Fix #30648: redirect to app after login

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/auth/impl/KeycloakAuthenticationBackend.java

@@ -54,7 +54,7 @@
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
 import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
@@ -77,8 +77,6 @@
 import java.util.Map;
 import java.util.stream.Collectors;
 
-import static eu.openanalytics.containerproxy.ui.AuthController.AUTH_SUCCESS_URL;
-
 @Component
 public class KeycloakAuthenticationBackend implements IAuthenticationBackend {
 
@@ -94,6 +92,10 @@ public class KeycloakAuthenticationBackend implements IAuthenticationBackend {
 	@Lazy
 	AuthenticationManager authenticationManager;
 
+	@Inject
+	@Lazy
+	private SavedRequestAwareAuthenticationSuccessHandler successHandler;
+
 	@Override
 	public String getName() {
 		return NAME;
@@ -144,9 +146,7 @@ protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessin
 		KeycloakAuthenticationProcessingFilter filter = new KeycloakAuthenticationProcessingFilter(authenticationManager, requestMatcher);
 		filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
 		filter.setAuthenticationFailureHandler(keycloakAuthenticationFailureHandler());
-		SimpleUrlAuthenticationSuccessHandler handler = new SimpleUrlAuthenticationSuccessHandler(AUTH_SUCCESS_URL);
-		handler.setAlwaysUseDefaultTargetUrl(true);
-		filter.setAuthenticationSuccessHandler(handler);
+		filter.setAuthenticationSuccessHandler(successHandler);
 		// Fix: call afterPropertiesSet manually, because Spring doesn't invoke it for some reason.
 		filter.setApplicationContext(ctx);
 		filter.afterPropertiesSet();

src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java

@@ -31,6 +31,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.core.env.Environment;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -58,6 +59,7 @@
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
@@ -77,7 +79,6 @@
 import java.util.stream.Collectors;
 
 import static eu.openanalytics.containerproxy.auth.impl.oidc.OpenIDConfiguration.REG_ID;
-import static eu.openanalytics.containerproxy.ui.AuthController.AUTH_SUCCESS_URL;
 
 public class OpenIDAuthenticationBackend implements IAuthenticationBackend {
 
@@ -93,6 +94,10 @@ public class OpenIDAuthenticationBackend implements IAuthenticationBackend {
 	@Inject
 	private ClientRegistrationRepository clientRegistrationRepo;
 
+	@Inject
+	@Lazy
+	private SavedRequestAwareAuthenticationSuccessHandler successHandler;
+
 	private static OAuth2AuthorizedClientService oAuth2AuthorizedClientService;
 
 	@Autowired
@@ -116,11 +121,11 @@ public boolean hasAuthorization() {
 	@Override
 	public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestConfigurer) throws Exception {
 		anyRequestConfigurer.authenticated();
-		
+
 		http
 			.oauth2Login()
 				.loginPage("/login")
-				.defaultSuccessUrl(AUTH_SUCCESS_URL, true)
+				.successHandler(successHandler)
 				.clientRegistrationRepository(clientRegistrationRepo)
 				.authorizedClientService(oAuth2AuthorizedClientService)
 				.authorizationEndpoint()
@@ -141,7 +146,7 @@ public void onAuthenticationFailure(HttpServletRequest request, HttpServletRespo
 					.oidcUserService(createOidcUserService())
 				.and()
 			.and()
-				.addFilterAfter(openIdReAuthorizeFilter, UsernamePasswordAuthenticationFilter.class);
+			.addFilterAfter(openIdReAuthorizeFilter, UsernamePasswordAuthenticationFilter.class);
 	}
 
 	private OAuth2AuthorizationRequestResolver authorizationRequestResolver() {

src/main/java/eu/openanalytics/containerproxy/auth/impl/SAMLAuthenticationBackend.java

@@ -26,6 +26,7 @@
 import eu.openanalytics.containerproxy.util.ContextPathHelper;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.core.env.Environment;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
@@ -40,6 +41,7 @@
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
 import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestResolver;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -76,6 +78,10 @@ public class SAMLAuthenticationBackend implements IAuthenticationBackend {
     @Inject
     private Saml2LogoutRequestResolver saml2LogoutRequestResolver;
 
+    @Inject
+    @Lazy
+    private SavedRequestAwareAuthenticationSuccessHandler successHandler;
+
     @Override
     public String getName() {
         return NAME;
@@ -99,7 +105,7 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon
                         .loginProcessingUrl(SAML_SERVICE_LOCATION_PATH)
                         .authenticationManager(new ProviderManager(samlAuthenticationProvider))
                         .failureHandler(failureHandler)
-                        .defaultSuccessUrl(AUTH_SUCCESS_URL, true))
+                        .successHandler(successHandler))
                 .saml2Logout(saml -> saml
                         .logoutUrl(SAML_LOGOUT_SERVICE_LOCATION_PATH)
                         .logoutResponse(r -> r.logoutUrl(SAML_LOGOUT_SERVICE_RESPONSE_LOCATION_PATH))

