Send saml logout response even when validation errors happen #14676
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
|
Thanks for the PR, @1livv. This is going to take a little bit more work to maintain backward compatibility and also ensure that the APIs progress naturally. I'll get back to you soon with recommendations. |
| * The saml logout request failed validation | ||
| * @since 6.3 | ||
| */ | ||
| public static final String INVALID_LOGOUT_REQUEST = "invalid_logout_request"; |
There was a problem hiding this comment.
Let's please reuse INVALID_REQUEST
| * The saml logout response could not be generated | ||
| * @since 6.3 | ||
| */ | ||
| public static final String FAILED_TO_GENERATE_LOGOUT_RESPONSE = "failed_to_generate_logout_response"; |
There was a problem hiding this comment.
Please reuse INVALID_RESPONSE
| * The saml response or logout request was delivered via an invalid binding | ||
| * @since 6.3 | ||
| */ | ||
| public static final String INVALID_BINDING = "invalid_binding"; |
There was a problem hiding this comment.
Please reuse INVALID_REQUEST
| } | ||
| } | ||
|
|
||
| public void setLogoutRequestMatcher(RequestMatcher logoutRequestMatcher) { |
There was a problem hiding this comment.
See if you can avoid moving these, so that it's easier to identify the changes to fix the bug.
| * processed | ||
| * @return a signed and serialized SAML 2.0 Logout Response | ||
| */ | ||
| Saml2LogoutResponse resolve(HttpServletRequest request, Authentication authentication, |
There was a problem hiding this comment.
Please make this a default method so as to remain backward compatible. Given your implementation, I think returning null as a default would work.
| @@ -371,7 +371,7 @@ public void saml2LogoutRequestWhenLowercaseEncodingAndDifferentQueryParamOrderTh | |||
| } | |||
|
|
|||
| @Test | |||
| public void saml2LogoutRequestWhenNoRegistrationThen400() throws Exception { | |||
| public void saml2LogoutRequestWhenNoRegistrationThen401() throws Exception { | |||
There was a problem hiding this comment.
I'm not understanding the logic of this change. Can you please elaborate? Ideally, we leave tests as they are unless it is a bug.
| * The RP registration does not have configured a logout request endpoint | ||
| * @since 6.3 | ||
| */ | ||
| public static final String MISSING_LOGOUT_REQUEST_ENDPOINT = "missing_logout_request_endpoint"; |
There was a problem hiding this comment.
Let's please do something more like SERVER_ERROR.
| Saml2LogoutResponse errorLogoutResponse = this.logoutResponseResolver.resolve(request, authentication, ex); | ||
| if (errorLogoutResponse == null) { | ||
| this.logger.trace("Returning error since no error logout response could be generated", ex); | ||
| response.sendError(HttpServletResponse.SC_UNAUTHORIZED); |
There was a problem hiding this comment.
Please have this include the error message from the exception so that it gives the same information that this did
| verifyNoInteractions(getBean(LogoutHandler.class)); | ||
| } | ||
|
|
||
| @Test | ||
| public void saml2LogoutRequestWhenInvalidSamlRequestThen401() throws Exception { | ||
| public void saml2LogoutRequestWhenInvalidSamlRequestThen302Redirect() throws Exception { |
There was a problem hiding this comment.
Thank you, this makes sense to change this test since it is what the bug is about
jzheaux
added
status: waiting-for-feedback
|
Hi, @1livv, are you able to make the requested changes? |
|
Hey @jzheaux this slipped off my radar, i'll take a look in the next days. |
spring-projects-issues
added
status: feedback-provided
solves #14635