[
https://issues.apache.org/jira/browse/FEDIZ-220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16532591#comment-16532591
]
Arnaud MERGEY edited comment on FEDIZ-220 at 7/4/18 10:23 AM:
--------------------------------------------------------------
I have made some tests, when I call [http://host/myapp/?wa=signout1.0] with
SAML protocol, tomcat plugin is sending a SAML logout request to IDP (that
seemed valid, at least with SAMLING)
when I call [http://host/myapp/?wa=wsignoutcleanup1.0], tomcat plugin is doing
a "local" logout (meaning local tomcat session is logged out destroyed,
without sending logout to IDP) but this logout is responding some internal
image after the logout, so I wanted to redirect after local logout, then I
configured like described above and called
[http://host/myapp/?wa=wsignoutcleanup1.0&wreply=/myapp/loggedout.do] that gave
me the error because of the encoding
There were this kind of feature with keycloack tomcat valve (I used before) and
I though calling with ?wa=signout1.0 was the equivalent of keycloack ?GLO=true
for sso logout and wa=wsignoutcleanup1.0 was equivalent for ?LLO=true for local
logout
was I wrong ?
was (Author: amergey):
I have made some tests, when I call http://host/myapp/?wa=signout1.0 with SAML
protocol, tomcat plugin is sending a SAML logout request to IDP (that seemed
valid, at least with SAMLING)
when I call http://host/myapp/?wa=wsignoutcleanup1.0, tomcat plugin is doing a
"local" logout (meaning local tomcat session is logged out destroyed, without
sending logout to IDP) but this logout is responding some internal image after
the logout, so I wanted to redirect after local logout, then I configured like
described above and called
[http://host/myapp/?wa=wsignoutcleanup1.0&wreply=/myapp/loggedout.do]
There were this kind of feature with keycloack tomcat valve (I used before) and
I though calling with ?wa=signout1.0 was the equivalent of keycloack ?GLO=true
for sso logout and wa=wsignoutcleanup1.0 was equivalent for ?LLO=true for local
logout
was I wrong ?
> http 400 when logout with redirect to constraint
> ------------------------------------------------
>
> Key: FEDIZ-220
> URL: https://issues.apache.org/jira/browse/FEDIZ-220
> Project: CXF-Fediz
> Issue Type: Bug
> Components: Plugin
> Affects Versions: 1.4.3
> Reporter: Arnaud MERGEY
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 1.4.5
>
>
> I would like to redirect to a page after logout from a SAML authentication
> with tomcat plugin.
> I have added this in my fediz_config.xml
>
> {code:java}
> <logoutRedirectToConstraint
> type="String">.*logout.do.*</logoutRedirectToConstraint>
> {code}
>
> Then when I logout, instead of being redirected as expected I have an http
> 400 because the redirec url (/mycontext/logout.do?display=2) is url encoded
> and becomes not valid (because of / and ?).
> I looked in the code and it seems to me the issue is here
> org.apache.cxf.fediz.core.handler.LogoutHandler.signoutCleanup(HttpServletRequest
> request, HttpServletResponse response)
> line 114
> {code:java}
> response.sendRedirect(URLEncoder.encode(wreply, "UTF-8"));
> {code}
> should be replaced with
> {code:java}
> response.sendRedirect(response.encodeRedirectURL(wreply);
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