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -34,6 +34,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.core.env.Environment;
 import org.springframework.security.access.AccessDeniedException;
@@ -57,6 +58,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
 import org.springframework.security.web.header.Header;
@@ -102,6 +104,10 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Autowired(required=false)
 	private List<ICustomSecurityConfig> customConfigs;
 
+	@Inject
+	@Lazy
+	private SavedRequestAwareAuthenticationSuccessHandler successHandler;
+
 	public static final String PROP_DISABLE_NO_SNIFF_HEADER = "proxy.api-security.disable-no-sniff-header";
 	public static final String PROP_DISABLE_HSTS_HEADER = "proxy.api-security.disable-hsts-header";
 	public static final String PROP_DISABLE_XSS_PROTECTION_HEADER = "proxy.api-security.disable-xss-protection-header";
@@ -233,7 +239,7 @@ public void handle(HttpServletRequest request, HttpServletResponse response, Acc
 			http
 				.formLogin()
 					.loginPage("/login")
-					.defaultSuccessUrl(AUTH_SUCCESS_URL, true) // TODO
+					.successHandler(successHandler)
 					.and()
 				.logout()
 					.logoutUrl(auth.getLogoutURL())
@@ -323,6 +329,13 @@ public AuthenticationManager authenticationManagerBean() throws Exception {
 		return super.authenticationManagerBean();
 	}
 
+	@Bean
+	public SavedRequestAwareAuthenticationSuccessHandler SavedRequestAwareAuthenticationSuccessHandler() {
+		SavedRequestAwareAuthenticationSuccessHandler savedRequestAwareAuthenticationSuccessHandler = new SavedRequestAwareAuthenticationSuccessHandler();
+		savedRequestAwareAuthenticationSuccessHandler.setDefaultTargetUrl(AUTH_SUCCESS_URL);
+		return savedRequestAwareAuthenticationSuccessHandler;
+	}
+
 	private List<Header> getCustomHeaders() {
 		List<Header> headers = new ArrayList<>();
 

src/main/java/eu/openanalytics/containerproxy/ui/AuthController.java

@@ -20,37 +20,28 @@
  */
 package eu.openanalytics.containerproxy.ui;
 
-import javax.inject.Inject;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
+import eu.openanalytics.containerproxy.api.BaseController;
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.impl.OpenIDAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.impl.SAMLAuthenticationBackend;
-import eu.openanalytics.containerproxy.auth.impl.saml.SAMLConfiguration;
 import org.springframework.core.env.Environment;
-import org.springframework.http.HttpHeaders;
-import org.springframework.http.MediaType;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
-
-import eu.openanalytics.containerproxy.api.BaseController;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 import org.springframework.web.servlet.view.RedirectView;
 
-import java.io.IOException;
-import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
+import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
 import java.util.Optional;
 
 @Controller
 public class AuthController extends BaseController {
 
 	public static final String AUTH_SUCCESS_URL = "/auth-success";
+	public static final String AUTH_SUCCESS_URL_SESSION_ATTR = "AUTH_SUCCESS_URL_SESSION_ATTR";
 
 	@Inject
 	private Environment environment;
@@ -79,9 +70,19 @@ public Object getLoginPage(@RequestParam Optional<String> error, ModelMap map) {
 	}
 
 	@RequestMapping(value = AUTH_SUCCESS_URL, method = RequestMethod.GET)
-	public String authSuccess(ModelMap map) {
+	public String authSuccess(ModelMap map, HttpServletRequest request) {
 		prepareMap(map);
-		map.put("mainPage", ServletUriComponentsBuilder.fromCurrentContextPath().build().toUriString());
+		map.put("url", ServletUriComponentsBuilder.fromCurrentContextPath().build().toUriString()); // default url
+
+		Object redirectUrl = request.getSession().getAttribute(AUTH_SUCCESS_URL_SESSION_ATTR);
+		if (redirectUrl instanceof String) {
+			request.getSession().removeAttribute(AUTH_SUCCESS_URL_SESSION_ATTR);
+			String sRedirectUrl = (String) redirectUrl;
+			// sanity check: does the redirect url start with the url of this current request
+			if (sRedirectUrl.startsWith(ServletUriComponentsBuilder.fromCurrentContextPath().build().toUriString())) {
+				map.put("url", redirectUrl);
+			}
+		}
 		return "auth-success";
 	}
 

src/main/resources/templates/auth-success.html

@@ -28,7 +28,8 @@
         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
         <script type="text/javascript" th:inline="javascript">
             history.pushState({}, "", new URL(location));
-            window.location.href = [[${mainPage}]];
+            window.location.href = [[${url}]];
         </script>
     </head>
+    Test
 </html>