SHIBUI-2333

Added logic to correctly support IDP logout Former-commit-id: 3c212397b7c31755739ef36aaaa9b7cce65cebce
TIER · Aug 15, 2022 · 6fd4e8d · 6fd4e8d
1 parent 3f15969
commit 6fd4e8d
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
@@ -22,6 +22,7 @@
 #    identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml"
 #    forceServiceProviderMetadataGeneration: false
 #    callbackUrl: "https://localhost:8443/callback"
+#    postLogoutURL: "https://idp.example.com/idp/profile/Logout"  # Must set this to get IDP logout
 #    maximumAuthenticationLifetime: 3600000
 #    requireAssertedRoleForNewUsers: false
 #    saml2ProfileMapping:

diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
@@ -66,19 +66,20 @@ public Pac4jWebSecurityConfigurerAdapter(final Config config, UserService userSe
         protected void configure(HttpSecurity http) throws Exception {
             http.authorizeRequests().antMatchers("/unsecured/**/*").permitAll();
 
-            // adding the authorizor bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
+            // adding the authorizer bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
             final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME, DefaultAuthorizers.IS_AUTHENTICATED);
 
-            final LogoutFilter logoutFilter = new LogoutFilter(config);
-            logoutFilter.setLocalLogout(Boolean.TRUE);
+            // If the post logout URL is configured, setup the logout filter
             if (StringUtils.isNotEmpty(pac4jConfigurationProperties.getPostLogoutURL())){
+                final LogoutFilter logoutFilter = new LogoutFilter(config);
+                logoutFilter.setLocalLogout(Boolean.TRUE);
                 logoutFilter.setSuffix("login"); // "logout" is redirected before we ever hit the filters - sent to /login?logout
                 logoutFilter.setCentralLogout(Boolean.TRUE);
                 logoutFilter.setDefaultUrl(pac4jConfigurationProperties.getPostLogoutURL());
+                http.antMatcher("/**").addFilterBefore(logoutFilter, BasicAuthenticationFilter.class);
             }
 
             // add filters
-            http.antMatcher("/**").addFilterBefore(logoutFilter, BasicAuthenticationFilter.class);
             http.antMatcher("/**").addFilterBefore(getFilter(pac4jConfigurationProperties.getTypeOfAuth()), BasicAuthenticationFilter.class);
             http.antMatcher("/**").addFilterBefore(securityFilter, BasicAuthenticationFilter.class);