Fix logoutRequestRepository not set on Saml2RelyingPartyInitiatedLogoutSuccessHandler #16093

Open
wants to merge 1 commit into
base: main

sawprogramming

When using XML to configure Spring Security for SAML, the logoutRequestRepository is not set on the Saml2RelyingPartyInitiatedLogoutSuccessHandler like it should be. See how it is properly set using the Java DSL:

```java
private Saml2RelyingPartyInitiatedLogoutFilter createRelyingPartyLogoutFilter(
		RelyingPartyRegistrationRepository registrations) {
	LogoutHandler[] logoutHandlers = this.logoutHandlers.toArray(new LogoutHandler[0]);
	Saml2RelyingPartyInitiatedLogoutSuccessHandler logoutRequestSuccessHandler = createSaml2LogoutRequestSuccessHandler(
			registrations);
	logoutRequestSuccessHandler.setLogoutRequestRepository(this.logoutRequestConfigurer.logoutRequestRepository);
	Saml2RelyingPartyInitiatedLogoutFilter logoutFilter = new Saml2RelyingPartyInitiatedLogoutFilter(
			logoutRequestSuccessHandler, logoutHandlers);
	logoutFilter.setLogoutRequestMatcher(createLogoutMatcher());
	return postProcess(logoutFilter);
}
```

Without this fix, SAML configurations that use custom logout request repositories do not work for RP-initiated logouts.

@pivotal-cla

@sawprogramming Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@pivotal-cla

@sawprogramming Thank you for signing the Contributor License Agreement!

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 14, 2024
@jzheaux
Contributor

jzheaux commented Nov 20, 2024

Thank you, @sawprogramming, for catching this. This seems to be a bug and so I'd like to apply it first to 6.2.x. Are you able to rebase your branch with 6.2.x?

Also, are you able to add a test to Saml2LogoutBeanDefinitionParserTests, like this one in the related Java Config commit?

I can also help with either or both, so please feel free to ask.

Finally, would you also change the commit title to resemble the one from that commit? You might do:

Set LogoutRequestRepository on Saml2 LogoutSuccessHandler in XML

Closes gh-16093

@jzheaux jzheaux self-assigned this Nov 20, 2024
@jzheaux jzheaux added in: config An issue in spring-security-config type: bug A general bug in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 20, 2024
@jzheaux jzheaux added this to the 6.2.x milestone Nov 20, 2024