From bd4582159b496264d521944199486d5925b9d153 Mon Sep 17 00:00:00 2001 From: Mark Patton Date: Tue, 23 Apr 2024 10:13:56 -0400 Subject: [PATCH] Make the SAML login processing URL configurable. --- README.md | 4 +++- .../eclipse/pass/main/security/SecurityConfiguration.java | 7 ++++++- pass-core-main/src/main/resources/application.yaml | 1 + 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5d1e13b..e96b525 100644 --- a/README.md +++ b/README.md @@ -70,6 +70,7 @@ Environment variables: * PASS_CORE_LOGOUT_DELETE_COOKIES="JSESSIONID /" * PASS_CORE_SP_ID=https://sp.pass/shibboleth * PASS_CORE_SP_ACS=http://localhost:8080/login/saml2/sso/pass +* PASS_CORE_LOGIN_PROCESSING_PATH=/login/saml2/sso/pass * PASS_CORE_SP_KEY=classpath:saml2/sp-key.pem * PASS_CORE_SP_CERT=classpath:saml2/sp-cert.pem * PASS_CORE_SUBMISSION_EVENT_QUEUE=pass-submission-event @@ -98,7 +99,8 @@ The `SUBMITTER` has full access to all other services. The `PASS_CORE_SP_KEY` and `PASS_CORE_SP_CERT` environment variables set the location of the keys used by pass-core to encrypt SAML communication. Use `PASS_CORE_SP_ID` to set the identifier of the pass-core SP, `PASS_CORE_IDP_METADATA` to set the location where IDP metadata can be retrieved, -and `PASS_CORE_SP_ACS` for the Assertion Consumer Service of the SP. +`PASS_CORE_SP_ACS` for the Assertion Consumer Service of the SP and `PASS_CORE_LOGIN_PROCESSING_PATH` to set the path for handling login from the IDP. +Note that `PASS_CORE_SP_ACS` is a URL which must match the path specified in `PASS_CORE_LOGIN_PROCESSING_PATH`. The defaults are set such that the integration tests can run against a [SimpleSAMLphp based IDP](https://github.com/kenchan0130/docker-simplesamlphp/) using resources included in `saml2/`. These defaults should not be used in production. diff --git a/pass-core-main/src/main/java/org/eclipse/pass/main/security/SecurityConfiguration.java b/pass-core-main/src/main/java/org/eclipse/pass/main/security/SecurityConfiguration.java index 358fc3b..6c83237 100644 --- a/pass-core-main/src/main/java/org/eclipse/pass/main/security/SecurityConfiguration.java +++ b/pass-core-main/src/main/java/org/eclipse/pass/main/security/SecurityConfiguration.java @@ -53,6 +53,9 @@ public class SecurityConfiguration { @Value("${pass.default-login-success-url}") private String defaultLoginSuccessUrl; + @Value("${pass.login-processing-path}") + private String loginProcessingPath; + @Value("${pass.csp}") private String contentSecurityPolicy; @@ -99,7 +102,9 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { (request, response, authException) -> response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase())))); - http.saml2Login(s -> s.defaultSuccessUrl(defaultLoginSuccessUrl)); + http.saml2Login(s -> s.defaultSuccessUrl(defaultLoginSuccessUrl). + loginProcessingUrl(loginProcessingPath)); + http.saml2Metadata(Customizer.withDefaults()); http.saml2Logout(Customizer.withDefaults()); diff --git a/pass-core-main/src/main/resources/application.yaml b/pass-core-main/src/main/resources/application.yaml index a492e60..d14973a 100644 --- a/pass-core-main/src/main/resources/application.yaml +++ b/pass-core-main/src/main/resources/application.yaml @@ -112,6 +112,7 @@ pass: sqs: ${PASS_CORE_USE_SQS:false} embed: ${PASS_CORE_EMBED_JMS_BROKER:true} default-login-success-url: ${PASS_CORE_DEFAULT_LOGIN_SUCCESS:/app/} + login-processing-path: ${PASS_CORE_LOGIN_PROCESSING_PATH:/login/saml2/sso/{registrationId}} logout-delete-cookies: ${PASS_CORE_LOGOUT_DELETE_COOKIES:JSESSIONID /} logout-success-url: ${PASS_CORE_LOGOUT_SUCCESS:/login} policy: