From: Ray Lee
Date: Mon, 25 Sep 2023 15:50:57 +0000 (-0400)
Subject: Add SAML providers to CORS allowed hosts for logout. (#368)
X-Git-Url: https://git.aero2k.de/?a=commitdiff_plain;h=b1b5fb06220dc5adcc9b0ff53f1b71a5e266e2a2;p=tmp%2Fjakarta-migration.git

Add SAML providers to CORS allowed hosts for logout. (#368)
---

diff --git a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
index 569f9f5eb..01d1fbe8b 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
@@ -162,7 +162,7 @@ public class SecurityConfig {
 // Read explicitly configured allowed origins from service config.
-List allowedOrigins = ConfigUtils.getCorsAllowedOrigins(serviceConfig);
+List allowedOrigins = new ArrayList(ConfigUtils.getCorsAllowedOrigins(serviceConfig));
 // Automatically add UI locations as allowed origins.
@@ -261,6 +261,8 @@ public class SecurityConfig {
 Map corsConfigurations = new LinkedHashMap<>();
 if (relyingPartiesConfig != null) {
+List providerOrigins = new ArrayList<>();
+
 for (final SAMLRelyingPartyType relyingPartyConfig : relyingPartiesConfig) {
 String id = relyingPartyConfig.getId();
 RelyingPartyRegistration registration = relyingPartyRegistrationRepository.findByRegistrationId(id);
@@ -281,6 +283,8 @@ public class SecurityConfig {
 String responseUrl = "/login/saml2/sso/" + id;
 String providerOrigin = providerUrl.getProtocol() + "://" + providerUrl.getAuthority();
+providerOrigins.add(providerOrigin);
+
 configuration.setAllowedOrigins(allowedOrigins);
 configuration.addAllowedOrigin(providerOrigin);
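Review bot: `providerOrigins` in the `@@ -261` hunk is a `List`, so when two relying parties point at the same identity provider the origin computed in the `@@ -281` hunk is appended twice and the logout configuration later built from it receives duplicate `addAllowedOrigin` calls; matching still works, but the configuration carries redundant entries. Declaring it as an ordered set keeps insertion order and drops the duplicates: `Set<String> providerOrigins = new LinkedHashSet<>();` (the `java.util.Set` and `java.util.LinkedHashSet` imports live outside the hunk). The method enclosing this loop starts outside the hunk, so whether `providerOrigins` is consulted anywhere else cannot be confirmed from here.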
@@ -295,6 +299,27 @@ public class SecurityConfig {
 corsConfigurations.put(responseUrl, configuration);
 }
 }
+
+if (ConfigUtils.isSAMLSingleLogoutEnabled(serviceConfig)) {
+CorsConfiguration configuration = new CorsConfiguration();
+String responseUrl = "/logout/saml2/sso";
+
+configuration.setAllowedOrigins(allowedOrigins);
+
+for (String providerOrigin : providerOrigins) {
+configuration.addAllowedOrigin(providerOrigin);
+}
+
+if (maxAge != null) {
+configuration.setMaxAge(maxAge);
+}
+
+configuration.setAllowedMethods(Arrays.asList(
+HttpMethod.POST.toString()
+));
+
+corsConfigurations.put(responseUrl, configuration);
+}
 }
 return corsConfigurations;
diff --git a/services/config/src/main/java/org/collectionspace/services/common/config/ConfigUtils.java b/services/config/src/main/java/org/collectionspace/services/common/config/ConfigUtils.java
index 121b426d6..8e4c848bb 100644
--- a/services/config/src/main/java/org/collectionspace/services/common/config/ConfigUtils.java
+++ b/services/config/src/main/java/org/collectionspace/services/common/config/ConfigUtils.java
@@ -187,6 +187,16 @@ public class ConfigUtils {
 return null;
 }
+public static boolean isSAMLSingleLogoutEnabled(ServiceConfig serviceConfig) {
+SAMLType saml = getSAML(serviceConfig);
+
+if (saml != null) {
+return (saml.getSingleLogout() != null);
+}
+
+return false;
+}
+
 public static List getSAMLRelyingPartyRegistrations(ServiceConfig serviceConfig) {
 SAMLType saml = getSAML(serviceConfig);
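Review bot: The new `/logout/saml2/sso` block (the added lines after the two closing braces at the start of the hunk) gives no reason why the single-logout endpoint must accept cross-origin POSTs from every provider collected in `providerOrigins`, whereas each login endpoint is limited to its own provider; a later maintainer cannot tell whether that breadth is required or accidental. A comment above the added `if` would capture it, e.g. `// The SLO endpoint is shared by all relying parties, so it must accept logout messages posted from any registered provider origin.` (wording to be confirmed, since the intent is inferred from the code). The block also repeats the setAllowedOrigins / maxAge / setAllowedMethods sequence that the per-registration configuration appears to use; a private helper building a `CorsConfiguration` from an origin list and `maxAge` would keep the two paths in step, though the per-registration lines fall between this hunk and the previous one and are not visible here. `allowedOrigins` and `maxAge` are declared outside the hunk.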
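Review bot: `isSAMLSingleLogoutEnabled` returns true on the mere presence of a single-logout entry (`getSingleLogout()` non-null) without inspecting anything inside it, and carries no Javadoc saying so; callers such as the new logout CORS block in SecurityConfig will read "enabled" as a stronger guarantee than presence. Suggest a Javadoc above the method: `/** Returns true when the SAML section of the service config contains a single-logout entry; the entry's contents are not inspected. */`. The body can also collapse to `return saml != null && saml.getSingleLogout() != null;`, which reads the same as the `if` and drops the redundant parentheses around the return expression. The following method, `getSAMLRelyingPartyRegistrations`, continues outside the hunk.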