From c3595425d3a9fb03888b4338648ea835a3ab2bfe Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Tue, 30 Jan 2024 11:49:26 -0700
Subject: [PATCH] NOJIRA: Pac4J libs update Updates for Pac4J updates to current release
---
 .../admin/ui/ShibbolethUiApplication.java | 2 +-
 .../src/main/resources/application.properties | 2 +-
 gradle.properties | 2 +-
 .../pac4j/Pac4jSpringSecurityConfig.java | 2 +-
 .../shibui/pac4j/ShibuiCallbackFilter.java | 20 +++++++++++--
 .../shibui/pac4j/ShibuiLogoutFilter.java | 30 ++++++++-----------
 .../shibui/pac4j/ShibuiSAML2Client.java | 1 +
 7 files changed, 35 insertions(+), 24 deletions(-)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/ShibbolethUiApplication.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/ShibbolethUiApplication.java
index e706f1b45..e8a6042da 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/ShibbolethUiApplication.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/ShibbolethUiApplication.java
@@ -32,7 +32,7 @@
 @EnableJpaAuditing
 @EnableScheduling
 @EnableAsync
-@OpenAPIDefinition(info=@Info(description = "The Shibboleth UI is specifically designed to help manage and edit metadata-driven configuration support for Shibboleth", title = "Shibboleth UI API", version = "1.0"))
+@OpenAPIDefinition(info=@Info(description = "The SAML Metadata Configuration Manager is specifically designed to help manage and edit metadata-driven configuration support", title = "SAML Metadata Configuration Manager API", version = "2.0"))
 public class ShibbolethUiApplication extends SpringBootServletInitializer {
 private static final Logger logger = LoggerFactory.getLogger(ShibbolethUiApplication.class);
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
index c2845b54e..32b4833f0 100644
--- a/backend/src/main/resources/application.properties
+++ b/backend/src/main/resources/application.properties
@@ -128,7 +128,7 @@ shibui.pac4j-enabled=false
 #environment variables must be set for beacon publisher to be used (the ones that are set when running shib-ui in #docker container
 shibui.beacon.enabled=true
-shibui.beacon.productName=ShibUi
+shibui.beacon.productName=SAML Metadata Configuration Manager
 shibui.beacon.installationID=UNICON-SHIBUI-TESTING
 shibui.beacon.url=http://collector.testbed.tier.internet2.edu:5001
 #shibui.beacon.send.cron=0 59 3 * * ?
diff --git a/gradle.properties b/gradle.properties
index d8f018833..3878efcda 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -17,7 +17,7 @@ nashornVersion=15.4
 opencsvVersion=5.7.1
 opensamlVersion=5.0.0
 pac4JVersion=6.0.0
-pac4jSpringSecurityVersion=9.0.0
+pac4jSpringSecurityVersion=10.0.0
 seleneseRunnerVersion=4.3.0
 shedlockVersion=5.2.0
 shibbolethVersion=5.0.0
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
index 2964aca93..dd38001bf 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
@@ -86,7 +86,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 logoutFilter.setCentralLogout(Boolean.TRUE);
 logoutFilter.setDefaultUrl(pac4jConfigurationProperties.getPostLogoutURL());
 logoutFilter.setDestroySession(true);
- http.securityMatcher("/login*", "/logout").addFilterBefore((Filter) logoutFilter, BasicAuthenticationFilter.class);
+ http.securityMatcher("/logout").addFilterBefore((Filter) logoutFilter, BasicAuthenticationFilter.class);
 } // add correct auth filter
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiCallbackFilter.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiCallbackFilter.java
index 607b4521a..1963de981 100644
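Review bot: With the matcher in Pac4jSpringSecurityConfig narrowed to `securityMatcher("/logout")`, it is not clear from this hunk that the logout filter still sees the request it is written for. The ShibuiLogoutFilter change later in this patch acts only when the query string ends in `logout` and names `/login?logout` as the real entry point, while a plain `/logout` request carries no query string and would fall through to `chain.doFilter`. Unless code outside the hunk routes the redirected request through this chain, central logout and session destruction may never run. I would state the expected URL above the line, e.g. `// chain for the logout request handled by ShibuiLogoutFilter (acts only on query string "logout")`, and cover the logout path with a test. filterChain's body starts and ends outside the hunk.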
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiCallbackFilter.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiCallbackFilter.java
@@ -7,8 +7,13 @@
 import jakarta.servlet.http.HttpServletResponse;
 import org.pac4j.core.adapter.FrameworkAdapter;
 import org.pac4j.core.config.Config;
+import org.pac4j.core.context.CallContext;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.context.WebContextFactory;
+import org.pac4j.core.engine.DefaultCallbackLogic;
+import org.pac4j.core.exception.http.FoundAction;
+import org.pac4j.core.exception.http.HttpAction;
+import org.pac4j.core.exception.http.SeeOtherAction;
 import org.pac4j.core.util.CommonHelper;
 import org.pac4j.core.util.Pac4jConstants;
 import org.pac4j.jee.config.AbstractConfigFilter;
@@ -30,18 +35,29 @@
 */
 public class ShibuiCallbackFilter extends AbstractConfigFilter {
 private String suffix = "/callback";
- private String defaultUrl;
+ private String defaultUrl = "/dashboard";
 private Boolean renewSession;
 private String defaultClient;
 public ShibuiCallbackFilter(Config config) {
+ // Added this because we were seeing odd behavior where the favicon request was getting in the mix and the return to the
+ // dashboard url was getting lost.
+ config.setCallbackLogicIfUndefined(new DefaultCallbackLogic() {
+ @Override
+ protected HttpAction redirectToOriginallyRequestedUrl(CallContext ctx, String defaultUrl) {
+ HttpAction action = super.redirectToOriginallyRequestedUrl(ctx, defaultUrl);
+ if (action instanceof SeeOtherAction && ((SeeOtherAction) action).getLocation().contains("favicon")) {
+ return new FoundAction(defaultUrl);
+ }
+ return action;
+ }
+ });
 setConfig(config);
 }
 @Override
 public void init(final FilterConfig filterConfig) throws ServletException {
 super.init(filterConfig);
- this.defaultUrl = getStringParam(filterConfig, Pac4jConstants.DEFAULT_URL, this.defaultUrl);
 this.renewSession = getBooleanParam(filterConfig, Pac4jConstants.RENEW_SESSION, this.renewSession);
 this.defaultClient = getStringParam(filterConfig, Pac4jConstants.DEFAULT_CLIENT, this.defaultClient);
 }
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiLogoutFilter.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiLogoutFilter.java
index 6aa6c17ca..4ad6e3ac4 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiLogoutFilter.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiLogoutFilter.java
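Review bot: The favicon guard in the anonymous `DefaultCallbackLogic` inspects only `SeeOtherAction` and matches with `getLocation().contains("favicon")`. A redirect returned as a `FoundAction` would therefore keep the favicon target, while any legitimate saved URL that merely contains that substring is replaced by the default. Checking the common parent type and the end of the path would be tighter, e.g. `if (action instanceof WithLocationAction redirect && redirect.getLocation().endsWith("/favicon.ico"))`, assuming the asset is served under that name. Because the override is registered with `setCallbackLogicIfUndefined`, it is silently skipped when the shared `Config` already carries a callback logic, which deserves a comment in the constructor. The hunk also hard-codes `defaultUrl = "/dashboard"` and drops the `Pac4jConstants.DEFAULT_URL` init parameter, so the post-login landing URL can no longer be overridden through the filter config; the class Javadoc should say so.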
@@ -31,15 +31,14 @@
 * LogoutFilter was part of the jakartee-pac4j stuff - there were a number of changes when Pac4J shifted to v6 (the j2ee stuff is now core
 * as pac4j-jakartee and its not at all confusing).
 *
- * Essentially, we check to see if the filter matches the right pattern - this should be done by the Spring mechanisms, but the configured filters
- * were still being called in the filter chain, so this logic was re-introduced here. This is essentially an expansion of -
+ * Essentially, we check to see if the filter matches the right pattern - because of how we re-rout "/logout" before it even gets to
+ * the filters, we have this filter in place to check for the "/login/logout" which will then do logout behaviors.
+ * This class is essentially a modification of -
 * https://github.com/pac4j/jee-pac4j/blob/master/jakartaee-pac4j/src/main/java/org/pac4j/jee/filter/LogoutFilter.java
 */
 @Getter
 @Setter
 public class ShibuiLogoutFilter extends AbstractConfigFilter {
- private final static String SUFFIX = "login"; // "logout" is redirected before we ever hit the filters - sent to /login?logout;
-
 private String defaultUrl;
 private String logoutUrlPattern;
 private Boolean localLogout;
@@ -50,17 +49,6 @@ public ShibuiLogoutFilter(Config config) {
 setConfig(config);
 }
- private boolean mustApply(final WebContext context) {
- final String path = context.getPath();
- logger.debug("path: {} | suffix: {}", path, SUFFIX);
-
- if (isBlank(SUFFIX)) {
- return true;
- } else {
- return path != null && path.endsWith(SUFFIX);
- }
- }
-
 @Override
 public void init(final FilterConfig filterConfig) throws ServletException {
 super.init(filterConfig);
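Review bot: The rewritten class comment says the filter checks for `"/login/logout"`, but `internalFilter` in this patch tests the query string, i.e. `/login?logout`, so the comment should name the URL the code actually matches. Suggested wording: `* "/logout" is redirected to "/login?logout" before the filters run, so this filter performs the logout only when the query string is "logout".` The same sentence has a typo, `re-rout` for `re-route`. With `SUFFIX` removed here and `mustApply` removed in the next hunk, the filter no longer checks the request path at all, and the comment should say so.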
@@ -74,8 +62,14 @@ public void init(final FilterConfig filterConfig) throws ServletException {
 @Override
 protected void internalFilter(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException {
- Config config = getSharedConfig();
- FrameworkAdapter.INSTANCE.applyDefaultSettingsIfUndefined(config);
- config.getLogoutLogic().perform(config, defaultUrl, logoutUrlPattern, localLogout, destroySession, centralLogout, new JEEFrameworkParameters(request, response));
+ // the actual "/logout url is redirected before the filters every get anything. It hits /login?logout - so this filter should only
+ // act when the QUERY STRING is "logout"
+ if (request.getQueryString() != null && request.getQueryString().endsWith("logout")) {
+ Config config = getSharedConfig();
+ FrameworkAdapter.INSTANCE.applyDefaultSettingsIfUndefined(config);
+ config.getLogoutLogic().perform(config, defaultUrl, logoutUrlPattern, localLogout, destroySession, centralLogout, new JEEFrameworkParameters(request, response));
+ } else {
+ chain.doFilter(request, response);
+ }
 }
 }
\ No newline at end of file
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiSAML2Client.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiSAML2Client.java
index 076e98b69..bbdcd4544 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiSAML2Client.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ShibuiSAML2Client.java
@@ -41,6 +41,7 @@ private SAML2Configuration buildSaml2ConfigFromPac4JConfiguration(Pac4jConfigura
 saml2Config.setAttributeAsId(pac4jConfigProps.getSimpleProfileMapping().getUsername());
 saml2Config.setPostLogoutURL(pac4jConfigProps.getPostLogoutURL());
 saml2Config.setAuthnRequestBindingType("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+ saml2Config.setCallbackUrl(pac4jConfigProps.getCallbackUrl());
 return saml2Config;
 }
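Review bot: `request.getQueryString().endsWith("logout")` in `internalFilter` is looser than the comment above it, which says the filter should act only when the query string is `logout`. Any query string that merely ends in those characters (for example `?next=logout`) triggers `getLogoutLogic().perform(...)` with central logout and session destruction, on whatever path the chain matches, since the path check went away with `mustApply`. An exact comparison keeps the trigger to the one URL the comment describes: `if ("logout".equals(request.getQueryString())) {`. The comment itself has two slips: `"/logout url` lacks its closing quote and `every` should read `ever`.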
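Review bot: `pac4jConfigProps.getCallbackUrl()` is passed to `setCallbackUrl` unchecked in ShibuiSAML2Client, and nothing visible in the hunk shows a default, so an unset or mistyped property would presumably surface only when a login is attempted. Since this is the address the IdP sends assertions back to, failing fast at startup is safer, e.g. `CommonHelper.assertNotBlank("callbackUrl", pac4jConfigProps.getCallbackUrl());` (pac4j's own helper) before the call. buildSaml2ConfigFromPac4JConfiguration starts outside the hunk, so an existing check there would make this unnecessary.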