From ba5982e1eb11e804a6b7d5892d7610c610e3ebe7 Mon Sep 17 00:00:00 2001
From: Matt Drees <matt.drees@cru.org>
Date: Mon, 23 Jul 2018 17:12:37 -0600
Subject: [PATCH] Add option to prevent entity stream consumption

If someone's app cannot handle the SingleSignOutFilter's consumption of entity streams
(via a `request.getParameter()` call) on all requests,
they can use this option in conjunction with setting up a service logout URL at the CAS server.
The filter will now only consume the stream on requests to this path.

Fixes https://github.com/apereo/java-cas-client/issues/210.
---
 README.md                                     |  1 +
 .../configuration/ConfigurationKeys.java      |  1 +
 .../client/session/SingleSignOutFilter.java   |  5 ++++
 .../client/session/SingleSignOutHandler.java  | 27 +++++++++++++++++--
 .../session/SingleSignOutHandlerTests.java    | 27 +++++++++++++++++--
 .../client/tomcat/v6/SingleSignOutValve.java  |  4 +++
 .../client/tomcat/v7/SingleSignOutValve.java  |  4 +++
 .../client/tomcat/v8/SingleSignOutValve.java  |  4 +++
 .../client/tomcat/v85/SingleSignOutValve.java |  4 +++
 9 files changed, 73 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 399e268..e00dd48 100644
--- a/README.md
+++ b/README.md
@@ -663,6 +663,7 @@ The `SingleSignOutFilter` can affect character encoding. This becomes most obvio
 | `relayStateParameterName` | Defaults to `RelayState` | No
 | `eagerlyCreateSessions` | Defaults to `true` | No
 | `artifactParameterOverPost` | Defaults to  `false` | No
+| `logoutPath` | The path which will receive logout callback requests from the CAS server. This is necessary if your app needs access to the raw input stream when handling form posts. If not configured, the default behavior will check every request for a logout parameter. | No
 | `casServerUrlPrefix` | URL to root of CAS Web application context. | Yes
 
 <a name="cas-protocol"></a>
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java
index 109aadd..682dffb 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java
@@ -78,4 +78,5 @@ public interface ConfigurationKeys {
     ConfigurationKey<Class<? extends Cas20ServiceTicketValidator>> TICKET_VALIDATOR_CLASS = new ConfigurationKey<Class<? extends Cas20ServiceTicketValidator>>("ticketValidatorClass", null);
     ConfigurationKey<String> PROXY_CALLBACK_URL = new ConfigurationKey<String>("proxyCallbackUrl", null);
     ConfigurationKey<String> RELAY_STATE_PARAMETER_NAME = new ConfigurationKey<String>("relayStateParameterName", "RelayState");
+    ConfigurationKey<String> LOGOUT_PATH = new ConfigurationKey<String>("logoutPath", null);
 }
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java
index 25d645c..87f2895 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java
@@ -48,6 +48,7 @@ public final class SingleSignOutFilter extends AbstractConfigurationFilter {
             setLogoutParameterName(getString(ConfigurationKeys.LOGOUT_PARAMETER_NAME));
             setRelayStateParameterName(getString(ConfigurationKeys.RELAY_STATE_PARAMETER_NAME));
             setCasServerUrlPrefix(getString(ConfigurationKeys.CAS_SERVER_URL_PREFIX));
+            setLogoutPath(getString(ConfigurationKeys.LOGOUT_PATH));
             HANDLER.setArtifactParameterOverPost(getBoolean(ConfigurationKeys.ARTIFACT_PARAMETER_OVER_POST));
             HANDLER.setEagerlyCreateSessions(getBoolean(ConfigurationKeys.EAGERLY_CREATE_SESSIONS));
         }
@@ -71,6 +72,10 @@ public final class SingleSignOutFilter extends AbstractConfigurationFilter {
         HANDLER.setCasServerUrlPrefix(casServerUrlPrefix);
     }
 
+    public void setLogoutPath(String logoutPath) {
+        HANDLER.setLogoutPath(logoutPath);
+    }
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         HANDLER.setSessionMappingStorage(storage);
     }
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
index 26932db..ace2745 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
@@ -66,6 +66,9 @@ public final class SingleSignOutHandler {
     /** The prefix url of the CAS server */
     private String casServerUrlPrefix = "";
 
+    /** The logout path configured at the CAS server, if there is one */
+    private String logoutPath;
+
     private boolean artifactParameterOverPost = false;
 
     private boolean eagerlyCreateSessions = true;
@@ -106,7 +109,14 @@ public final class SingleSignOutHandler {
     public void setCasServerUrlPrefix(final String casServerUrlPrefix) {
         this.casServerUrlPrefix = casServerUrlPrefix;
     }
-    
+
+    /**
+     * @param logoutPath The logout path configured at the CAS server.
+     */
+    public void setLogoutPath(String logoutPath) {
+        this.logoutPath = logoutPath;
+    }
+
     /**
      * @param name Name of parameter containing the state of the CAS server webflow.
      */
@@ -163,6 +173,7 @@ public final class SingleSignOutHandler {
     private boolean isLogoutRequest(final HttpServletRequest request) {
         if ("POST".equalsIgnoreCase(request.getMethod())) {
             return !isMultipartRequest(request)
+                    && pathMatches(request)
                     && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName,
                     this.safeParameters));
         }
@@ -172,7 +183,19 @@ public final class SingleSignOutHandler {
         }
         return false;
     }
-    
+
+    private boolean pathMatches(HttpServletRequest request) {
+        return logoutPath == null || logoutPath.equals(getPath(request));
+    }
+
+    private String getPath(HttpServletRequest request) {
+        return request.getServletPath() + nullToEmpty(request.getPathInfo());
+    }
+
+    private String nullToEmpty(String string) {
+        return string == null ? "" : string;
+    }
+
     /**
      * Process a request regarding the SLO process: record the session or destroy it.
      *
diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutHandlerTests.java b/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutHandlerTests.java
index 164a362..64d837f 100644
--- a/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutHandlerTests.java
+++ b/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutHandlerTests.java
@@ -116,13 +116,36 @@ public final class SingleSignOutHandlerTests {
 
