Add Saml2LogoutFilter

Author: jzheaux

docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc

@@ -1087,34 +1087,33 @@ RelyingPartyRegistrationRepository registrations() {
 @Bean
 SecurityFilterChain web(HttpSecurity http, RelyingPartyRegistrationRepository registrations) throws Exception {
 	RelyingPartyRegistrationResolver registrationResolver = new DefaultRelyingPartyRegistrationResolver(registrations);
+    LogoutHandler logoutHandler = logoutHandler(registrationResolver);
+    LogoutSuccessHandler successHandler = new SimpleUrlLogoutSuccessHandler();
 
     http
         .authorizeRequests((authorize) -> authorize
             .anyRequest().authenticated()
         )
         .saml2Login(withDefaults())
-        .logout((logout) -> logout.addLogoutHandler(logoutHandler(registrationResolver)))
-        .addFilterBefore(filter(registrationResolver), LogoutFilter.class)
-        .csrf((csrf) -> csrf.ignoringRequestMatchers(hasLogoutResponse("/logout", "POST")));
+        .addFilterBefore(new Saml2LogoutFilter(successHandler, logoutHandler), CsrfFilter.class)
+        .addFilterBefore(logoutRequestFilter(registrationResolver), LogoutFilter.class);
 
     return http.build();
 }
 
-private RequestMatcher hasLogoutResponse(String endpoint, String method) {
-	AntPathRequestMatcher logout = new AndPathRequestMatcher(endpoint, method);
-    return (request) -> logout.matches(request) && request.getParameter("SAMLResponse") != null;
-}
-
-private Filter filter(RelyingPartyRegistrationResolver registrationResolver) { <2>
+private Filter logoutRequestFilter(RelyingPartyRegistrationResolver registrationResolver) { <2>
     OpenSamlLogoutRequestResolver delegate = new OpenSamlLogoutRequestResolver(registrationResolver);
     Saml2LogoutRequestResolver logoutRequestResolver = (request, authentication) ->
             delegate.resolveLogoutRequest(request, authentication)
                     .logoutRequest((logoutRequest) -> logoutRequest.setIssueInstant(DateTime.now()));
-    return new Saml2RelyingPartyInitiatedLogoutFilter(logoutRequestResolver);
+    return new Saml2LogoutRequestFilter(logoutRequestResolver);
 }
 
 private LogoutHandler logoutHandler(RelyingPartyRegistrationResolver registrationResolver) { <3>
-    return new OpenSamlLogoutResponseHandler(relyingPartyRegistrationResolver);
+    return new CompositeLogoutHandler(
+    		new OpenSamlLogoutResponseHandler(relyingPartyRegistrationResolver),
+            new SecurityContextLogoutHandler(),
+            new LogoutSuccessEventPublishingLogoutHandler());
 }
 ----
 <1> - First, add your signing key to the `RelyingPartyRegistration` instance or to <<servlet-saml2login-rpr-duplicated,multiple instances>>
@@ -1156,36 +1155,32 @@ RelyingPartyRegistrationRepository registrations() {
 @Bean
 SecurityFilterChain web(HttpSecurity http, RelyingPartyRegistrationRepository registrations) throws Exception {
 	RelyingPartyRegistrationResolver registrationResolver = new DefaultRelyingPartyRegistrationResolver(registrations);
+    LogoutHandler logoutHandler = logoutHandler(registrationResolver);
+    LogoutSuccessHandler successHandler = logoutSuccessHandler(registrationResolver);
 
     http
         .authorizeRequests((authorize) -> authorize
             .anyRequest().authenticated()
         )
         .saml2Login(withDefaults())
-        .logout((logout) -> logout
-            .addLogoutHandler(logoutHandler(registrationResolver))
-            .logoutSuccessHandler(logoutSuccessHandler(registrationResolver))
-        )
-        .csrf((csrf) -> csrf.ignoringRequestMatchers(hasLogoutRequest("/logout", "POST")));
+        .addFilterBefore(new Saml2LogoutFilter(successHandler, logoutHandler), CsrfFilter.class);
 
     return http.build();
 }
 
-private RequestMatcher hasLogoutRequest(String endpoint, String method) {
-	AntPathRequestMatcher logout = new AndPathRequestMatcher(endpoint, method);
-    return (request) -> logout.matches(request) && request.getParameter("SAMLRequest") != null;
-}
-
 private LogoutHandler logoutHandler(RelyingPartyRegistrationResolver registrationResolver) { <2>
-    return new OpenSamlLogoutRequestHandler(relyingPartyRegistrationResolver);
+    return new CompositeLogoutHandler(
+    		new OpenSamlLogoutRequestHandler(relyingPartyRegistrationResolver),
+            new SecurityContextLogoutHandler(),
+            new LogoutSuccessEventPublishingLogoutHandler());
 }
 
