2024-04-29 15:01:22 -06:00
|
|
|
package stirling.software.SPDF.config.security;
|
|
|
|
|
|
|
|
|
|
import java.io.IOException;
|
2024-10-20 13:30:58 +02:00
|
|
|
import java.security.cert.X509Certificate;
|
|
|
|
|
import java.security.interfaces.RSAPrivateKey;
|
|
|
|
|
import java.util.ArrayList;
|
|
|
|
|
import java.util.List;
|
2024-04-29 15:01:22 -06:00
|
|
|
|
2024-10-20 13:30:58 +02:00
|
|
|
import org.springframework.core.io.Resource;
|
|
|
|
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
2024-04-29 15:01:22 -06:00
|
|
|
import org.springframework.security.core.Authentication;
|
2024-10-20 13:30:58 +02:00
|
|
|
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
|
|
|
|
|
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
|
2024-04-29 15:01:22 -06:00
|
|
|
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
|
|
|
|
|
|
2024-10-20 13:30:58 +02:00
|
|
|
import com.coveo.saml.SamlClient;
|
2025-02-24 22:18:34 +00:00
|
|
|
import com.coveo.saml.SamlException;
|
2024-10-20 13:30:58 +02:00
|
|
|
|
2024-05-03 20:43:48 +01:00
|
|
|
import jakarta.servlet.http.HttpServletRequest;
|
|
|
|
|
import jakarta.servlet.http.HttpServletResponse;
|
2025-02-23 13:36:21 +00:00
|
|
|
|
2025-04-25 15:35:12 +02:00
|
|
|
import lombok.RequiredArgsConstructor;
|
2024-10-20 13:30:58 +02:00
|
|
|
import lombok.extern.slf4j.Slf4j;
|
2025-02-23 13:36:21 +00:00
|
|
|
|
2025-01-06 18:58:26 +00:00
|
|
|
import stirling.software.SPDF.SPDFApplication;
|
2024-10-20 13:30:58 +02:00
|
|
|
import stirling.software.SPDF.config.security.saml2.CertificateUtils;
|
|
|
|
|
import stirling.software.SPDF.config.security.saml2.CustomSaml2AuthenticatedPrincipal;
|
|
|
|
|
import stirling.software.SPDF.utils.UrlUtils;
|
2025-04-29 12:54:11 +01:00
|
|
|
import stirling.software.common.model.ApplicationProperties;
|
|
|
|
|
import stirling.software.common.model.ApplicationProperties.Security.OAUTH2;
|
|
|
|
|
import stirling.software.common.model.ApplicationProperties.Security.SAML2;
|
2025-04-28 17:36:27 +01:00
|
|
|
import stirling.software.common.model.provider.KeycloakProvider;
|
2024-05-03 20:43:48 +01:00
|
|
|
|
2024-10-20 13:30:58 +02:00
|
|
|
@Slf4j
|
2025-04-25 15:35:12 +02:00
|
|
|
@RequiredArgsConstructor
|
2024-05-03 20:43:48 +01:00
|
|
|
public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
|
2024-05-12 19:58:34 +02:00
|
|
|
|
2025-02-24 22:18:34 +00:00
|
|
|
public static final String LOGOUT_PATH = "/login?logout=true";
|
|
|
|
|
|
2024-10-20 13:30:58 +02:00
|
|
|
private final ApplicationProperties applicationProperties;
|
|
|
|
|
|
2024-04-29 15:01:22 -06:00
|
|
|
@Override
|
2024-05-03 20:43:48 +01:00
|
|
|
public void onLogoutSuccess(
|
|
|
|
|
HttpServletRequest request, HttpServletResponse response, Authentication authentication)
|
2025-02-24 22:18:34 +00:00
|
|
|
throws IOException {
|
2024-10-20 13:30:58 +02:00
|
|
|
if (!response.isCommitted()) {
|
|
|
|
|
if (authentication != null) {
|
2025-02-25 22:31:50 +01:00
|
|
|
