Refactored out Servlet dependencies from core and toolkit #395
Conversation
| delegate.getSession().invalidate(); | ||
| } | ||
|
|
||
| public static HttpRequest makeHttpRequest(HttpServletRequest delegate) { |
There was a problem hiding this comment.
I'm not even sure this static method is really needed, I mean is this really any better than new JakartaSamlHttpRequest(delegate)?
| delegate.sendRedirect(location); | ||
| } | ||
|
|
||
| public static HttpResponse makeHttpResponse(HttpServletResponse delegate) { |
There was a problem hiding this comment.
I'm not even sure this static method is really needed, I mean is this really any better than new JakartaSamlHttpResponse(delegate)?
| public final class HttpRequest { | ||
|
|
||
| public static final Map<String, List<String>> EMPTY_PARAMETERS = Collections.<String, List<String>>emptyMap(); | ||
| public interface HttpRequest { |
There was a problem hiding this comment.
I'm OK calling this interface SamlHttpRequest or OneLoginSamlHttpRequest if the existing name is too generic.
Three implementors in this PR:
| * | ||
| * @since 3.0.0 | ||
| */ | ||
| public interface HttpResponse { |
There was a problem hiding this comment.
I'm OK calling this interface SamlHttpResponse or OneLoginSamlHttpResponse if the existing name is too generic.
Two implementors in this PR:
markkolich
force-pushed
the
master
branch
8 times, most recently
from
22c228f
to
fbfe69b
Compare
|
Thanks @markkolich for this PR. Let's see what rest of the people think about it. @veselov, @mauromol, @jeroenvs, @lounagen, @krzysztof-osiecki , @dsvensson, @josemgut, @bramhaag, @fanste |
|
This works for me. Thank you @markkolich! |
|
This would also work for me. Thank you! |
|
Thats seems to be the best solution instead of using the "transformer hack". Thanks for your work, @markkolich. |
|
This is also good for me. I'm not able to test it inmediatelly, but in two weeks we will apply it and it will work for sure. Thanks a lot. |
|
I had a quick look at the commit and I would say this is exactly what I had in mind in #349 (comment). So, good job @markkolich Just my 2 cents: maybe the |
|
@mauromol fair point on request.getSession().invalidate();Happy to change that to: HttpSession session = delegate.getSession(false);
if (session != null) {
session.invalidate();
} |
markkolich
force-pushed
the
master
branch
2 times, most recently
from
d5dbbde
to
0c8040f
Compare
|
will this be merged anytime soon ? |
|
@markkolich |
|
Nice find @ardeleana - I have fixed the bug in this PR and have updated the unit tests accordingly. Thank you! @pitbulk there were also a bunch of |
|
@pitbulk I welcome the thoughts of others from the community on this, but my 2-cents ... This PR is very intentionally not backwards compatible with the previous versions of I don't think changing the signature of the That said though, perhaps what's missing in this PR is some documentation changes and example code to explain or clarify the upgrade path? For instance, in your JSP example, this: <%@page import="com.onelogin.saml2.Auth"%>
<?
Auth auth = new Auth(request, response);
?>Would become this (please excuse the wildcard imports): <%@page import="com.onelogin.saml2.Auth"%>
<%@page import="com.onelogin.saml2.http.*"%>
<%@page import="com.onelogin.saml2.servlet.javax.*"%>
<?
HttpRequest samlRequest = JavaxSamlHttpRequest.makeHttpRequest(request);
HttpResponse samlResponse = JavaxSamlHttpResponse.makeHttpResponse(response);
Auth auth = new Auth(samlRequest, samlResponse);
?>Everything else remains the same. I'm happy to help out with correcting or beefing up the documentation, either as a commit in this PR or as a separate fast-follow PR. Let me know what you all think! |
|
Alternative idea: what about keeping existing Auth signature as before, introducing a JakartaAuth that uses the new Jakarta interfaces and then making both delegate to a new AuthImpl class that instead uses HttpRequest and HttpResponse and does the real job? |
|
@markkolich , what do you think about @mauromol's suggestion? |
|
@pitbulk @mauromol I think that's a reasonable suggestion! In the JSP example, you'd still have to change some imports, so the library upgrade wouldn't be a seamless drop in replacement but maybe less invasive of a change? With this proposal, consider <%@page import="com.onelogin.saml2.Auth"%>
<%@page import="com.onelogin.saml2.servlet.jakarka.JakartaSamlAuth"%>
<?
Auth auth = new JakartaSamlAuth(request, response);
?>In other words, the user would still have to make some code or JSP change to support this new version. It wouldn't be completely free. I, for one, don't think we should be optimizing the path forward for antiquated JSP use-cases but I am acutely aware of the general concern around backwards compatibility and want to respectful of that when it's reasonable to do so. If you agree that a |
|
What I had in mind was a bit different and (unless I'm missing something - I didn't investigate further) should be 100% API and binary compatible for legacy consuming applications.
