Fix #25862: allow using SpEL in openid.logout-url

This is useful to provide the `id_token_hint` parameter.

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/auth/IAuthenticationBackend.java

@@ -27,6 +27,8 @@
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.AuthorizedUrl;
 
 import eu.openanalytics.containerproxy.model.spec.ContainerSpec;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
 
 public interface IAuthenticationBackend {
 
@@ -39,7 +41,7 @@ public interface IAuthenticationBackend {
 	 * Return true if this authentication backend supports authorization.
 	 * In this context, authorization means the separation of permission levels
 	 * via groups.
-	 * 
+	 *
 	 * If there is no authorization, all users have the same (administrator) permissions.
 	 */
 	public boolean hasAuthorization();
@@ -70,5 +72,10 @@ public default void customizeContainer(ContainerSpec spec) {
 	public default void customizeContainerEnv(Map<String, String> env) {
 		// Default: do nothing.
 	}
-	
+
+	public default LogoutSuccessHandler getLogoutSuccessHandler() {
+		SimpleUrlLogoutSuccessHandler urlLogoutHandler = new SimpleUrlLogoutSuccessHandler();
+		urlLogoutHandler.setDefaultTargetUrl(getLogoutSuccessURL());
+		return urlLogoutHandler;
+	}
 }

src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java

@@ -22,6 +22,8 @@
 
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.security.FixedDefaultOAuth2AuthorizationRequestResolver;
+import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
+import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
 import eu.openanalytics.containerproxy.util.SessionHelper;
 import net.minidev.json.JSONArray;
 import net.minidev.json.parser.JSONParser;
@@ -54,6 +56,7 @@
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
@@ -150,6 +153,17 @@ public void customizeContainerEnv(Map<String, String> env) {
 
 		env.put(ENV_TOKEN_NAME, client.getAccessToken().getTokenValue());
 	}
+
+	@Inject
+	private SpecExpressionResolver specExpressionResolver;
+
+	@Override
+	public LogoutSuccessHandler getLogoutSuccessHandler() {
+		return (request, response, authentication) -> {
+			SpecExpressionContext context = SpecExpressionContext.create(authentication.getPrincipal(), authentication.getCredentials());
+			response.sendRedirect(specExpressionResolver.evaluateToString(getLogoutSuccessURL(), context));
+		};
+	}
 
 	protected ClientRegistrationRepository createClientRepo() {
 		Set<String> scopes = new HashSet<>();

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -38,8 +38,11 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
@@ -166,8 +169,8 @@ public void handle(HttpServletRequest request, HttpServletResponse response, Acc
 					// important: set the next option after logoutUrl because it would otherwise get overwritten
 					.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
 					.addLogoutHandler(logoutHandler)
-					.logoutSuccessUrl(auth.getLogoutSuccessURL());
-			
+					.logoutSuccessHandler(auth.getLogoutSuccessHandler());
+
 			// Enable basic auth for RESTful calls when APISecurityConfig is not enabled.
 			http.addFilter(new BasicAuthenticationFilter(super.authenticationManagerBean()));
 		}