Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Removed logout confirmation page #106

Merged
merged 1 commit into from
Mar 1, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -29,14 +29,14 @@
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity.LogoutSpec;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

import lombok.extern.slf4j.Slf4j;

Expand Down Expand Up @@ -85,10 +85,6 @@ SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
// by proxified webapps, not the gateway.
http.csrf().disable();

http.formLogin()
.authenticationFailureHandler(new ExtendedRedirectServerAuthenticationFailureHandler("login?error"))
.loginPage("/login");

sortedCustomizers(customizers).forEach(customizer -> {
log.debug("Applying security customizer {}", customizer.getName());
customizer.customize(http);
Expand All @@ -99,7 +95,8 @@ SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
RedirectServerLogoutSuccessHandler defaultRedirect = new RedirectServerLogoutSuccessHandler();
defaultRedirect.setLogoutSuccessUrl(URI.create(georchestraLogoutUrl));

LogoutSpec logoutUrl = http.formLogin().loginPage("/login").and().logout().logoutUrl("/logout")
LogoutSpec logoutUrl = http.formLogin().loginPage("/login").and().logout()
.requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be better to have the possibility to choose whether or not we want the confirm page instead of hardcode it.

The confirm page should be the default behavior and direct logout should be a configuration in gateway.yaml. WDYT ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed for a configurable behavior, if it makes sense to you.
Default behavior should be as for the security proxy IMO : immediate logout.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am wondering if the default workflow from spring (GET /logout then POST /logout) is made on purpose e.g. for security's sake. I'm not an expert, what would be the risk / impact to directly logout the user after the GET request ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator

@f-necas f-necas Feb 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed we will keep only one strategy and won't keep logout page at all.

We will stay with a GET first to keep header's compatibility with gateway & security-proxy.

So LGTM then

.logoutSuccessHandler(oidcLogoutSuccessHandler != null ? oidcLogoutSuccessHandler : defaultRedirect);

return logoutUrl.and().build();
Expand Down
25 changes: 0 additions & 25 deletions gateway/src/main/resources/templates/logout.html

This file was deleted.

Loading