This repository was archived by the owner on Feb 27, 2020. It is now read-only.

Improvements: Fix several customization Issues #52

@pavax

Description

1. Provide the possibility to customize the AuthenticationSuccessHandler
Allow changing the default SavedRequestAwareAuthenticationSuccessHandler (fixes #50)

2. Provide the possibility to customize the AuthenticationFailureHandler
Allow changing the default SimpleUrlAuthenticationFailureHandler (fixes #50)

3. Provide the possibility to customize the LogoutSuccessHandler
Allow changing the default SimpleUrlLogoutSuccessHandler

4. Provide the ApplicationEventPublisher in order to publish Authentication Events

  1. Set an ApplicationEventPublisher in the SAMLProcessingFilter in order to publish an InteractiveAuthenticationSuccessEvent (fixes Not triggering InteractiveAuthenticationSuccessEvent #36)

  2. Set an AuthenticationEventPublisher on the AuthenticationManager (aka the ProviderManager) in order to publish AuthenticationSuccess and AuthenticationFailure events. Useful if spring-boot-actuator is on the classpath with AuditEvents being enabled (see: org.springframework.boot.actuate.security.AuthenticationAuditListener.java) (fixes Customize success and failure login handler #50)

5. Provide a possibility to set a custom EntryPoint for XMLHttpRequest
Nowadays many applications use JavaScript to communicate with the backend. If the session has expired or hasn't been created yet, it doesn't make sense to return them a 302 to the idp-login page, since JavaScript doesn't have a chance to detect that and receives the HTML login page. Provide a mechanism to return a different result if we detect that it was a JavaScript-triggered HTTP request. Most JavaScript frameworks send the header flag X-Requested-With: XMLHttpRequest, which can be used to detect that (see: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). Similar to how it is done in org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer.java

6. Provide a way to customize the RequestedAuthnContexts
We need to be able to customize the WebSSOProfileOptions to set the authnContexts so that the SP can control the authentication mechanism.

7. Provide a way to exclude the credentials from being stored in SAMLAuthenticationProvider
When false (default), the resulting Authentication object will include an instance of SAMLCredential as the credential value. Setting this value to true can be very useful if someone serializes the session to Redis (using spring-session), since the XML elements of the assertion can't be serialized. (fixes #42)

8. SingleLogout and CSRF Problem
Currently the AntPathRequestMatcher only considers the 'SSO' SAML assertion consumer but not the 'SingleLogout' endpoint. Thus an HTTP POST is rejected if CSRF is enabled.

I'll be working on a PR that fixes the mentioned issues
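Added example (not code from this issue or the project it targets): a plain Spring Security WebSecurityConfigurerAdapter that wires up items 5 and 8 above using only stock Spring Security classes, the same RequestHeaderRequestMatcher approach HttpBasicConfigurer uses. The SAML entry point bean and the /saml/SSO and /saml/SingleLogout paths are assumptions.

```java
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class SamlWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed: the application's SAML entry point bean that redirects browsers to the IdP.
    private final AuthenticationEntryPoint samlEntryPoint;

    public SamlWebSecurityConfig(AuthenticationEntryPoint samlEntryPoint) {
        this.samlEntryPoint = samlEntryPoint;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Item 5: XHR callers announce themselves with X-Requested-With. They get a 401 they
        // can act on instead of a 302 to the IdP login page they cannot follow. The header is
        // client-controlled, so it only selects the response shape; it never grants access.
        RequestMatcher xhr = new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
        entryPoints.put(xhr, new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(entryPoints);
        delegating.setDefaultEntryPoint(samlEntryPoint); // browsers still get the SAML redirect

        http
            .exceptionHandling().authenticationEntryPoint(delegating)
            .and()
            // Item 8: the IdP POSTs to both the assertion consumer and the SingleLogout endpoint
            // without a CSRF token, so exempt exactly those two POST paths (assumed paths) and
            // keep CSRF protection on for everything else.
            .csrf().ignoringRequestMatchers(
                new AntPathRequestMatcher("/saml/SSO/**", "POST"),
                new AntPathRequestMatcher("/saml/SingleLogout/**", "POST"))
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

A SAML LogoutRequest or LogoutResponse delivered with the POST binding is carried as a signed SAML message, so the signature check in the SAML filters, not the CSRF token, is what authenticates that request.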