if (authentication instanceof Saml2Authentication samlAuthentication) {
|
2025-02-24 22:18:34 +00:00
|
|
|
// Handle SAML2 logout redirection
|
2025-02-25 22:31:50 +01:00
|
|
|
getRedirect_saml2(request, response, samlAuthentication);
|
|
|
|
|
} else if (authentication instanceof OAuth2AuthenticationToken oAuthToken) {
|
2025-02-24 22:18:34 +00:00
|
|
|
// Handle OAuth2 logout redirection
|
2025-02-25 22:31:50 +01:00
|
|
|
getRedirect_oauth2(request, response, oAuthToken);
|
2025-02-24 22:18:34 +00:00
|
|
|
} else if (authentication instanceof UsernamePasswordAuthenticationToken) {
|
|
|
|
|
// Handle Username/Password logout
|
|
|
|
|
getRedirectStrategy().sendRedirect(request, response, LOGOUT_PATH);
|
|
|
|
|
} else {
|
|
|
|
|
// Handle unknown authentication types
|
2024-10-20 13:30:58 +02:00
|
|
|
log.error(
|
2025-02-24 22:18:34 +00:00
|
|
|
"Authentication class unknown: {}",
|
|
|
|
|
authentication.getClass().getSimpleName());
|
|
|
|
|
getRedirectStrategy().sendRedirect(request, response, LOGOUT_PATH);
|
2024-10-20 13:30:58 +02:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// Redirect to login page after logout
|
2025-02-24 22:18:34 +00:00
|
|
|
String path = checkForErrors(request);
|
|
|
|
|
getRedirectStrategy().sendRedirect(request, response, path);
|
2024-10-20 13:30:58 +02:00
|
|
|
}
|
2024-04-29 15:01:22 -06:00
|
|
|
}
|
2024-10-20 13:30:58 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Redirect for SAML2 authentication logout
|
|
|
|
|
private void getRedirect_saml2(
|
2025-02-25 22:31:50 +01:00
|
|
|
HttpServletRequest request,
|
|
|
|
|
HttpServletResponse response,
|
|
|
|
|
Saml2Authentication samlAuthentication)
|
2024-10-20 13:30:58 +02:00
|
|
|
throws IOException {
|
|
|
|
|
|
|
|
|
|
SAML2 samlConf = applicationProperties.getSecurity().getSaml2();
|
|
|
|
|
String registrationId = samlConf.getRegistrationId();
|
|
|
|
|
|
|
|
|
|
CustomSaml2AuthenticatedPrincipal principal =
|
|
|
|
|
(CustomSaml2AuthenticatedPrincipal) samlAuthentication.getPrincipal();
|
|
|
|
|
|
2025-02-24 22:18:34 +00:00
|
|
|
String nameIdValue = principal.name();
|
2024-10-20 13:30:58 +02:00
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
// Read certificate from the resource
|
|
|
|
|
Resource certificateResource = samlConf.getSpCert();
|
|
|
|
|
X509Certificate certificate = CertificateUtils.readCertificate(certificateResource);
|
|
|
|
|
|
|
|
|
|
List<X509Certificate> certificates = new ArrayList<>();
|
|
|
|
|
certificates.add(certificate);
|
|
|
|
|
|
|
|
|
|
// Construct URLs required for SAML configuration
|
2025-02-24 22:18:34 +00:00
|
|
|
SamlClient samlClient = getSamlClient(registrationId, samlConf, certificates);
|
2024-10-20 13:30:58 +02:00
|
|
|
|
|
|
|
|
// Read private key for service provider
|
|
|
|
|
Resource privateKeyResource = samlConf.getPrivateKey();
|
|
|
|
|
RSAPrivateKey privateKey = CertificateUtils.readPrivateKey(privateKeyResource);
|
|
|
|
|
|
|
|
|
|
// Set service provider keys for the SamlClient
|
|
|
|
|