In this way, code that uses the old The only thing that would still need a bit of thought is about Java 9 modules, if the toolkit wants to support them: in fact, in the above scenario the package |
|
Perfect is the enemy of good, how about tolerating the API breakage, and revisiting this in release+1? Just communicate it in the release notes. |
|
If you break the API now you can't recover in release+1... Anyway, mine were just suggestions, I'm not leading this project. |
|
Sure you can. Might be confusing with a one-off, but as long as it's communicated I doubt it would cause any real harm. Can just spam out some major version bumps to signal it clearly - they're just numbers, nothing sacred about them. Sure, a bit ugly, but as is the unreleased situation. |
|
I'll take a look at @mauromol's suggestions and see if it's something I can implement later this week. |
|
@markkolich that's great. Next week I took vacation so I will have time to complete, review and publish. |
- Adding JakartaSamlAuth and JavaxSamlAuth which both extend BaseAuth
|
@mauromol I've been tinkering with the changes you suggested above. I think I understand what you're suggesting, and now that it's implemented the Before: <%@page import="com.onelogin.saml2.Auth"%>
<?
Auth auth = new Auth(request, response);
?>After, with the <%@page import="com.onelogin.saml2.BaseAuth"%>
<%@page import="com.onelogin.saml2.servlet.jakarka.JakartaSamlAuth"%>
<?
BaseAuth auth = new JakartaSamlAuth(request, response);
?>To gently reiterate, this is not a drop-in and make-no-changes to your JSPs backwards compatible change. Users will have to change imports and rename I've pushed the suggested changes to this PR as a separate commit - I can squash if this looks good. |
|
I just would like to specify that I'm not a maintainer of this project and I cannot merge. Some years ago I would have needed java-saml to be enhanced to properly support Italian SPID system, I've submitted some PRs, most of which have been merged, a couple of them are still there and one was never opened. Unfortunately, OneLogin lost interest in this project, Sixto changed his job, the new maintainers were absent, I even applied myself after being suggested by one of them, but things went in a different way. Probably this project should have been forked at that time, but I didn't have the necessary experience to do that. Now Sixto has come back as an independent maintainer, but it's clear that it is very low priority for him. I myself have changed job and I'm not into SAML and SPID any more, the latter now being pushed towards a migration to OpenID Connect, by the way (if it doesn't get dismissed before). Here I just tried to give my suggestions on how to implement this based on what I know about Sixto point of view, and what I would have done myself. I still believe a solution which does not require any code change for old code should be possible, but I also think that small adjustments could probably be made by Sixto himself if he's willing to. So, if I were you, I would seriously consider to fork this project and push the necessary changes the way you prefer. |
|
It is not a matter of low priority, I'm sorry about the big delay I gave to this project. As people may know, I maintain in my spare time not only java-saml, but php-saml, ruby-saml and python3-saml. And at the end of the day, it is a matter of time. I had in mind to push this project in December, but sadly I have had not the chance to do it yet. |
|
You can probably spot 1-2 people in this thread who you can give merge access to to get the ball rolling. No harm in merging and then iterating, throw out a rc and get heated feedback. |
|
@pitbulk Perhaps a bit to subtle given the lack of reply, but scrolling up here both @haavar (who mentioned being open to maintaining a fork) and @markkolich both sound like potential co-maintainers? |
|
@pitbulk Need this dependency for Waiting this to be merged. |
|
@markkolich coul you folllow up with comments so this PR can be merge? |
|
@jacqueskpoty no, I am not a maintainer of this library ... I have no merge permissions, I'm just a contributor who opened this PR. Please followup with @pitbulk. |
|
@pitbulk Is this PR going to be merged any time soon? |
There was a problem hiding this comment.
Can we completely remove the HttpRequest from core? I don't think it's too much to ask that the user extract the parameters and pass it to the library. That seems easier than for the user to understand how to configure the library for their version of the servlet API.
|
|
||
| import org.apache.commons.lang3.StringUtils; | ||
|
|
||
| public class HttpRequestUtils { |
There was a problem hiding this comment.
I don't see this class used anywhere in core. It should either be moved or removed.
There was a problem hiding this comment.
It's used in toolkit but not core.
However, I kept the utils in core so that they stay near the HttpRequest and HttpResponse interfaces given the close relationship between these classes and their usage:
| import java.util.HashMap; | ||
| import java.util.Map; | ||
|
|
||
| public class HttpResponseUtils { |
There was a problem hiding this comment.
I don't see this class used anywhere in core. It should either be moved or removed.
| @@ -625,7 +625,7 @@ public String login(String relayState, AuthnRequestParams authnRequestParams, Bo | |||
| parameters.put("SAMLRequest", samlRequest); | |||
|
|
|||
| if (relayState == null) { | |||
| relayState = ServletUtils.getSelfRoutedURLNoQuery(request); | |||
| relayState = HttpRequestUtils.getSelfRoutedURLNoQuery(request); | |||
| } | |||
There was a problem hiding this comment.
@haavar The HttpRequestUtils class is being used here and is heavily used throughout this BaseAuth class.
@haavar I disagree, but feel free to send a PR to my fork (e.g., markkolich#1) with your proposed changes and we can review+discuss. |
Another proposed solution for #349 and #115.
servlet-jakartaandservlet-javaxwhich provide differing implementations of the coreHttpRequestandHttpResponseinterfaces depending on the servlet container implementation where the library is consumedcoreandtoolkitcodecoreandtoolkit3.0.0With this change, if you're on a container pre-EE9, then you declare a dependency on:
If you're on an EE9 or later container, then you declare a dependency on:
Of course, this PR also opens the door to non-servlet container implementations, meaning someone in Akka, Play, etc. could use this library as well as long as they provide their own
HttpRequestandHttpResponseimplementation. The servlet API dependency incoreandtoolkithas been completely removed.Usage on pre-EE9 containers look like this:
EE9 and later usage looks like this: