Merge pull request #60 from xdev-software/develop

Release

Author: AB-xdev

CHANGELOG.md

@@ -1,16 +1,20 @@
+# 1.0.4
+* OAuth2-OIDC
+    * ``DefaultDeAuthApplier``: Use already present request/response if possible
+
 # 1.0.3
 * Vaadin
     * Fix ``VaadinOAuth2RefreshReloadCommunicator`` not always setting status code ``401`` (which causes ``xhrAdapter.js`` to ignore the response)
         * This should only affect applications with anonymous auth enabled
 * OAuth2-OIDC
     * Do not register ``OAuth2RefreshFilter`` twice
-    * DeAuth
+    * DeAuth JS-556
         * Apply correctly
         * Make it possible to customize application
 
 # 1.0.2
 * Vaadin
-    * ``XHRReloadVaadinServiceInitListener``
+    * ``XHRReloadVaadinServiceInitListener`` #45
         * Improved performance by not building element every request and cloning it instead
         * If an error occurs while the script is added to the document the error is now logged (once at WARN; all subsequent ones at DEBUG)
 

oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/deauth/DefaultDeAuthApplier.java

@@ -19,9 +19,12 @@
 
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -32,14 +35,46 @@ public class DefaultDeAuthApplier implements DeAuthApplier
 	@Override
 	public void deAuth(final ServletRequest request, final ServletResponse response, final Authentication auth)
 	{
+		// Ensure that current authentification is no longer usable
+		// Better crash the application than allow unauthorized access
 		SecurityContextHolder.getContext().setAuthentication(null);
 
-		Optional.ofNullable(RequestContextHolder.getRequestAttributes())
-			.filter(ServletRequestAttributes.class::isInstance)
-			.map(ServletRequestAttributes.class::cast)
-			.ifPresent(a -> new SecurityContextLogoutHandler().logout(
-				a.getRequest(),
-				a.getResponse(),
-				auth));
+		// Find corresponding request and response
+		HttpServletRequest httpServletRequest = request instanceof final HttpServletRequest r ? r : null;
+		HttpServletResponse httpServletResponse = response instanceof final HttpServletResponse r ? r : null;
+		
+		if(httpServletRequest == null || httpServletResponse == null)
+		{
+			// Fallback: Use RequestContextHolder
+			final Optional<ServletRequestAttributes> optServletRequestAttributes =
+				Optional.ofNullable(RequestContextHolder.getRequestAttributes())
+					.filter(ServletRequestAttributes.class::isInstance)
+					.map(ServletRequestAttributes.class::cast);
+			if(optServletRequestAttributes.isPresent())
+			{
+				final ServletRequestAttributes servletRequestAttributes = optServletRequestAttributes.get();
+				if(httpServletRequest == null)
+				{
+					httpServletRequest = servletRequestAttributes.getRequest();
+				}
+				if(httpServletResponse == null)
+				{
+					httpServletResponse = servletRequestAttributes.getResponse();
+				}
+			}
+		}
+		
+		// Execute logout
+		// https://docs.spring.io/spring-security/reference/servlet/authentication/logout.html#creating-custom-logout-endpoint
+		// This will invalidate the session and definitely kill the authentication
+		if(httpServletRequest != null)
+		{
+			this.getLogoutHandler().logout(httpServletRequest, httpServletResponse, auth);
+		}
+	}
+	
+	protected LogoutHandler getLogoutHandler()
+	{
+		return new SecurityContextLogoutHandler();
 	}
 }