Coverage Report

Coverage Report - org.kuali.student.security.filter.KSLogoutFilter

Classes in this File

0/60

0/20

 /**
  * Copyright 2010 The Kuali Foundation Licensed under the
  * Educational Community License, Version 2.0 (the "License"); you may
  * not use this file except in compliance with the License. You may
  * obtain a copy of the License at
  *
  * http://www.osedu.org/licenses/ECL-2.0
  *
  * abUnless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an "AS IS"
  * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
  * or implied. See the License for the specific language governing
  * permissions and limitations under the License.
  */
 
 package org.kuali.student.security.filter;
 
 import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.security.Authentication;
 import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.ui.FilterChainOrder;
 import org.springframework.security.ui.SpringSecurityFilter;
 import org.springframework.security.ui.logout.LogoutHandler;
 import org.springframework.security.ui.logout.SecurityContextLogoutHandler;
 import org.springframework.security.util.RedirectUtils;
 import org.springframework.security.util.UrlUtils;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
 /**
  * This is a description of what this class does - Rich don't forget to fill this in. 
  * 
  * @author Kuali Rice Team (kuali-rice@googlegroups.com)
  *
  */
 public class KSLogoutFilter extends SpringSecurityFilter {
 
     private String filterProcessesUrl = "/j_spring_security_logout";
     private String logoutSuccessUrl = "/";
     private LogoutHandler[] handlers;
     private boolean useRelativeContext;
     String invalidateSession = "true";
     
     public KSLogoutFilter(){
         handlers = new SecurityContextLogoutHandler[1];
         SecurityContextLogoutHandler sclh = new SecurityContextLogoutHandler();
         if ("true".equals(invalidateSession)) {
             sclh.setInvalidateHttpSession(true);
         } else {
             sclh.setInvalidateHttpSession(false);
         }
         handlers[0] = sclh;
     }
     
     public KSLogoutFilter(String logoutSuccessUrl, LogoutHandler[] handlers) {
         Assert.notEmpty(handlers, "LogoutHandlers are required");
         this.logoutSuccessUrl = logoutSuccessUrl;
         Assert.isTrue(UrlUtils.isValidRedirectUrl(logoutSuccessUrl), logoutSuccessUrl + " isn't a valid redirect URL");
         this.handlers = handlers;
     }
 
     public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException,
             ServletException {
 
         if (requiresLogout(request, response)) {
             Authentication auth = SecurityContextHolder.getContext().getAuthentication();
 
             if (logger.isDebugEnabled()) {
                 logger.debug("Logging out user '" + auth + "' and redirecting to logout page");
             }
 
             for (int i = 0; i < handlers.length; i++) {
                 handlers[i].logout(request, response, auth);
             }
 
             String targetUrl = determineTargetUrl(request, response);
 
             sendRedirect(request, response, targetUrl);
 
             return;
         }
 
         chain.doFilter(request, response);
     }
 
     /**
      * Allow subclasses to modify when a logout should take place.
      *
      * @param request the request
      * @param response the response
      *
      * @return <code>true</code> if logout should occur, <code>false</code> otherwise
      */
     protected boolean requiresLogout(HttpServletRequest request, HttpServletResponse response) {
         String uri = request.getRequestURI();
         int pathParamIndex = uri.indexOf(';');
 
         if (pathParamIndex > 0) {
             // strip everything from the first semi-colon
             uri = uri.substring(0, pathParamIndex);
         }
 
         int queryParamIndex = uri.indexOf('?');
 
         if (queryParamIndex > 0) {
             // strip everything from the first question mark
             uri = uri.substring(0, queryParamIndex);
         }
 
         if ("".equals(request.getContextPath())) {
             return uri.endsWith(filterProcessesUrl);
         }
         
         //return uri.endsWith(request.getContextPath() + filterProcessesUrl);
         
         // we are setting the logout url j_spring_security_logout in gwt by doing a window assing.url
         // this does not take context into account. if we can change that then we can go back to the line above
         return uri.endsWith(filterProcessesUrl);
     }
     
     
     /**
      * Returns the target URL to redirect to after logout.
      * <p>
      * By default it will check for a <tt>logoutSuccessUrl</tt> parameter in
      * the request and use this. If that isn't present it will use the configured <tt>logoutSuccessUrl</tt>. If this
      * hasn't been set it will check the Referer header and use the URL from there.
      *
      */
     protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
         String targetUrl = request.getParameter("logoutSuccessUrl");
 
         if(!StringUtils.hasLength(targetUrl)) {
             targetUrl = getLogoutSuccessUrl();
         }
 
         if (!StringUtils.hasLength(targetUrl)) {
             targetUrl = request.getHeader("Referer");
         }        
 
         if (!StringUtils.hasLength(targetUrl)) {
             targetUrl = "/";
         }
 
         return targetUrl;
     }
 
     /**
      * Allow subclasses to modify the redirection message.
      *
      * @param request  the request
      * @param response the response
      * @param url      the URL to redirect to
      *
      * @throws IOException in the event of any failure
      */
     protected void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url)
             throws IOException {
 
         RedirectUtils.sendRedirect(request, response, url, useRelativeContext);
     }
 
     public void setFilterProcessesUrl(String filterProcessesUrl) {
         Assert.hasText(filterProcessesUrl, "FilterProcessesUrl required");
         Assert.isTrue(UrlUtils.isValidRedirectUrl(filterProcessesUrl), filterProcessesUrl + " isn't a valid redirect URL");
         this.filterProcessesUrl = filterProcessesUrl;
     }
 
     protected String getLogoutSuccessUrl() {
         return logoutSuccessUrl;
     }    
     
     public void setLogoutSuccessUrl(String logoutSuccessUrl){
         this.logoutSuccessUrl = logoutSuccessUrl;
         Assert.isTrue(UrlUtils.isValidRedirectUrl(logoutSuccessUrl), logoutSuccessUrl + " isn't a valid redirect URL");            
     }    
     
     protected String getFilterProcessesUrl() {
         return filterProcessesUrl;
     }
 
     public void setUseRelativeContext(boolean useRelativeContext) {
         this.useRelativeContext = useRelativeContext;
     }
 
     public int getOrder() {
         return FilterChainOrder.LOGOUT_FILTER;
     }
 
 }

1		/**
2		* Copyright 2010 The Kuali Foundation Licensed under the
3		* Educational Community License, Version 2.0 (the "License"); you may
4		* not use this file except in compliance with the License. You may
5		* obtain a copy of the License at
6		*
7		* http://www.osedu.org/licenses/ECL-2.0
8		*
9		* abUnless required by applicable law or agreed to in writing,
10		* software distributed under the License is distributed on an "AS IS"
11		* BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
12		* or implied. See the License for the specific language governing
13		* permissions and limitations under the License.
14		*/
15
16		package org.kuali.student.security.filter;
17
18		import java.io.IOException;
19
20		import javax.servlet.FilterChain;
21		import javax.servlet.ServletException;
22		import javax.servlet.http.HttpServletRequest;
23		import javax.servlet.http.HttpServletResponse;
24
25		import org.springframework.security.Authentication;
26		import org.springframework.security.context.SecurityContextHolder;
27		import org.springframework.security.ui.FilterChainOrder;
28		import org.springframework.security.ui.SpringSecurityFilter;
29		import org.springframework.security.ui.logout.LogoutHandler;
30		import org.springframework.security.ui.logout.SecurityContextLogoutHandler;
31		import org.springframework.security.util.RedirectUtils;
32		import org.springframework.security.util.UrlUtils;
33		import org.springframework.util.Assert;
34		import org.springframework.util.StringUtils;
35
36		/**
37		* This is a description of what this class does - Rich don't forget to fill this in.
38		*
39		* @author Kuali Rice Team (kuali-rice@googlegroups.com)
40		*
41		*/
42		public class KSLogoutFilter extends SpringSecurityFilter {
43
44	0	private String filterProcessesUrl = "/j_spring_security_logout";
45	0	private String logoutSuccessUrl = "/";
46		private LogoutHandler[] handlers;
47		private boolean useRelativeContext;
48	0	String invalidateSession = "true";
49
50	0	public KSLogoutFilter(){
51	0	handlers = new SecurityContextLogoutHandler[1];
52	0	SecurityContextLogoutHandler sclh = new SecurityContextLogoutHandler();
53	0	if ("true".equals(invalidateSession)) {
54	0	sclh.setInvalidateHttpSession(true);
55		} else {
56	0	sclh.setInvalidateHttpSession(false);
57		}
58	0	handlers[0] = sclh;
59	0	}
60
61	0	public KSLogoutFilter(String logoutSuccessUrl, LogoutHandler[] handlers) {
62	0	Assert.notEmpty(handlers, "LogoutHandlers are required");
63	0	this.logoutSuccessUrl = logoutSuccessUrl;
64	0	Assert.isTrue(UrlUtils.isValidRedirectUrl(logoutSuccessUrl), logoutSuccessUrl + " isn't a valid redirect URL");
65	0	this.handlers = handlers;
66	0	}
67
68		public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException,
69		ServletException {
70
71	0	if (requiresLogout(request, response)) {
72	0	Authentication auth = SecurityContextHolder.getContext().getAuthentication();
73
74	0	if (logger.isDebugEnabled()) {
75	0	logger.debug("Logging out user '" + auth + "' and redirecting to logout page");
76		}
77
78	0	for (int i = 0; i < handlers.length; i++) {
79	0	handlers[i].logout(request, response, auth);
80		}
81
82	0	String targetUrl = determineTargetUrl(request, response);
83
84	0	sendRedirect(request, response, targetUrl);
85
86	0	return;
87		}
88
89	0	chain.doFilter(request, response);
90	0	}
91
92		/**
93		* Allow subclasses to modify when a logout should take place.
94		*
95		* @param request the request
96		* @param response the response
97		*
98		* @return <code>true</code> if logout should occur, <code>false</code> otherwise
99		*/
100		protected boolean requiresLogout(HttpServletRequest request, HttpServletResponse response) {
101	0	String uri = request.getRequestURI();
102	0	int pathParamIndex = uri.indexOf(';');
103
104	0	if (pathParamIndex > 0) {
105		// strip everything from the first semi-colon
106	0	uri = uri.substring(0, pathParamIndex);
107		}
108
109	0	int queryParamIndex = uri.indexOf('?');
110
111	0	if (queryParamIndex > 0) {
112		// strip everything from the first question mark
113	0	uri = uri.substring(0, queryParamIndex);
114		}
115
116	0	if ("".equals(request.getContextPath())) {
117	0	return uri.endsWith(filterProcessesUrl);
118		}
119
120		//return uri.endsWith(request.getContextPath() + filterProcessesUrl);
121
122		// we are setting the logout url j_spring_security_logout in gwt by doing a window assing.url
123		// this does not take context into account. if we can change that then we can go back to the line above
124	0	return uri.endsWith(filterProcessesUrl);
125		}
126
127
128		/**
129		* Returns the target URL to redirect to after logout.
130		* <p>
131		* By default it will check for a <tt>logoutSuccessUrl</tt> parameter in
132		* the request and use this. If that isn't present it will use the configured <tt>logoutSuccessUrl</tt>. If this
133		* hasn't been set it will check the Referer header and use the URL from there.
134		*
135		*/
136		protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
137	0	String targetUrl = request.getParameter("logoutSuccessUrl");
138
139	0	if(!StringUtils.hasLength(targetUrl)) {
140	0	targetUrl = getLogoutSuccessUrl();
141		}
142
143	0	if (!StringUtils.hasLength(targetUrl)) {
144	0	targetUrl = request.getHeader("Referer");
145		}
146
147	0	if (!StringUtils.hasLength(targetUrl)) {
148	0	targetUrl = "/";
149		}
150
151	0	return targetUrl;
152		}
153
154		/**
155		* Allow subclasses to modify the redirection message.
156		*
157		* @param request the request
158		* @param response the response
159		* @param url the URL to redirect to
160		*
161		* @throws IOException in the event of any failure
162		*/
163		protected void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url)
164		throws IOException {
165
166	0	RedirectUtils.sendRedirect(request, response, url, useRelativeContext);
167	0	}
168
169		public void setFilterProcessesUrl(String filterProcessesUrl) {
170	0	Assert.hasText(filterProcessesUrl, "FilterProcessesUrl required");
171	0	Assert.isTrue(UrlUtils.isValidRedirectUrl(filterProcessesUrl), filterProcessesUrl + " isn't a valid redirect URL");
172	0	this.filterProcessesUrl = filterProcessesUrl;
173	0	}
174
175		protected String getLogoutSuccessUrl() {
176	0	return logoutSuccessUrl;
177		}
178
179		public void setLogoutSuccessUrl(String logoutSuccessUrl){
180	0	this.logoutSuccessUrl = logoutSuccessUrl;
181	0	Assert.isTrue(UrlUtils.isValidRedirectUrl(logoutSuccessUrl), logoutSuccessUrl + " isn't a valid redirect URL");
182	0	}
183
184		protected String getFilterProcessesUrl() {
185	0	return filterProcessesUrl;
186		}
187
188		public void setUseRelativeContext(boolean useRelativeContext) {
189	0	this.useRelativeContext = useRelativeContext;
190	0	}
191
192		public int getOrder() {
193	0	return FilterChainOrder.LOGOUT_FILTER;
194		}
195
196		}