Spring Security SAML

org.springframework.security.saml
Class SAMLLogoutFilter

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.web.authentication.logout.LogoutFilter
          extended by org.springframework.security.saml.SAMLLogoutFilter
All Implemented Interfaces:
Filter, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.web.context.ServletContextAware

public class SAMLLogoutFilter
extends org.springframework.security.web.authentication.logout.LogoutFilter

Logout filter leveraging the SAML 2.0 Single Logout profile. When the filter URL is invoked, the filter determines, based on a request parameter (LOGOUT_PARAMETER), whether global logout (termination of all participating sessions) or local logout (termination of only the session running within Spring Security) is requested.

When global logout is requested, a LogoutRequest is sent to the IDP.

Author:
Vladimir Schäfer

Field Summary
protected  SAMLContextProvider contextProvider
           
static String FILTER_URL
          URL this filter processes
protected  org.springframework.security.web.authentication.logout.LogoutHandler[] globalHandlers
          Handlers to be invoked during logout.
protected static String LOGOUT_PARAMETER
          Name of parameter of HttpRequest indicating whether this call should perform only local logout.
protected  SingleLogoutProfile profile
           
protected  SAMLLogger samlLogger
           
 
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
 
Constructor Summary
SAMLLogoutFilter(org.springframework.security.web.authentication.logout.LogoutSuccessHandler logoutSuccessHandler, org.springframework.security.web.authentication.logout.LogoutHandler[] localHandler, org.springframework.security.web.authentication.logout.LogoutHandler[] globalHandlers)
          Default constructor.
SAMLLogoutFilter(String successUrl, org.springframework.security.web.authentication.logout.LogoutHandler[] localHandler, org.springframework.security.web.authentication.logout.LogoutHandler[] globalHandlers)
          Default constructor.
 
Method Summary
 void afterPropertiesSet()
          Verifies that required entities were autowired or set.
 void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
           
protected  boolean isGlobalLogout(HttpServletRequest request, org.springframework.security.core.Authentication auth)
          Global logout is performed when the current user logged in using SAML and has not selected local logout only.
 void processLogout(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
          If the request parameter named "local" is set to true, or there is no authenticated user, only local logout is performed and the user is redirected to the success page.
protected  boolean requiresLogout(HttpServletRequest request, HttpServletResponse response)
          The filter will be used in case the URL of the request contains the DEFAULT_FILTER_URL.
 void setContextProvider(SAMLContextProvider contextProvider)
          Sets entity responsible for populating local entity context data.
 void setProfile(SingleLogoutProfile profile)
          Profile for consumption of processed messages, cannot be null, must be set.
 void setSamlLogger(SAMLLogger samlLogger)
          Logger for SAML events, cannot be null, must be set.
 
Methods inherited from class org.springframework.security.web.authentication.logout.LogoutFilter
getFilterProcessesUrl, setFilterProcessesUrl
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

profile

protected SingleLogoutProfile profile

samlLogger

protected SAMLLogger samlLogger

contextProvider

protected SAMLContextProvider contextProvider

LOGOUT_PARAMETER

protected static final String LOGOUT_PARAMETER
Name of the HttpRequest parameter indicating whether this call should perform only local logout. If the value is true, no global logout will be invoked.

See Also:
Constant Field Values

globalHandlers

protected org.springframework.security.web.authentication.logout.LogoutHandler[] globalHandlers
Handlers to be invoked during logout.


FILTER_URL

public static final String FILTER_URL
URL this filter processes

See Also:
Constant Field Values
Constructor Detail

SAMLLogoutFilter

public SAMLLogoutFilter(String successUrl,
                        org.springframework.security.web.authentication.logout.LogoutHandler[] localHandler,
                        org.springframework.security.web.authentication.logout.LogoutHandler[] globalHandlers)
Default constructor.

Parameters:
successUrl - URL to use after logout in case of local logout
localHandler - handlers to be invoked when local logout is selected
globalHandlers - handlers to be invoked when global logout is selected

SAMLLogoutFilter

public SAMLLogoutFilter(org.springframework.security.web.authentication.logout.LogoutSuccessHandler logoutSuccessHandler,
                        org.springframework.security.web.authentication.logout.LogoutHandler[] localHandler,
                        org.springframework.security.web.authentication.logout.LogoutHandler[] globalHandlers)
Default constructor.

Parameters:
logoutSuccessHandler - handler to invoke upon successful logout
localHandler - handlers to be invoked when local logout is selected
globalHandlers - handlers to be invoked when global logout is selected
Method Detail

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws IOException,
                     ServletException
Specified by:
doFilter in interface Filter
Overrides:
doFilter in class org.springframework.security.web.authentication.logout.LogoutFilter
Throws:
IOException
ServletException

processLogout

public void processLogout(HttpServletRequest request,
                          HttpServletResponse response,
                          FilterChain chain)
                   throws IOException,
                          ServletException
If the request parameter named "local" is set to true, or there is no authenticated user, only local logout is performed and the user is redirected to the success page. Otherwise the global logout procedure is initiated.

Parameters:
request - http request
response - http response
chain - chain
Throws:
IOException - error
ServletException - error

requiresLogout

protected boolean requiresLogout(HttpServletRequest request,
                                 HttpServletResponse response)
The filter will be used in case the URL of the request contains the DEFAULT_FILTER_URL.

Overrides:
requiresLogout in class org.springframework.security.web.authentication.logout.LogoutFilter
Parameters:
request - request used to determine whether to enable this filter
Returns:
true if this filter should be used

isGlobalLogout

protected boolean isGlobalLogout(HttpServletRequest request,
                                 org.springframework.security.core.Authentication auth)
Global logout is performed when the current user logged in using SAML and has not selected local logout only.

Parameters:
request - request
auth - currently logged in user
Returns:
true if single logout with IDP is required

setSamlLogger

@Autowired
public void setSamlLogger(SAMLLogger samlLogger)
Logger for SAML events, cannot be null, must be set.

Parameters:
samlLogger - logger

setProfile

@Autowired
public void setProfile(SingleLogoutProfile profile)
Profile for consumption of processed messages, cannot be null, must be set.

Parameters:
profile - profile

setContextProvider

@Autowired
public void setContextProvider(SAMLContextProvider contextProvider)
Sets entity responsible for populating local entity context data. Cannot be null, must be set.

Parameters:
contextProvider - provider implementation

afterPropertiesSet

public void afterPropertiesSet()
                        throws ServletException
Verifies that required entities were autowired or set.

Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Overrides:
afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean
Throws:
ServletException
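
Added example (not part of the original Javadoc or the project's own code): wiring the filter as a Spring bean so the @Autowired setters are satisfied, and overriding the protected isGlobalLogout hook for a deployment whose policy is that a client-supplied LOGOUT_PARAMETER must not skip single logout. The class name SamlLogoutConfig, the "/" success URL, the javax.servlet namespace and the SAMLCredential check are assumptions.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.SAMLLogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

@Configuration
public class SamlLogoutConfig { // hypothetical configuration class

    // Terminates the session running within Spring Security.
    @Bean
    public SecurityContextLogoutHandler sessionLogoutHandler() {
        SecurityContextLogoutHandler handler = new SecurityContextLogoutHandler();
        handler.setInvalidateHttpSession(true);
        return handler;
    }

    // Declared as a bean so that setProfile, setContextProvider and
    // setSamlLogger are autowired and afterPropertiesSet can verify them.
    @Bean
    public SAMLLogoutFilter samlLogoutFilter() {
        LogoutHandler[] local = { sessionLogoutHandler() };
        LogoutHandler[] global = { sessionLogoutHandler() };

        // "/" is an assumed landing page used after a local logout.
        return new SAMLLogoutFilter("/", local, global) {
            @Override
            protected boolean isGlobalLogout(HttpServletRequest request,
                                             Authentication auth) {
                // Assumed policy: ignore the request parameter and always
                // send a LogoutRequest to the IDP for SAML-authenticated
                // users, so the IDP session does not outlive the local one.
                return auth != null
                        && auth.getCredentials() instanceof SAMLCredential;
            }
        };
    }
}
```

Without the override, a request carrying the parameter named "local" set to true ends only the Spring Security session; the session at the IDP stays active.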
