Fix #30568: prevent going back to IDP page

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/auth/impl/KeycloakAuthenticationBackend.java

@@ -77,6 +77,8 @@
 import java.util.Map;
 import java.util.stream.Collectors;
 
+import static eu.openanalytics.containerproxy.ui.AuthController.AUTH_SUCCESS_URL;
+
 @Component
 public class KeycloakAuthenticationBackend implements IAuthenticationBackend {
 
@@ -142,7 +144,7 @@ protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessin
 		KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(authenticationManager, requestMatcher);
 		filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
 		filter.setAuthenticationFailureHandler(keycloakAuthenticationFailureHandler());
-		SimpleUrlAuthenticationSuccessHandler handler = new SimpleUrlAuthenticationSuccessHandler("/");
+		SimpleUrlAuthenticationSuccessHandler handler = new SimpleUrlAuthenticationSuccessHandler(AUTH_SUCCESS_URL);
 		handler.setAlwaysUseDefaultTargetUrl(true);
 		filter.setAuthenticationSuccessHandler(handler);
 		// Fix: call afterPropertiesSet manually, because Spring doesn't invoke it for some reason.

src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java

@@ -77,6 +77,7 @@
 import java.util.stream.Collectors;
 
 import static eu.openanalytics.containerproxy.auth.impl.oidc.OpenIDConfiguration.REG_ID;
+import static eu.openanalytics.containerproxy.ui.AuthController.AUTH_SUCCESS_URL;
 
 public class OpenIDAuthenticationBackend implements IAuthenticationBackend {
 
@@ -119,7 +120,7 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon
 		http
 			.oauth2Login()
 				.loginPage("/login")
-				.defaultSuccessUrl("/", true)
+				.defaultSuccessUrl(AUTH_SUCCESS_URL, true)
 				.clientRegistrationRepository(clientRegistrationRepo)
 				.authorizedClientService(oAuth2AuthorizedClientService)
 				.authorizationEndpoint()

src/main/java/eu/openanalytics/containerproxy/auth/impl/SAMLAuthenticationBackend.java

@@ -55,6 +55,7 @@
 import static eu.openanalytics.containerproxy.auth.impl.saml.SAMLConfiguration.SAML_LOGOUT_SERVICE_LOCATION_PATH;
 import static eu.openanalytics.containerproxy.auth.impl.saml.SAMLConfiguration.SAML_LOGOUT_SERVICE_RESPONSE_LOCATION_PATH;
 import static eu.openanalytics.containerproxy.auth.impl.saml.SAMLConfiguration.SAML_SERVICE_LOCATION_PATH;
+import static eu.openanalytics.containerproxy.ui.AuthController.AUTH_SUCCESS_URL;
 
 @Component
 @ConditionalOnProperty(name = "proxy.authentication", havingValue = "saml")
@@ -98,7 +99,7 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon
                         .loginProcessingUrl(SAML_SERVICE_LOCATION_PATH)
                         .authenticationManager(new ProviderManager(samlAuthenticationProvider))
                         .failureHandler(failureHandler)
-                        .defaultSuccessUrl("/", true))
+                        .defaultSuccessUrl(AUTH_SUCCESS_URL, true))
                 .saml2Logout(saml -> saml
                         .logoutUrl(SAML_LOGOUT_SERVICE_LOCATION_PATH)
                         .logoutResponse(r -> r.logoutUrl(SAML_LOGOUT_SERVICE_RESPONSE_LOCATION_PATH))

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -75,6 +75,7 @@
 import java.util.List;
 import java.util.Set;
 
+import static eu.openanalytics.containerproxy.ui.AuthController.AUTH_SUCCESS_URL;
 import static eu.openanalytics.containerproxy.ui.TemplateResolverConfig.PROP_CORS_ALLOWED_ORIGINS;
 
 @Configuration
@@ -232,7 +233,7 @@ public void handle(HttpServletRequest request, HttpServletResponse response, Acc
 			http
 				.formLogin()
 					.loginPage("/login")
-					.defaultSuccessUrl("/", true)
+					.defaultSuccessUrl(AUTH_SUCCESS_URL, true) // TODO
 					.and()
 				.logout()
 					.logoutUrl(auth.getLogoutURL())

src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java

@@ -50,6 +50,8 @@
 @Controller
 public class AuthController extends BaseController {
 
+	public static final String AUTH_SUCCESS_URL = "/auth-success";
+
 	@Inject
 	private Environment environment;
 
@@ -76,6 +78,13 @@ public Object getLoginPage(@RequestParam Optional<String> error, ModelMap map) {
 		}
 	}
 
+	@RequestMapping(value = AUTH_SUCCESS_URL, method = RequestMethod.GET)
+	public String authSuccess(ModelMap map) {
+		prepareMap(map);
+		map.put("mainPage", ServletUriComponentsBuilder.fromCurrentContextPath().build().toUriString());
+		return "auth-success";
+	}
+
 	@RequestMapping(value = "/auth-error", method = RequestMethod.GET)
 	public String getAuthErrorPage(ModelMap map) {
 		prepareMap(map);

src/main/resources/templates/auth-success.html

@@ -0,0 +1,34 @@
+<!--
+
+    ContainerProxy
+
+    Copyright (C) 2016-2023 Open Analytics
+
+    ===========================================================================
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the Apache License as published by
+    The Apache Software Foundation, either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    Apache License for more details.
+
+    You should have received a copy of the Apache License
+    along with this program.  If not, see <http://www.apache.org/licenses/>
+
+-->
+<!DOCTYPE html>
+<html
+        xmlns:th="http://www.thymeleaf.org">
+    <head lang="en">
+        <title th:text="${title}"></title>
+        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
+        <script type="text/javascript" th:inline="javascript">
+            history.pushState({}, "", new URL(location));
+            window.location.href = [[${mainPage}]];
+        </script>
+    </head>
+</html>