samlClient.setSPKeys(certificate, privateKey);
|
|
|
|
|
|
|
|
|
|
// Redirect to identity provider for logout
|
|
|
|
|
samlClient.redirectToIdentityProvider(response, null, nameIdValue);
|
|
|
|
|
} catch (Exception e) {
|
2025-02-24 22:18:34 +00:00
|
|
|
log.error(
|
|
|
|
|
"Error retrieving logout URL from Provider {} for user {}",
|
|
|
|
|
samlConf.getProvider(),
|
|
|
|
|
nameIdValue,
|
|
|
|
|
e);
|
|
|
|
|
getRedirectStrategy().sendRedirect(request, response, LOGOUT_PATH);
|
2024-10-20 13:30:58 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Redirect for OAuth2 authentication logout
|
|
|
|
|
private void getRedirect_oauth2(
|
2025-02-25 22:31:50 +01:00
|
|
|
HttpServletRequest request,
|
|
|
|
|
HttpServletResponse response,
|
|
|
|
|
OAuth2AuthenticationToken oAuthToken)
|
2024-10-20 13:30:58 +02:00
|
|
|
throws IOException {
|
2025-02-24 22:18:34 +00:00
|
|
|
String registrationId;
|
2024-10-20 13:30:58 +02:00
|
|
|
OAUTH2 oauth = applicationProperties.getSecurity().getOauth2();
|
2025-02-24 22:18:34 +00:00
|
|
|
String path = checkForErrors(request);
|
2024-10-20 13:30:58 +02:00
|
|
|
|
2025-02-24 22:18:34 +00:00
|
|
|
String redirectUrl = UrlUtils.getOrigin(request) + "/login?" + path;
|
2025-02-25 22:31:50 +01:00
|
|
|
registrationId = oAuthToken.getAuthorizedClientRegistrationId();
|
2024-10-20 13:30:58 +02:00
|
|
|
|
|
|
|
|
// Redirect based on OAuth2 provider
|
|
|
|
|
switch (registrationId.toLowerCase()) {
|
2025-02-24 22:18:34 +00:00
|
|
|
case "keycloak" -> {
|
|
|
|
|
KeycloakProvider keycloak = oauth.getClient().getKeycloak();
|
2025-02-25 22:31:50 +01:00
|
|
|
|
|
|
|
|
boolean isKeycloak = !keycloak.getIssuer().isBlank();
|
|
|
|
|
boolean isCustomOAuth = !oauth.getIssuer().isBlank();
|
|
|
|
|
|
|
|
|
|
String logoutUrl = redirectUrl;
|
|
|
|
|
|
|
|
|
|
if (isKeycloak) {
|
|
|
|
|
logoutUrl = keycloak.getIssuer();
|
|
|
|
|
} else if (isCustomOAuth) {
|
|
|
|
|
logoutUrl = oauth.getIssuer();
|
|
|
|
|
}
|
|
|
|
|
if (isKeycloak || isCustomOAuth) {
|
|
|
|
|
logoutUrl +=
|
|
|
|
|
"/protocol/openid-connect/logout"
|
|
|
|
|
+ "?client_id="
|
|
|
|
|
+ oauth.getClientId()
|
|
|
|
|
+ "&post_logout_redirect_uri="
|
|
|
|
|
+ response.encodeRedirectURL(redirectUrl);
|
|
|
|
|
log.info("Redirecting to Keycloak logout URL: {}", logoutUrl);
|
|
|
|
|
} else {
|
|
|
|
|
log.info(
|
|
|
|
|
"No redirect URL for {} available. Redirecting to default logout URL: {}",
|
|
|
|
|
registrationId,
|
|
|
|
|
logoutUrl);
|
|
|
|
|
}
|
2024-10-20 13:30:58 +02:00
|
|
|
response.sendRedirect(logoutUrl);
|
2025-02-24 22:18:34 +00:00
|
|
|
}
|
|
|
|
|
case "github", "google" -> {
|
|
|
|
|
log.info(
|
|
|
|
|
"No redirect URL for {} available. Redirecting to default logout URL: {}",
|
|
|
|
|
registrationId,
|
|
|
|
|
redirectUrl);
|
|
|
|
|
response.sendRedirect(redirectUrl);
|
|
|
|
|
}
|
|
|
|
|
default -> {
|
|
|
|
|
log.info("Redirecting to default logout URL: {}", redirectUrl);
|
|
|
|
|
response.sendRedirect(redirectUrl);
|
|
|
|
|
}
|
