLogoutHandler, securityContextLogoutHandler()},
+				new LogoutHandler[]{userLogoutHandler, securityContextLogoutHandler()});
+	}
+
+	@Bean
+	public SecurityContextLogoutHandler securityContextLogoutHandler() {
+		SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
+		logoutHandler.setInvalidateHttpSession(true);
+		logoutHandler.setClearAuthentication(true);
+		return logoutHandler;
+	}
+
+	@Bean
+	public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
+		SimpleUrlLogoutSuccessHandler successLogoutHandler = new SimpleUrlLogoutSuccessHandler();
+		successLogoutHandler.setDefaultTargetUrl("/");
+		return successLogoutHandler;
+	}
 	
 	@Bean
 	public WebSSOProfileOptions defaultWebSSOProfileOptions() {
@@ -284,6 +321,7 @@ public WebSSOProfileConsumerHoKImpl hokWebSSOprofileConsumer() {
 	public SAMLFilterSet samlFilter() throws Exception {
 		List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
 		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()));
+		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()));
 		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter()));
 		return new SAMLFilterSet(chains);
 	}

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,9 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon`
`79`	`79`	`.addFilterBefore(metadataGeneratorFilter, ChannelProcessingFilter.class)`
`80`	`80`	`.addFilterAfter(metadataDisplayFilter, MetadataGeneratorFilter.class)`
`81`	`81`	`.addFilterAfter(samlFilter, BasicAuthenticationFilter.class);`
	`82`	`+ http`
	`83`	`+ .logout()`
	`84`	`+ .disable();`
`82`	`85`	`}`
`83`	`86`
`84`	`87`	`@Override`