parent
84aa06629f
commit
477fc582f0
@ -44,6 +44,7 @@ public final class SingleSignOutFilter extends AbstractConfigurationFilter {
|
|||
if (!isIgnoreInitConfiguration()) {
|
||||
handler.setArtifactParameterName(getPropertyFromInitParams(filterConfig, "artifactParameterName", "ticket"));
|
||||
handler.setLogoutParameterName(getPropertyFromInitParams(filterConfig, "logoutParameterName", "logoutRequest"));
|
||||
handler.setArtifactParameterOverPost(parseBoolean(getPropertyFromInitParams(filterConfig, "artifactParameterOverPost", "false")));
|
||||
}
|
||||
handler.init();
|
||||
}
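Review bot: The new `artifactParameterOverPost` init-param is read without any comment saying what it relaxes, although it decides whether the ticket parameter is accepted from a POST body — the lookup that SingleSignOutHandler's calls to CommonUtils.safeGetParameter otherwise limit to the query string on POST requests. A comment above the line, such as `// "true" lets the artifact (ticket) parameter be read from a POST body as well as the query string; defaults to "false".`, would make that visible to whoever edits the filter configuration. `parseBoolean` is unqualified, so whether it is Boolean.parseBoolean or a local helper is not visible in this hunk; the enclosing method starts outside the hunk.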
|
||||
@ -27,6 +27,9 @@ import org.apache.commons.logging.LogFactory;
|
|||
import org.jasig.cas.client.util.CommonUtils;
|
||||
import org.jasig.cas.client.util.XmlUtils;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Performs CAS single sign-out operations in an API-agnostic fashion.
|
||||
*
|
||||
|
|
@ -49,11 +52,19 @@ public final class SingleSignOutHandler {
|
|||
/** Parameter name that stores logout request */
|
||||
private String logoutParameterName = "logoutRequest";
|
||||
|
||||
private boolean artifactParameterOverPost = false;
|
||||
|
||||
private List<String> safeParameters;
|
||||
|
||||
|
||||
public void setSessionMappingStorage(final SessionMappingStorage storage) {
|
||||
this.sessionMappingStorage = storage;
|
||||
}
|
||||
|
||||
public void setArtifactParameterOverPost(final boolean artifactParameterOverPost) {
|
||||
this.artifactParameterOverPost = artifactParameterOverPost;
|
||||
}
|
||||
|
||||
public SessionMappingStorage getSessionMappingStorage() {
|
||||
return this.sessionMappingStorage;
|
||||
}
|
||||
|
|
@ -78,7 +89,13 @@ public final class SingleSignOutHandler {
|
|||
public void init() {
|
||||
CommonUtils.assertNotNull(this.artifactParameterName, "artifactParameterName cannot be null.");
|
||||
CommonUtils.assertNotNull(this.logoutParameterName, "logoutParameterName cannot be null.");
|
||||
CommonUtils.assertNotNull(this.sessionMappingStorage, "sessionMappingStorage cannote be null.");
|
||||
CommonUtils.assertNotNull(this.sessionMappingStorage, "sessionMappingStorage cannot be null.");
|
||||
|
||||
if (this.artifactParameterOverPost) {
|
||||
this.safeParameters = Arrays.asList(this.logoutParameterName, this.artifactParameterName);
|
||||
} else {
|
||||
this.safeParameters = Arrays.asList(this.logoutParameterName);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -89,7 +106,7 @@ public final class SingleSignOutHandler {
|
|||
* @return True if request contains authentication token, false otherwise.
|
||||
*/
|
||||
public boolean isTokenRequest(final HttpServletRequest request) {
|
||||
return CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.artifactParameterName));
|
||||
return CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.artifactParameterName, this.safeParameters));
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -101,7 +118,7 @@ public final class SingleSignOutHandler {
|
|||
*/
|
||||
public boolean isLogoutRequest(final HttpServletRequest request) {
|
||||
return "POST".equals(request.getMethod()) && !isMultipartRequest(request) &&
|
||||
CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName));
|
||||
CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters));
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -113,7 +130,7 @@ public final class SingleSignOutHandler {
|
|||
public void recordSession(final HttpServletRequest request) {
|
||||
final HttpSession session = request.getSession(true);
|
||||
|
||||
final String token = CommonUtils.safeGetParameter(request, this.artifactParameterName);
|
||||
final String token = CommonUtils.safeGetParameter(request, this.artifactParameterName, this.safeParameters);
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Recording session for token " + token);
|
||||
}
|
||||
|
|
@ -132,7 +149,7 @@ public final class SingleSignOutHandler {
|
|||
* @param request HTTP request containing a CAS logout message.
|
||||
*/
|
||||
public void destroySession(final HttpServletRequest request) {
|
||||
final String logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName);
|
||||
final String logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters);
|
||||
if (log.isTraceEnabled()) {
|
||||
log.trace ("Logout request:\n" + logoutMessage);
|
||||
}
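Review bot: `safeParameters` is assigned only in init(), so isTokenRequest, isLogoutRequest, recordSession and destroySession hand a null list to CommonUtils.safeGetParameter until init() has run, and any call to setArtifactParameterOverPost, setArtifactParameterName or setLogoutParameterName after init() leaves the cached list stale; since the three-argument safeGetParameter evaluates `parameters.contains(parameter)` on every POST, a handler that is configured but never initialised fails with a NullPointerException on the first POST. The flag is also security-relevant and undocumented: when it is true the artifact parameter is fetched with plain request.getParameter on POST requests, which is exactly the lookup safeGetParameter otherwise refuses for POST. Suggest a Javadoc on setArtifactParameterOverPost such as `/** When true, the artifact (ticket) parameter may be read from a POST body as well as the query string. Takes effect only when {@link #init()} rebuilds the safe-parameter list, so set it before init(). */`, and consider deriving the list from the two names and the flag at the point of use instead of caching it, which removes the ordering dependency entirely.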
|
||||
@ -26,6 +26,7 @@ import javax.servlet.FilterConfig;
|
|||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.util.Arrays;
|
||||
|
||||
/**
|
||||
* Abstract filter that contains code that is common to all CAS filters.
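Review bot: `java.util.Arrays` is imported into AbstractConfigurationFilter but nothing in this section uses it, and no other hunk for the file appears in this commit; unless a use exists elsewhere in the file, the import is dead and should be dropped.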
|
||||
@ -41,9 +41,7 @@ import java.net.HttpURLConnection;
|
|||
import java.net.MalformedURLException;
|
||||
import java.text.DateFormat;
|
||||
import java.text.SimpleDateFormat;
|
||||
import java.util.Collection;
|
||||
import java.util.Date;
|
||||
import java.util.TimeZone;
|
||||
import java.util.*;
|
||||
|
||||
/**
|
||||
* Common utilities so that we don't need to include Commons Lang.
|
||||
|
|
@ -307,19 +305,26 @@ public final class CommonUtils {
|
|||
* parameter is ALWAYS in the GET request.
|
||||
* <p>
|
||||
* If we see the "logoutRequest" parameter we MUST treat it as if calling the standard request.getParameter.
|
||||
* <p>
|
||||
* Note, that as of 3.3.0, we've made it more generic.
|
||||
* </p>
|
||||
*
|
||||
* @param request the request to check.
|
||||
* @param parameter the parameter to look for.
|
||||
* @return the value of the parameter.
|
||||
*/
|
||||
public static String safeGetParameter(final HttpServletRequest request, final String parameter) {
|
||||
if ("POST".equals(request.getMethod()) && "logoutRequest".equals(parameter)) {
|
||||
LOG.debug("safeGetParameter called on a POST HttpServletRequest for LogoutRequest. Cannot complete check safely. Reverting to standard behavior for this Parameter");
|
||||
public static String safeGetParameter(final HttpServletRequest request, final String parameter, final List<String> parameters) {
|
||||
if ("POST".equals(request.getMethod()) && parameters.contains(parameter)) {
|
||||
LOG.debug("safeGetParameter called on a POST HttpServletRequest for Restricted Parameters. Cannot complete check safely. Reverting to standard behavior for this Parameter");
|
||||
return request.getParameter(parameter);
|
||||
}
|
||||
return request.getQueryString() == null || !request.getQueryString().contains(parameter) ? null : request.getParameter(parameter);
|
||||
}
|
||||
|
||||
public static String safeGetParameter(final HttpServletRequest request, final String parameter) {
|
||||
return safeGetParameter(request, parameter, Arrays.asList("logoutRequest"));
|
||||
}
|
||||
|
||||
/**
|
||||
* Contacts the remote URL and returns the response.
|
||||
*
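Review bot: The new three-argument safeGetParameter dereferences `parameters` unconditionally in `parameters.contains(parameter)` for POST requests, and the caller this commit adds in SingleSignOutHandler keeps that list in a field that is null until its init() runs, so the precondition belongs here: `assertNotNull(parameters, "parameters cannot be null.");` as the first statement, matching how SingleSignOutHandler.init() validates its own fields. The Javadoc above the method was kept from the two-argument form and has no `@param parameters`; add `@param parameters the parameter names that may be read via the standard request.getParameter lookup even on a POST.` and give the new two-argument overload a one-line Javadoc stating that it restricts that list to "logoutRequest". Replacing the explicit java.util imports with `import java.util.*;` is a style regression; adding `import java.util.Arrays;` and `import java.util.List;` next to the existing explicit imports covers the new signature and the Arrays.asList call.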
|
||||