Merge pull request #1172 from stormpath/1158_handlers_fix_using_spring_security_in_front_stormpath

Fix for SS Login and Logout handlers not being invoked

Author: dogeared

examples/spring-security-spring-boot-webmvc-bare-bones/src/main/resources/static/index.html

@@ -1,3 +1,18 @@
+<!--/*
+~ Copyright 2016 Stormpath, Inc.
+~
+~ Licensed under the Apache License, Version 2.0 (the "License");
+~ you may not use this file except in compliance with the License.
+~ You may obtain a copy of the License at
+~
+~     http://www.apache.org/licenses/LICENSE-2.0
+~
+~ Unless required by applicable law or agreed to in writing, software
+~ distributed under the License is distributed on an "AS IS" BASIS,
+~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~ See the License for the specific language governing permissions and
+~ limitations under the License.
+*/-->
 <!DOCTYPE html>
 <html>
     <head>

examples/spring-security-webmvc/src/main/java/com/stormpath/spring/examples/WebAppInitializer.java

@@ -15,6 +15,7 @@
  */
 package com.stormpath.spring.examples;
 
+import com.stormpath.sdk.servlet.filter.StormpathFilter;
 import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
 import org.springframework.web.WebApplicationInitializer;
 import org.springframework.web.context.ContextLoaderListener;
@@ -46,14 +47,15 @@ public void onStartup(ServletContext sc) throws ServletException {
         dispatcher.setLoadOnStartup(1);
         dispatcher.addMapping("/");
 
-        //Stormpath Filter
-        FilterRegistration.Dynamic filter = sc.addFilter("stormpathFilter", new DelegatingFilterProxy());
+        //Spring Security Filter: in front of Stormpath
+        FilterRegistration.Dynamic securityFilter = sc.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
+        securityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");
+
+        //Stormpath Filter (after Spring Security)
+        FilterRegistration.Dynamic stormpathFilter = sc.addFilter(StormpathFilter.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
         EnumSet<DispatcherType> types =
                 EnumSet.of(DispatcherType.ERROR, DispatcherType.FORWARD, DispatcherType.INCLUDE, DispatcherType.REQUEST);
-        filter.addMappingForUrlPatterns(types, false, "/*");
+        stormpathFilter.addMappingForUrlPatterns(types, false, "/*");
 
-        //Spring Security Filter
-        FilterRegistration.Dynamic securityFilter = sc.addFilter(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME, DelegatingFilterProxy.class);
-        securityFilter.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");
     }
 }

extensions/httpclient/src/test/groovy/com/stormpath/sdk/impl/saml/SamlIdentityProviderIT.groovy

@@ -630,7 +630,7 @@ yl85oFHAdkguTA==
 
         CreateSamlResponseRequest createSamlResponseRequest = client.instantiate(CreateSamlResponseRequest.class)
         createSamlResponseRequest.setAccount(account)
-                createSamlResponseRequest.setAuthnIssueInstant(new Date())
+        createSamlResponseRequest.setAuthnIssueInstant(new Date())
         createSamlResponseRequest.setRequestId(requestId)
                 .setServiceProvider(registeredSamlServiceProvider)
 

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/filter/StormpathFilter.java

@@ -37,6 +37,8 @@
  */
 public class StormpathFilter extends HttpFilter {
 
+    public final static String DEFAULT_FILTER_NAME = "stormpathFilter";
+
     private FilterChainResolver filterChainResolver;
     private Set<String> clientRequestAttributeNames;
     private Set<String> applicationRequestAttributeNames;

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/AbstractSocialCallbackController.java

@@ -55,7 +55,7 @@ public boolean isNotAllowedIfAuthenticated() {
         return true;
     }
 
-    protected abstract ProviderAccountRequest getAccountProviderRequest(HttpServletRequest request);
+    public abstract ProviderAccountRequest getAccountProviderRequest(HttpServletRequest request);
 
     @Override
     protected ViewModel doGet(HttpServletRequest request, HttpServletResponse response) throws Exception {