 private LogoutSuccessHandler logoutSuccessHandler(RelyingPartyRegistrationResolver registrationResolver) { <3>
     OpenSamlLogoutResponseResolver delegate = new OpenSamlLogoutResponseResolver(registrationResolver);
     Saml2LogoutResponsetResolver logoutResponseResolver = (request, authentication) ->
             delegate.resolveLogoutResponse(request, authentication)
                     .logoutResponse((logoutResponse) -> logoutResponse.setIssueInstant(DateTime.now()));
-    return new Saml2AssertingPartyInitiatedLogoutSuccessHandler(logoutResponseResolver);
+    return new Saml2ResponseLogoutSuccessHandler(logoutResponseResolver);
 }
 ----
 <1> - First, add your signing key to the `RelyingPartyRegistration` instance or to <<servlet-saml2login-rpr-duplicated,multiple instances>>
@@ -1212,40 +1207,26 @@ In the event that you need to support both logout flows, you can combine the abo
 
 There are two default endpoints that Spring Security's SAML 2.0 Single Logout support exposes:
 * `/saml2/logout` - the endpoint for initiating single logout with an asserting party
-* `/logout` - the endpoint for receiving logout requests and responses from an asserting party
+* `/logout/saml2` - the endpoint for receiving logout requests and responses from an asserting party
 
 Because the user is already logged in, the `registrationId` is already known.
 For this reason, `+{registrationId}+` is not part of these URLs by default.
 
 The first URL is not customizable at this point since this is not a URL that gets configured with the asserting party.
 As such the need to customize this endpoint is minimal, though this can be added to the support down the road.
 
-The second URL is customizable through Spring Security's <<jc-logout,general-purpose logout support>>.
+The second URL is customizable in the `Saml2LogoutFilter`.
 
 For example, if you are migrating your existing relying party over to Spring Security, your asserting party may already be pointing to `GET /SLOService.saml2`.
 To reduce changes in configuration for the asserting party, you can configure `logout` in the DSL like so:
 
 [source,java]
 ----
+Saml2LogoutFilter filter = new Saml2LogoutFilter(logoutSuccessHandler, logoutHandler);
+filter.setLogoutRequestMatcher(new AntPathRequestMatcher("/SLOService.saml2", "GET"));
 http
     // ...
-    .logout((logout) -> logout
-        .logoutRequestMatcher(new AntPathRequestMatcher("/SLOService.saml2", "POST"))
-        // add logout handlers
-    );
-----
-
-In redirect circumstances it's important to maintain your defense mechanisms for CSRF Logout.
-You can configure your SAML 2.0 logout as a GET by only matching when there is a `SAMLRequest` (or `SAMLResponse`) present, like so:
-
-[source,java]
-----
-http
-    // ...
-    .logout((logout) -> logout
-        .logoutRequestMatcher(hasLogoutRequest("/SLOService.saml2", "GET"))
-        // add logout handlers
-    );
+    .addFilterBefore(filter, CsrfFilter.class);
 ----
 
 === Customizing `<saml2:LogoutRequest>` Resolution

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java

@@ -1004,9 +1004,9 @@ public static final class Builder {
 
 		private Saml2MessageBinding assertionConsumerServiceBinding = Saml2MessageBinding.POST;
 
-		private String singleLogoutServiceLocation = "{baseUrl}/logout";
+		private String singleLogoutServiceLocation = "{baseUrl}/logout/saml2";
 
-		private String singleLogoutServiceResponseLocation = "{baseUrl}/logout";
+		private String singleLogoutServiceResponseLocation = "{baseUrl}/logout/saml2";
 
 		private Saml2MessageBinding singleLogoutServiceBinding = Saml2MessageBinding.POST;
 

