SAML: Show error when user doesn't have access to app

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/AuthenticationFailureHandler.java

@@ -0,0 +1,52 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2020 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl.saml;
+
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.saml.SAMLStatusException;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class AuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler  {
+
+    public void onAuthenticationFailure(HttpServletRequest request,
+                                        HttpServletResponse response, AuthenticationException exception)
+            throws IOException, ServletException {
+
+
+        if (exception.getCause() instanceof SAMLStatusException) {
+            SAMLStatusException samlException = (SAMLStatusException) exception.getCause();
+
+            if (samlException.getStatusCode().equals("urn:oasis:names:tc:SAML:2.0:status:RequestDenied")) {
+                response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/app-access-denied").build().toUriString());
+                return;
+            }
+        }
+
+        super.onAuthenticationFailure(request, response, exception);
+    }
+
+}

src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java

@@ -311,7 +311,7 @@ public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
 
 	@Bean
 	public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
-		SimpleUrlAuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
+		AuthenticationFailureHandler failureHandler = new AuthenticationFailureHandler();
 		failureHandler.setUseForward(true);
 		failureHandler.setDefaultFailureUrl("/error");
 		return failureHandler;

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -20,13 +20,10 @@
  */
 package eu.openanalytics.containerproxy.security;
 
-import java.util.List;
-
-import javax.inject.Inject;
-
+import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
+import eu.openanalytics.containerproxy.auth.UserLogoutHandler;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
@@ -43,8 +40,8 @@
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
-import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
-import eu.openanalytics.containerproxy.auth.UserLogoutHandler;
+import javax.inject.Inject;
+import java.util.List;
 
 @Configuration
 @EnableWebSecurity
@@ -61,7 +58,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
 	@Inject
 	private Environment environment;
-	
+
 	@Autowired(required=false)
 	private List<ICustomSecurityConfig> customConfigs;
 
@@ -128,8 +125,8 @@ protected void configure(HttpSecurity http) throws Exception {
 
 		if (auth.hasAuthorization()) {
 			http.authorizeRequests().antMatchers(
-						"/login", "/signin/**", "/auth-error", "/logout-success",
-						"/favicon.ico", "/css/**", "/img/**", "/js/**", "/assets/**", "/webjars/**").permitAll();
+					"/login", "/signin/**", "/auth-error", "/app-access-denied", "/logout-success",
+					"/favicon.ico", "/css/**", "/img/**", "/js/**", "/assets/**", "/webjars/**").permitAll();
 			http
 				.formLogin()
 					.loginPage("/login")

src/main/java/eu/openanalytics/containerproxy/service/UserService.java

@@ -188,6 +188,7 @@ public void logout(Authentication auth) {
 		eventService.post(EventType.Logout.toString(), userId, null);
 		if (logoutStrategy != null) logoutStrategy.onLogout(userId);
 		log.info(String.format("User logged out [user: %s]", userId));
+
 	}
 
 }

src/main/java/eu/openanalytics/containerproxy/ui/AuthErrorController.java renamed to src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java

@@ -32,7 +32,7 @@
 import eu.openanalytics.containerproxy.api.BaseController;
 
 @Controller
-public class AuthErrorController extends BaseController {
+public class AuthController extends BaseController {
 
 	@Inject
 	private Environment environment;
@@ -43,4 +43,9 @@ public String getAuthErrorPage(ModelMap map, HttpServletRequest request) {
 		return "auth-error";
 	}
 
+	@RequestMapping(value = "/app-access-denied", method = RequestMethod.GET)
+	public String getAppAccessDeniedPage(ModelMap map, HttpServletRequest request) {
+		return "app-access-denied";
+	}
+
 }

src/main/resources/templates/app-access-denied.html

@@ -0,0 +1,55 @@
+<!--
+
+    ContainerProxy
+
+    Copyright (C) 2016-2020 Open Analytics
+
+    ===========================================================================
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the Apache License as published by
+    The Apache Software Foundation, either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    Apache License for more details.
+
+    You should have received a copy of the Apache License
+    along with this program.  If not, see <http://www.apache.org/licenses/>
+
+-->
+<!DOCTYPE html>
+<html
+	xmlns:th="http://www.thymeleaf.org"
+	xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
+
+<head lang="en">
+	<title th:text="${title}"></title>
+	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+	<link rel="stylesheet" media="screen" th:href="@{/webjars/bootstrap/3.4.1/css/bootstrap.min.css}"/>
+	<link rel="stylesheet" media="screen" th:href="@{/css/login.css}"/>
+	<link rel="stylesheet" media="screen" type="text/css" href="https://cdn.jsdelivr.net/bootstrap-social/5.1.1/bootstrap-social.css"/>
+	<link rel="stylesheet" media="screen" type="text/css" href="https://cdn.jsdelivr.net/fontawesome/4.7.0/css/font-awesome.min.css"/>
+	<script th:src="@{/webjars/jquery/3.5.0/jquery.min.js}"></script>
+	<script th:src="@{/webjars/bootstrap/3.4.1/js/bootstrap.min.js}"></script>
+</head>
+
+<body>
+	<div class="container">
+		<h2>You do not have access to this application.</h2>
+		<p>Your account does not have the required roles or groups required for accessing this application.</p>
+		<p>Please contact your administrator if you believe this is a mistake.</p>
+	</div>
+
+<style>
+h2 {
+    margin-bottom: 20px;
+    margin-top: 20px;
+}
+</style>
+	
+</body>
+
+</html>