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/DefaultProviderAccountRequestFactory.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright 2017 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.sdk.servlet.mvc;
+
+import com.stormpath.sdk.lang.Strings;
+import com.stormpath.sdk.provider.ProviderAccountRequest;
+import com.stormpath.sdk.provider.Providers;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Map;
+
+import static com.stormpath.sdk.servlet.mvc.JacksonFieldValueResolver.MARSHALLED_OBJECT;
+
+// Refactor of Provider requests for
+// https://github.com/stormpath/stormpath-sdk-java/issues/915
+// and to provide uniform responses across all integrations for
+// conformance to stormpath-framework-spec as enforced by
+// stormpath-framework-tck
+/**
+ * @since 1.3.0
+ */
+public class DefaultProviderAccountRequestFactory implements ProviderAccountRequestFactory {
+
+    private static final Logger log = LoggerFactory.getLogger(DefaultProviderAccountRequestFactory.class);
+
+    private final GithubAccessTokenResolver githubAccessTokenResolver = new GithubAccessTokenResolver();
+
+    @Override
+    @SuppressWarnings("unchecked")
+    public ProviderAccountRequest getProviderAccountRequest(HttpServletRequest request) {
+        Map<String, Object> map = (Map<String, Object>) request.getAttribute(MARSHALLED_OBJECT);
+
+        if (map != null && map.get("providerData") != null) {
+            Map<String, String> providerData = (Map<String, String>) map.get("providerData");
+
+            String providerId = providerData.get("providerId");
+            if (Strings.hasText(providerId)) {
+                switch (providerId) {
+                    case "facebook": {
+                        String accessToken = providerData.get("accessToken");
+                        return Providers.FACEBOOK
+                                .account().setAccessToken(accessToken).build();
+                    }
+                    case "github": {
+                        String accessToken = githubAccessTokenResolver.get(request, null);
+                        return Providers.GITHUB
+                                .account().setAccessToken(accessToken).build();
+                    }
+                    case "google": {
+                        String code = providerData.get("code");
+                        return Providers.GOOGLE
+                                .account().setCode(code).build();
+                    }
+                    case "linkedin": {
+                        String code = providerData.get("code");
+                        return Providers.LINKEDIN
+                                .account().setCode(code).build();
+                    }
+                    case "twitter": {
+                        String code = providerData.get("accessToken");
+                        return Providers.TWITTER
+                                .account().setAccessToken(code).build();
+                    }
+                    default: {
+                        log.error("No provider configured for " + providerId);
+                        return null;
+                    }
+                }
+            }
+        }
+
+        log.debug("Provider data not found in request.");
+        return null;
+    }
+}

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/FormController.java

@@ -132,7 +132,10 @@ protected ViewModel doGet(HttpServletRequest request, HttpServletResponse respon
     @SuppressWarnings("unchecked")
     protected Map<String,?> createModel(HttpServletRequest request, HttpServletResponse response) {
         List<ErrorModel> errors = null;
-        if (request.getParameter("error") != null) {
+        // We need to look for error in queryString now that we moved SpringSecurity to in in front of us: https://github.com/stormpath/stormpath-sdk-java/issues/915
+        String queryString = request.getQueryString();
+        boolean requestContainsError = request.getParameter("error") != null || (queryString != null && queryString.contains("error"));
+        if (requestContainsError) {
             errors = new ArrayList<>();
             ErrorModel error = null;
             HttpSession session = request.getSession(false);

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/GithubAccessTokenResolver.java