     @Test
     public void backChannelLogoutOK() {
+        final MockHttpSession session = doBackChannelLogout();
+        assertFalse(handler.process(request, response));
+        assertTrue(session.isInvalid());
+    }
+
+    @Test
+    public void backChannelLogoutDoesDoesNotRunIfLogoutPathDoesNotMatch() {
+        handler.setLogoutPath("/logout");
+        request.setServletPath("/not-a-logout");
+        final MockHttpSession session = doBackChannelLogout();
+        assertTrue(handler.process(request, response));
+        assertFalse(session.isInvalid());
+    }
+
+    @Test
+    public void backChannelLogoutRunsWhenLogoutPathDoesMatch() {
+        handler.setLogoutPath("/logout");
+        request.setServletPath("/logout");
+        final MockHttpSession session = doBackChannelLogout();
+        assertFalse(handler.process(request, response));
+        assertTrue(session.isInvalid());
+    }
+
+    private MockHttpSession doBackChannelLogout() {
         final String logoutMessage = LogoutMessageGenerator.generateBackChannelLogoutMessage(TICKET);
         request.setParameter(LOGOUT_PARAMETER_NAME, logoutMessage);
         request.setMethod("POST");
         final MockHttpSession session = new MockHttpSession();
         handler.getSessionMappingStorage().addSessionById(TICKET, session);
-        assertFalse(handler.process(request, response));
-        assertTrue(session.isInvalid());
+        return session;
     }
 
     @Test
diff --git a/cas-client-integration-tomcat-v6/src/main/java/org/jasig/cas/client/tomcat/v6/SingleSignOutValve.java b/cas-client-integration-tomcat-v6/src/main/java/org/jasig/cas/client/tomcat/v6/SingleSignOutValve.java
index 00c63dc..c752052 100644
--- a/cas-client-integration-tomcat-v6/src/main/java/org/jasig/cas/client/tomcat/v6/SingleSignOutValve.java
+++ b/cas-client-integration-tomcat-v6/src/main/java/org/jasig/cas/client/tomcat/v6/SingleSignOutValve.java
@@ -60,6 +60,10 @@ public class SingleSignOutValve extends AbstractLifecycleValve implements Sessio
         this.handler.setCasServerUrlPrefix(casServerUrlPrefix);
     }
 
+    public void setLogoutPath(String logoutPath) {
+        this.handler.setLogoutPath(logoutPath);
+    }
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         this.handler.setSessionMappingStorage(storage);
     }
diff --git a/cas-client-integration-tomcat-v7/src/main/java/org/jasig/cas/client/tomcat/v7/SingleSignOutValve.java b/cas-client-integration-tomcat-v7/src/main/java/org/jasig/cas/client/tomcat/v7/SingleSignOutValve.java
index e7cd85d..364db7b 100644
--- a/cas-client-integration-tomcat-v7/src/main/java/org/jasig/cas/client/tomcat/v7/SingleSignOutValve.java
+++ b/cas-client-integration-tomcat-v7/src/main/java/org/jasig/cas/client/tomcat/v7/SingleSignOutValve.java
@@ -64,6 +64,10 @@ public class SingleSignOutValve extends ValveBase implements SessionListener {
         this.handler.setCasServerUrlPrefix(casServerUrlPrefix);
     }
 
+    public void setLogoutPath(String logoutPath) {
+        this.handler.setLogoutPath(logoutPath);
+    }
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         this.handler.setSessionMappingStorage(storage);
     }
diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/SingleSignOutValve.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/SingleSignOutValve.java
index de77527..e4dcee4 100644
--- a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/SingleSignOutValve.java
+++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/SingleSignOutValve.java
@@ -64,6 +64,10 @@ public class SingleSignOutValve extends ValveBase implements SessionListener {
         this.handler.setCasServerUrlPrefix(casServerUrlPrefix);
     }
 
+    public void setLogoutPath(String logoutPath) {
+        this.handler.setLogoutPath(logoutPath);
+    }
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         this.handler.setSessionMappingStorage(storage);
     }
diff --git a/cas-client-integration-tomcat-v85/src/main/java/org/jasig/cas/client/tomcat/v85/SingleSignOutValve.java b/cas-client-integration-tomcat-v85/src/main/java/org/jasig/cas/client/tomcat/v85/SingleSignOutValve.java
index 18aca7a..1dd127d 100644
--- a/cas-client-integration-tomcat-v85/src/main/java/org/jasig/cas/client/tomcat/v85/SingleSignOutValve.java
+++ b/cas-client-integration-tomcat-v85/src/main/java/org/jasig/cas/client/tomcat/v85/SingleSignOutValve.java
@@ -64,6 +64,10 @@ public class SingleSignOutValve extends ValveBase implements SessionListener {
         this.handler.setCasServerUrlPrefix(casServerUrlPrefix);
     }
 
+    public void setLogoutPath(String logoutPath) {
+        this.handler.setLogoutPath(logoutPath);
+    }
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         this.handler.setSessionMappingStorage(storage);
     }