1 package org.collectionspace.authentication.spring;
2
3 import java.util.Set;
4
5 import javax.servlet.http.HttpServletRequest;
6 import javax.servlet.http.HttpServletResponse;
7
8 import org.slf4j.Logger;
9 import org.slf4j.LoggerFactory;
10 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
11
12 /**
13  * A LogoutSuccessHandler that reads the post-logout redirect URL from a parameter in the logout
14  * request. As an anti-phishing security measure, the URL is checked against a list of permitted
15  * redirect URLs (originating from tenant binding configuration or OAuth client configuration).
16  */
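public class CSpaceLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
  private static final Logger logger = LoggerFactory.getLogger(CSpaceLogoutSuccessHandler.class);

  /** Name of the logout request parameter that carries the requested post-logout redirect URL. */
  public static final String REDIRECT_PARAMETER_NAME = "redirect";

  /**
   * Allowlist of redirect URLs. Matching is an exact string comparison with no normalization, so a
   * requested URL must equal a configured entry character-for-character to be honored (a trailing
   * slash or a different case counts as a different URL). The set is held by reference, not
   * copied; callers should not modify it after construction.
   */
  private final Set<String> permittedRedirectUris;

  /**
   * @param defaultTargetUrl the URL used when the logout request carries no permitted redirect
   *     parameter; passed through to {@link #setDefaultTargetUrl(String)}
   * @param permittedRedirectUris the allowlist of redirect URLs that may be honored
   * @throws NullPointerException if {@code permittedRedirectUris} is {@code null}
   */
  public CSpaceLogoutSuccessHandler(String defaultTargetUrl, Set<String> permittedRedirectUris) {
    super();

    if (permittedRedirectUris == null) {
      // Fail fast here instead of at the first logout request that carries a redirect parameter.
      throw new NullPointerException("permittedRedirectUris");
    }

    this.setDefaultTargetUrl(defaultTargetUrl);
    this.permittedRedirectUris = permittedRedirectUris;
  }

  /**
   * Returns the value of the redirect parameter when it is present and on the allowlist;
   * otherwise returns the superclass's target URL (the configured default). A value that is
   * present but not permitted is logged at WARN and ignored, so logout still completes rather
   * than failing. The logged value is request-controlled, so it is passed as a log argument
   * rather than concatenated into the message.
   *
   * @param request the logout request
   * @param response the response being prepared
   * @return the URL to redirect to after logout
   */
  @Override
  protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
    String redirectUrl = request.getParameter(REDIRECT_PARAMETER_NAME);

    if (redirectUrl == null) {
      return super.determineTargetUrl(request, response);
    }

    if (!isPermitted(redirectUrl)) {
      // Never redirect to an unlisted URL; fall back to the configured default instead.
      logger.warn("Logout redirect url not permitted: {}", redirectUrl);
      return super.determineTargetUrl(request, response);
    }

    return redirectUrl;
  }

  /**
   * Exact-match check against the allowlist. No URL parsing or normalization is applied, which
   * keeps the comparison strict: only a configured string is ever accepted.
   *
   * @param redirectUrl the requested redirect URL (non-null)
   * @return {@code true} if the URL is exactly one of the permitted entries
   */
  private boolean isPermitted(String redirectUrl) {
    return permittedRedirectUris.contains(redirectUrl);
  }
}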