Fix the SAML logout support in authentication delegation #6205
Conversation
|
Thank you. The puppeteer setup allows one to run many CAS servers in parallel. Look for the ""instances": 2," property in the script.json files and you'll find examples. I am not sure it makes sense in this case; just wanted to point that out it's possible. |
|
I didn't know about the "instances" option. I see that they can have different configurations as well. That's great! I will try to setup something to demonstrate the scenario. It would make the fix more obvious. |
| public String getSupplementedUrlExternalForm(final URL url) { | ||
| val externalForm = url.toExternalForm(); | ||
| if (externalForm.contains("?")) { | ||
| return externalForm + "&"; | ||
| } | ||
| return externalForm + "?"; | ||
| } |
There was a problem hiding this comment.
I would suggest that you modify the original function to handle this scenario, instead of a new one.
Also, this check if (externalForm.contains("?")) { is slightly strange. Would it make sense to see if the URL just ends with a ? ?
There was a problem hiding this comment.
In fact, the original function is already used in the casPropagateLogoutView.html to send the logout as an AJAX call:
$.ajax({
url: [[${@casThymeleafTemplatesDirector.getUrlExternalForm(entry.key.logoutUrl)}]],
dataType: 'jsonp',
async: true,
contentType: [[${entry.value.contentType}]]
, data: [[${entry.value.message}]]In that case, the additionnal ? or & is not necessary as the message is not sent in the request URL.
Though, I can supplement the original function and not create a new one.
About the test, it really is a contains and not only a endsWith as the logout URL can be for example: http://localhost:8080/cas/login?client_name=XXX.
There was a problem hiding this comment.
Thanks for the notes. "Fixing" the original function sounds better to me. It seems less code to manage and test and regardless of where it's used getUrlExternalForm should just behave more correctly.
leleuj
force-pushed
the
authndelegatsamllogout
branch
from
36efb71
to
061692c
Compare
|
@mmoayyed I struggled a bit in configuration, but I managed to add a Puppeteer test to confirm the fix. This is quite simple: localhost:8443 is the SAML server and localhost:8444 is the client. I call localhost:8444/login, delegates to localhost:8443/login and log in. |
|
Thanks much for working out the test. Please look at the failing tests; there seems to be at least 1 test case in this area that deals with SLO and redirect URLs that likely is broken. |
leleuj
force-pushed
the
authndelegatsamllogout
branch
from
9c224b8
to
f23e664
Compare
|
I guess you are referring to |
|
Indeed, the change in To be able to handle the front channel scenario in an iframe, we must destroy the SSO session related to the session index for the I'm not sure of the behavior of the @mmoayyed Any idea? |
Here is my use case: I have two CAS servers, the first one delegates the authentication to the second one acting as a SAML IdP. The first CAS server is defined by a SAML service with
logoutType:FRONT_CHANNELin the second one.A logout is made on the second CAS server which propagates to the first one.
Two problems happen here:
in case of an IFRAME SLO support (
cas.slo.logout-propagation-type: IFRAME), the logout URL built is:http://localhost:8080/cas/login?client_name=Client1?logoutRequest=%3C%3Fxml+versi...There are two question marks. It is fixed in this PR by changing theCasThymeleafTemplatesDirectorand thecasPropagateLogoutView.html.The logout call is made using
GETwhile currently, onlyPOSTis supported. It is fixed in this PR by changing theDelegatedSaml2ClientLogoutAction.java.I have added unit tests, but no Puppeteer test as it would require to start two CAS servers.