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutFilter.java

@@ -0,0 +1,91 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.web.authentication.logout;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.logout.CompositeLogoutHandler;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.Assert;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+/**
+ * A filter for handling logout requests in the form of a <saml2:LogoutRequest> or a
+ * <saml2:LogoutResponse>.
+ *
+ * @author Josh Cummings
+ * @since 5.5
+ */
+public class Saml2LogoutFilter extends OncePerRequestFilter {
+
+	private static final String DEFAULT_LOGOUT_ENDPOINT = "/logout/saml2";
+
+	private RequestMatcher logoutRequestMatcher = new AntPathRequestMatcher(DEFAULT_LOGOUT_ENDPOINT);
+
+	private final LogoutHandler logoutHandler;
+
+	private final LogoutSuccessHandler logoutSuccessHandler;
+
+	public Saml2LogoutFilter(LogoutSuccessHandler logoutSuccessHandler, LogoutHandler... logoutHandler) {
+		this.logoutSuccessHandler = logoutSuccessHandler;
+		this.logoutHandler = new CompositeLogoutHandler(logoutHandler);
+	}
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+			throws ServletException, IOException {
+
+		if (!this.logoutRequestMatcher.matches(request)) {
+			chain.doFilter(request, response);
+			return;
+		}
+
+		if (!hasSamlRequestOrResponse(request)) {
+			chain.doFilter(request, response);
+			return;
+		}
+
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		if (authentication == null) {
+			chain.doFilter(request, response);
+			return;
+		}
+
+		this.logoutHandler.logout(request, response, authentication);
+		this.logoutSuccessHandler.onLogoutSuccess(request, response, authentication);
+	}
+
+	public void setLogoutRequestMatcher(RequestMatcher logoutRequestMatcher) {
+		Assert.notNull(logoutRequestMatcher, "logoutRequestMatcher cannot be null");
+		this.logoutRequestMatcher = logoutRequestMatcher;
+	}
+
+	private boolean hasSamlRequestOrResponse(HttpServletRequest request) {
+		return request.getParameter("SAMLRequest") != null || request.getParameter("SAMLResponse") != null;
+	}
+
+}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2RelyingPartyInitiatedLogoutFilter.java renamed to saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutRequestFilter.java

@@ -50,7 +50,7 @@
  * @author Josh Cummings
  * @since 5.5
  */
-public final class Saml2RelyingPartyInitiatedLogoutFilter extends OncePerRequestFilter {
+public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
 
 	private RequestMatcher logoutRequestMatcher = new AntPathRequestMatcher("/saml2/logout", "POST");
 
@@ -59,11 +59,10 @@ public final class Saml2RelyingPartyInitiatedLogoutFilter extends OncePerRequest
 	private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
 
 	/**
-	 * Constructs a {@link Saml2RelyingPartyInitiatedLogoutFilter} with the provided
-	 * parameters
+	 * Constructs a {@link Saml2LogoutRequestFilter} with the provided parameters
 	 * @param logoutRequestResolver the {@link Saml2LogoutRequestResolver} to use
 	 */
-	public Saml2RelyingPartyInitiatedLogoutFilter(Saml2LogoutRequestResolver logoutRequestResolver) {
+	public Saml2LogoutRequestFilter(Saml2LogoutRequestResolver logoutRequestResolver) {
 		Assert.notNull(logoutRequestResolver, "logoutRequestResolver cannot be null");
 		this.logoutRequestResolver = logoutRequestResolver;
 	}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2AssertingPartyInitiatedLogoutSuccessHandler.java renamed to saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2ResponseLogoutSuccessHandler.java

@@ -43,18 +43,18 @@
  * @author Josh Cummings
  * @since 5.5
  */
-public final class Saml2AssertingPartyInitiatedLogoutSuccessHandler implements LogoutSuccessHandler {
+public final class Saml2ResponseLogoutSuccessHandler implements LogoutSuccessHandler {
 
 	private final Saml2LogoutResponseResolver logoutResponseResolver;
 
 	private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
 
 	/**
-	 * Constructs a {@link Saml2AssertingPartyInitiatedLogoutSuccessHandler} using the
-	 * provided parameters
+	 * Constructs a {@link Saml2ResponseLogoutSuccessHandler} using the provided
+	 * parameters
 	 * @param logoutResponseResolver the {@link Saml2LogoutResponseResolver} to use
 	 */
-	public Saml2AssertingPartyInitiatedLogoutSuccessHandler(Saml2LogoutResponseResolver logoutResponseResolver) {
+	public Saml2ResponseLogoutSuccessHandler(Saml2LogoutResponseResolver logoutResponseResolver) {
 		this.logoutResponseResolver = logoutResponseResolver;
 	}
 

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/DefaultRelyingPartyRegistrationResolverTests.java

@@ -52,8 +52,8 @@ public void resolveWhenRequestContainsRegistrationIdThenResolves() {
 				.isEqualTo("http://localhost/saml2/service-provider-metadata/" + this.registration.getRegistrationId());
 		assertThat(registration.getAssertionConsumerServiceLocation())
 				.isEqualTo("http://localhost/login/saml2/sso/" + this.registration.getRegistrationId());
-		assertThat(registration.getSingleLogoutServiceLocation()).isEqualTo("http://localhost/logout");
-		assertThat(registration.getSingleLogoutServiceResponseLocation()).isEqualTo("http://localhost/logout");
+		assertThat(registration.getSingleLogoutServiceLocation()).isEqualTo("http://localhost/logout/saml2");
+		assertThat(registration.getSingleLogoutServiceResponseLocation()).isEqualTo("http://localhost/logout/saml2");
 	}
 
 	@Test