2024-10-20 13:30:58 +02:00
|
|
|
}
|
|
|
|
|
}
|
2024-04-29 15:01:22 -06:00
|
|
|
|
2025-02-24 22:18:34 +00:00
|
|
|
private static SamlClient getSamlClient(
|
|
|
|
|
String registrationId, SAML2 samlConf, List<X509Certificate> certificates)
|
|
|
|
|
throws SamlException {
|
|
|
|
|
String serverUrl =
|
|
|
|
|
SPDFApplication.getStaticBaseUrl() + ":" + SPDFApplication.getStaticPort();
|
|
|
|
|
|
|
|
|
|
String relyingPartyIdentifier =
|
|
|
|
|
serverUrl + "/saml2/service-provider-metadata/" + registrationId;
|
|
|
|
|
|
|
|
|
|
String assertionConsumerServiceUrl = serverUrl + "/login/saml2/sso/" + registrationId;
|
|
|
|
|
|
|
|
|
|
String idpSLOUrl = samlConf.getIdpSingleLogoutUrl();
|
|
|
|
|
|
|
|
|
|
String idpIssuer = samlConf.getIdpIssuer();
|
|
|
|
|
|
|
|
|
|
// Create SamlClient instance for SAML logout
|
|
|
|
|
return new SamlClient(
|
|
|
|
|
relyingPartyIdentifier,
|
|
|
|
|
assertionConsumerServiceUrl,
|
|
|
|
|
idpSLOUrl,
|
|
|
|
|
idpIssuer,
|
|
|
|
|
certificates,
|
|
|
|
|
SamlClient.SamlIdpBinding.POST);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Handles different error scenarios during logout. Will return a <code>String</code> containing
|
|
|
|
|
* the error request parameter.
|
|
|
|
|
*
|
|
|
|
|
* @param request the user's <code>HttpServletRequest</code> request.
|
|
|
|
|
* @return a <code>String</code> containing the error request parameter.
|
|
|
|
|
*/
|
|
|
|
|
private String checkForErrors(HttpServletRequest request) {
|
|
|
|
|
String errorMessage;
|
|
|
|
|
String path = "logout=true";
|
|
|
|
|
|
|
|
|
|
if (request.getParameter("oAuth2AuthenticationErrorWeb") != null) {
|
|
|
|
|
path = "errorOAuth=userAlreadyExistsWeb";
|
|
|
|
|
} else if ((errorMessage = request.getParameter("errorOAuth")) != null) {
|
|
|
|
|
path = "errorOAuth=" + sanitizeInput(errorMessage);
|
|
|
|
|
} else if (request.getParameter("oAuth2AutoCreateDisabled") != null) {
|
|
|
|
|
path = "errorOAuth=oAuth2AutoCreateDisabled";
|
|
|
|
|
} else if (request.getParameter("oAuth2AdminBlockedUser") != null) {
|
|
|
|
|
path = "errorOAuth=oAuth2AdminBlockedUser";
|
|
|
|
|
} else if (request.getParameter("userIsDisabled") != null) {
|
|
|
|
|
path = "errorOAuth=userIsDisabled";
|
|
|
|
|
} else if ((errorMessage = request.getParameter("error")) != null) {
|
|
|
|
|
path = "errorOAuth=" + sanitizeInput(errorMessage);
|
|
|
|
|
} else if (request.getParameter("badCredentials") != null) {
|
|
|
|
|
path = "errorOAuth=badCredentials";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return path;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Sanitize input to avoid potential security vulnerabilities. Will return a sanitised <code>
|
|
|
|
|
* String</code>.
|
|
|
|
|
*
|
|
|
|
|
* @return a sanitised <code>String</code>
|
|
|
|
|
*/
|
2024-10-20 13:30:58 +02:00
|
|
|
private String sanitizeInput(String input) {
|
|
|
|
|
return input.replaceAll("[^a-zA-Z0-9 ]", "");
|
2024-04-29 15:01:22 -06:00
|
|
|
}
|
2024-05-03 20:43:48 +01:00
|
|
|
}
|