@@ -0,0 +1,109 @@
+/*
+ * Copyright 2017 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.sdk.servlet.mvc;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.stormpath.sdk.application.Application;
+import com.stormpath.sdk.application.ApplicationAccountStoreMapping;
+import com.stormpath.sdk.directory.AccountStore;
+import com.stormpath.sdk.directory.AccountStoreVisitor;
+import com.stormpath.sdk.directory.AccountStoreVisitorAdapter;
+import com.stormpath.sdk.directory.Directory;
+import com.stormpath.sdk.impl.provider.DefaultGithubProvider;
+import com.stormpath.sdk.lang.Assert;
+import com.stormpath.sdk.servlet.application.ApplicationResolver;
+import com.stormpath.sdk.servlet.http.MediaType;
+import com.stormpath.sdk.servlet.http.Resolver;
+import org.apache.http.HttpResponse;
+import org.apache.http.NameValuePair;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.message.BasicNameValuePair;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * @since 1.3.0
+ */
+public class GithubAccessTokenResolver implements Resolver<String> {
+
+    private static final Logger log = LoggerFactory.getLogger(GithubAccessTokenResolver.class);
+    private static final String GITHUB_ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token";
+    private static final String GITHUB_ACCESS_TOKEN_FIELD = "access_token";
+
+    /**
+     * Obtains an access token from GitHub.
+     * @return a Github access token
+     */
+    @Override
+    public String get(HttpServletRequest request, HttpServletResponse response) {
+        final DefaultGithubProvider[] githubProvider = new DefaultGithubProvider[1];
+
+        Application application = ApplicationResolver.INSTANCE.getApplication(request);
+        for (ApplicationAccountStoreMapping mapping : application.getAccountStoreMappings()) {
+            AccountStore accountStore = mapping.getAccountStore();
+
+            AccountStoreVisitor accountStoreVisitor = new AccountStoreVisitorAdapter() {
+                @Override
+                public void visit(Directory directory) {
+                    if ("github".equals(directory.getProvider().getProviderId())) {
+                        githubProvider[0] = (DefaultGithubProvider) directory.getProvider();
+                    }
+                }
+            };
+            accountStore.accept(accountStoreVisitor);
+        }
+
+        Assert.notNull(githubProvider[0], "githubProvider cannot be null.");
+
+        HttpClient client = HttpClientBuilder.create().build();
+
+        try {
+            HttpPost httpPost = new HttpPost(GITHUB_ACCESS_TOKEN_URL);
+            List<NameValuePair> nvps = new ArrayList<>();
+            nvps.add(new BasicNameValuePair("code", getCode(request)));
+            nvps.add(new BasicNameValuePair("client_id", githubProvider[0].getClientId()));
+            nvps.add(new BasicNameValuePair("client_secret", githubProvider[0].getClientSecret()));
+
+            httpPost.setEntity(new UrlEncodedFormEntity(nvps, StandardCharsets.UTF_8.displayName()));
+            httpPost.addHeader("Accept", MediaType.APPLICATION_JSON_VALUE);
+
+            HttpResponse gitHubResponse = client.execute(httpPost);
+            ObjectMapper objectMapper = new ObjectMapper();
+
+            //noinspection unchecked
+            Map<String, String> result = objectMapper.readValue(gitHubResponse.getEntity().getContent(), Map.class);
+            return result.get(GITHUB_ACCESS_TOKEN_FIELD);
+        } catch (Exception e) {
+            log.error("Couldn't exchange GitHub oAuth code for an access token", e);
+            throw new RuntimeException(e);
+        }
+    }
+
+    @SuppressWarnings("unchecked")
+    private String getCode(HttpServletRequest request) throws IllegalArgumentException {
+        return request.getParameter("code");
+    }
+}

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/IdSiteLogoutController.java

@@ -21,6 +21,7 @@
 import com.stormpath.sdk.servlet.filter.ServerUriResolver;
 import com.stormpath.sdk.servlet.http.Resolver;
 import com.stormpath.sdk.servlet.idsite.IdSiteOrganizationContext;
+import com.stormpath.sdk.servlet.util.ServletUtils;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -73,7 +74,12 @@ public ViewModel handleRequest(HttpServletRequest request, HttpServletResponse r
         }
 
         //redirect to ID Site to perform the SSO logout to effectively log out the user across all applications:
-        return idSiteController.handleRequest(request, response);
+        ViewModel viewModel = idSiteController.handleRequest(request, response);
+        //Let's commit the response right away as sometimes IDSite's logout fails to be invoked on time before the login screen is re-loaded.
+        //When that happens, the logout does not take place either in IDSIte nor in our end since IDSIte will reply to the login request with
+        //an already authenticated response.That causes our integration to create a new cookie.
+        ServletUtils.issueRedirect(request, response, viewModel.getViewName(), null, true, true);
+        return null;
     }
 
     private static class LogoutIdSiteController extends IdSiteController {

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/JacksonFieldValueResolver.java

@@ -13,7 +13,7 @@
  */
 public class JacksonFieldValueResolver implements RequestFieldValueResolver {
 
-    protected static final String MARSHALLED_OBJECT = JacksonFieldValueResolver.class.getName() + ".MARSHALLED_OBJECT";
+    public static final String MARSHALLED_OBJECT = JacksonFieldValueResolver.class.getName() + ".MARSHALLED_OBJECT";
 
     ObjectMapper objectMapper = new ObjectMapper();