From 768d2d16a6df861fd79caa5b8b3fd1d8064ad201 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Fri, 2 Feb 2024 16:37:27 -0700
Subject: [PATCH] NOJIRA: Pac4J libs update Fixes for login with no valid role causing error loop and filter chain checks for static assets
---
 .../admin/ui/configuration/SpringSecurityConfig.java | 7 ++++++-
 .../net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java | 7 ++++++-
 .../pac4j/authenticator/ShibuiSAML2Authenticator.java | 3 +++
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
index 8a3b6c292..c5933f880 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
@@ -157,7 +157,12 @@ public InMemoryUserDetailsManager userDetailsManager() {
 @Bean
 @Profile("!no-auth")
 public WebSecurityCustomizer webSecurityCustomizer() {
- return (web) -> web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
+ return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+ new AntPathRequestMatcher("/entities/**/*"),
+ new AntPathRequestMatcher("/favicon.ico"),
+ new AntPathRequestMatcher("/assets/**/*.png"),
+ new AntPathRequestMatcher("/static/**/*"),
+ new AntPathRequestMatcher("/**/*.css")).and().httpFirewall(allowUrlEncodedSlashHttpFirewall());
 }
 private HttpFirewall allowUrlEncodedSlashHttpFirewall() {
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
index 4f60c9925..6810b5ee9 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
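Review bot: In `webSecurityCustomizer()` of SpringSecurityConfig.java, `web.ignoring()` now covers `/unsecured/**/*` and `/entities/**/*` as well as static assets, and ignored requests skip the whole Spring Security filter chain (no authentication, CSRF handling, security headers or security context). The commit message speaks of static assets only, so these two application paths look better served by `permitAll()` in the `HttpSecurity` chain (not visible in this hunk), leaving `ignoring()` for real static files; the matchers also carry no HTTP method, so any that must stay ignored could be narrowed, e.g. `new AntPathRequestMatcher("/entities/**/*", "GET")`. The suffix pattern `/**/*.css` matches any path ending in `.css`, which deserves a check against the relaxed firewall settings (the encoded-slash firewall here, `setAllowUrlEncodedDoubleSlash(true)` and `setAllowSemicolon(true)` in Pac4jSpringSecurityConfig.java) to confirm no handler is served on an ignored path. The same matcher list is repeated verbatim in the Pac4jSpringSecurityConfig.java hunk, so the point applies there too, and a shared constant would keep the two lists from drifting apart.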
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
@@ -125,6 +125,11 @@ public WebSecurityCustomizer webSecurityCustomizer() {
 firewall.setAllowUrlEncodedDoubleSlash(true);
 firewall.setAllowSemicolon(true);
- return (web) -> web.httpFirewall(firewall);
+ return (web) -> web.ignoring().requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+ new AntPathRequestMatcher("/entities/**/*"),
+ new AntPathRequestMatcher("/favicon.ico"),
+ new AntPathRequestMatcher("/assets/**/*.png"),
+ new AntPathRequestMatcher("/static/**/*"),
+ new AntPathRequestMatcher("/**/*.css")).and().httpFirewall(firewall);
 }
 }
\ No newline at end of file
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java
index 4219112be..c0ef2073b 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/authenticator/ShibuiSAML2Authenticator.java
@@ -27,6 +27,9 @@ public Optional validate(CallContext ctx, Credentials credentials)
 Optional validatedCreds = super.validate(ctx, credentials);
 validatedCreds.ifPresent(creds -> {
 CommonProfile profile = (CommonProfile) creds.getUserProfile();
+ if (profile == null) {
+ return;
+ }
 profile.setRoles(userService.getUserRoles(profile.getUsername()));
 creds.setUserProfile(profile);
 userService.updateLoginRecord(profile.getUsername());
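Review bot: In ShibuiSAML2Authenticator.java the new `if (profile == null) { return; }` guard leaves the lambda silently, so the credentials stay inside `validatedCreds` with no user profile, no roles and no login record, and nothing is logged. Whether that fails closed depends on what `validate` returns after the lambda, which lies outside the hunk; if it hands back `validatedCreds` unchanged, callers receive credentials that passed validation but carry no profile, and returning `Optional.empty()` for that case would make the outcome explicit. At minimum the guard should carry a comment such as `// super.validate() produced no profile: skip role lookup and login record; caller must treat this as unauthenticated`, plus a warning-level log line if the class has a logger, so a missing profile shows up in the authentication logs.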