diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java
index c69ebac..a9b4390 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java
@@ -44,6 +44,7 @@ public final class SingleSignOutFilter extends AbstractConfigurationFilter {
         if (!isIgnoreInitConfiguration()) {
             handler.setArtifactParameterName(getPropertyFromInitParams(filterConfig, "artifactParameterName", "ticket"));
             handler.setLogoutParameterName(getPropertyFromInitParams(filterConfig, "logoutParameterName", "logoutRequest"));
+            handler.setArtifactParameterOverPost(parseBoolean(getPropertyFromInitParams(filterConfig, "artifactParameterOverPost", "false")));
         }
         handler.init();
     }
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
index f03c197..31f3e24 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
@@ -27,6 +27,9 @@ import org.apache.commons.logging.LogFactory;
 import org.jasig.cas.client.util.CommonUtils;
 import org.jasig.cas.client.util.XmlUtils;
 
+import java.util.Arrays;
+import java.util.List;
+
 /**
  * Performs CAS single sign-out operations in an API-agnostic fashion.
  *
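Review bot: The new `artifactParameterOverPost` init-param is wired in with no comment on what enabling it costs, and the literal default `"false"` is the only thing that preserves the previous behaviour. When it is true, `init()` in SingleSignOutHandler puts the ticket name into the list handed to `CommonUtils.safeGetParameter`, whose POST branch then calls `request.getParameter()` — so a filter that presumably runs `isTokenRequest` on every request will have the container parse the form body of every unrelated POST, which is what the query-string check was introduced to avoid. I would add above the new line: `// Opt-in: lets the ticket arrive in a POST body at the cost of request.getParameter() being called on every POST; keep false unless tickets are really sent that way.` The new init-param should also be documented alongside artifactParameterName and logoutParameterName wherever those are described; `parseBoolean` appears to come from the base filter, and its handling of null or mixed-case values is not visible here.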
@@ -49,11 +52,19 @@ public final class SingleSignOutHandler {
     /** Parameter name that stores logout request */
     private String logoutParameterName = "logoutRequest";
+    private boolean artifactParameterOverPost = false;
+
+    private List safeParameters;
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         this.sessionMappingStorage = storage;
     }
+    public void setArtifactParameterOverPost(final boolean artifactParameterOverPost) {
+        this.artifactParameterOverPost = artifactParameterOverPost;
+    }
+
     public SessionMappingStorage getSessionMappingStorage() {
         return this.sessionMappingStorage;
     }
@@ -78,7 +89,13 @@ public final class SingleSignOutHandler {
     public void init() {
         CommonUtils.assertNotNull(this.artifactParameterName, "artifactParameterName cannot be null.");
         CommonUtils.assertNotNull(this.logoutParameterName, "logoutParameterName cannot be null.");
-        CommonUtils.assertNotNull(this.sessionMappingStorage, "sessionMappingStorage cannote be null.");
+        CommonUtils.assertNotNull(this.sessionMappingStorage, "sessionMappingStorage cannot be null.");
+
+        if (this.artifactParameterOverPost) {
+            this.safeParameters = Arrays.asList(this.logoutParameterName, this.artifactParameterName);
+        } else {
+            this.safeParameters = Arrays.asList(this.logoutParameterName);
+        }
     }
 
     /**
@@ -89,7 +106,7 @@ public final class SingleSignOutHandler {
      * @return True if request contains authentication token, false otherwise.
      */
     public boolean isTokenRequest(final HttpServletRequest request) {
-        return CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.artifactParameterName));
+        return CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.artifactParameterName, this.safeParameters));
     }
 
     /**
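Review bot: `private List safeParameters;` is a raw type and is only assigned in `init()` (next hunk), so a `setArtifactParameterOverPost` call made after `init()` has no effect, and an `isTokenRequest`/`isLogoutRequest` call before `init()` passes null into `CommonUtils.safeGetParameter`, which dereferences it with `parameters.contains(parameter)` on any POST. Assuming the project compiles at Java 5 or later, declare it as `private List<String> safeParameters;` and give the new setter a Javadoc that states the ordering constraint, e.g. `/** Allows the artifact parameter to be read from a POST body as well as the query string. Must be called before {@link #init()}, which builds the list of parameters that may be read on a POST. */`. If the ordering constraint is not acceptable, build the list inside the setter (and in the two name setters) instead of in `init()`, so the field is never null once the names are set. The same null path is reached from `recordSession` and `destroySession` in the following hunks.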
@@ -101,7 +118,7 @@ public final class SingleSignOutHandler {
      */
     public boolean isLogoutRequest(final HttpServletRequest request) {
         return "POST".equals(request.getMethod()) && !isMultipartRequest(request) &&
-                CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName));
+                CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters));
     }
 
     /**
@@ -113,7 +130,7 @@ public final class SingleSignOutHandler {
     public void recordSession(final HttpServletRequest request) {
         final HttpSession session = request.getSession(true);
-        final String token = CommonUtils.safeGetParameter(request, this.artifactParameterName);
+        final String token = CommonUtils.safeGetParameter(request, this.artifactParameterName, this.safeParameters);
         if (log.isDebugEnabled()) {
             log.debug("Recording session for token " + token);
         }
@@ -132,7 +149,7 @@ public final class SingleSignOutHandler {
      * @param request HTTP request containing a CAS logout message.
      */
     public void destroySession(final HttpServletRequest request) {
-        final String logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName);
+        final String logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters);
         if (log.isTraceEnabled()) {
             log.trace ("Logout request:\n" + logoutMessage);
         }
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/util/AbstractCasFilter.java b/cas-client-core/src/main/java/org/jasig/cas/client/util/AbstractCasFilter.java
index 79c94b3..ed479b8 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/AbstractCasFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/AbstractCasFilter.java
@@ -26,6 +26,7 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.util.Arrays;
 
 /**
  * Abstract filter that contains code that is common to all CAS filters.
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java b/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java
index 2073317..c1fc116 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java
@@ -41,9 +41,7 @@ import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
-import java.util.Collection;
-import java.util.Date;
-import java.util.TimeZone;
+import java.util.*;
 
 /**
  * Common utilities so that we don't need to include Commons Lang.
@@ -307,19 +305,26 @@ public final class CommonUtils {
      * parameter is ALWAYS in the GET request.
      *
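Review bot: Replacing the three explicit imports with `import java.util.*;` is a style regression for a change that only needs two more names; keep `java.util.Collection`, `java.util.Date` and `java.util.TimeZone` (presumably still used elsewhere in CommonUtils) and add `import java.util.Arrays;` and `import java.util.List;`. The `import java.util.Arrays;` added to AbstractCasFilter in the hunk above is not used by any other change in this diff, so it looks like a leftover and should be dropped unless a change outside the diff needs it.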

 * If we see the "logoutRequest" parameter we MUST treat it as if calling the standard request.getParameter.
+ *

+ * Note, that as of 3.3.0, we've made it more generic.
+ *

      *
      * @param request the request to check.
      * @param parameter the parameter to look for.
      * @return the value of the parameter.
      */
-    public static String safeGetParameter(final HttpServletRequest request, final String parameter) {
-        if ("POST".equals(request.getMethod()) && "logoutRequest".equals(parameter)) {
-            LOG.debug("safeGetParameter called on a POST HttpServletRequest for LogoutRequest. Cannot complete check safely. Reverting to standard behavior for this Parameter");
+    public static String safeGetParameter(final HttpServletRequest request, final String parameter, final List parameters) {
+        if ("POST".equals(request.getMethod()) && parameters.contains(parameter)) {
+            LOG.debug("safeGetParameter called on a POST HttpServletRequest for Restricted Parameters. Cannot complete check safely. Reverting to standard behavior for this Parameter");
             return request.getParameter(parameter);
         }
         return request.getQueryString() == null || !request.getQueryString().contains(parameter) ? null : request.getParameter(parameter);
     }
 
+    public static String safeGetParameter(final HttpServletRequest request, final String parameter) {
+        return safeGetParameter(request, parameter, Arrays.asList("logoutRequest"));
+    }
+
     /**
      * Contacts the remote URL and returns the response.
      *
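Review bot: The new `parameters` argument is neither documented nor checked: the Javadoc only gained "we've made it more generic" with no `@param parameters`, the parameter is a raw `List`, and `parameters.contains(parameter)` throws NullPointerException on a POST when a caller passes null (SingleSignOutHandler does exactly that until its `init()` has run). Assuming Java 5 or later, change the signature to `final List<String> parameters`, add `assertNotNull(parameters, "parameters cannot be null.");` as the first statement (the helper already exists in this class), and replace the 3.3.0 note with `@param parameters the names that may be read with request.getParameter() even on a POST, i.e. names expected in the body rather than the query string.` The two-argument overload rebuilds `Arrays.asList("logoutRequest")` on every call and has no Javadoc; a `private static final List<String> DEFAULT_SAFE_PARAMETERS = Arrays.asList("logoutRequest");` plus a one-line Javadoc saying it delegates with that default would make the behaviour visible at a glance.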