Merge pull request apereo#239 from mattdrees/issue-210-preserve-entit…

…y-stream-for-non-logout-requests

Add option to prevent entity stream consumption

README.md

@@ -665,6 +665,7 @@ The `SingleSignOutFilter` can affect character encoding. This becomes most obvio
 | `relayStateParameterName` | Defaults to `RelayState` | No
 | `eagerlyCreateSessions` | Defaults to `true` | No
 | `artifactParameterOverPost` | Defaults to  `false` | No
+| `logoutCallbackPath` | The path which is expected to receive logout callback requests from the CAS server. This is necessary if your app needs access to the raw input stream when handling form posts. If not configured, the default behavior will check every form post for a logout parameter. | No
 | `casServerUrlPrefix` | URL to root of CAS Web application context. | Yes
 
 <a name="cas-protocol"></a>

cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java

@@ -78,4 +78,5 @@ public interface ConfigurationKeys {
     ConfigurationKey<Class<? extends Cas20ServiceTicketValidator>> TICKET_VALIDATOR_CLASS = new ConfigurationKey<Class<? extends Cas20ServiceTicketValidator>>("ticketValidatorClass", null);
     ConfigurationKey<String> PROXY_CALLBACK_URL = new ConfigurationKey<String>("proxyCallbackUrl", null);
     ConfigurationKey<String> RELAY_STATE_PARAMETER_NAME = new ConfigurationKey<String>("relayStateParameterName", "RelayState");
+    ConfigurationKey<String> LOGOUT_CALLBACK_PATH = new ConfigurationKey<String>("logoutCallbackPath", null);
 }

cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java

@@ -48,6 +48,7 @@ public void init(final FilterConfig filterConfig) throws ServletException {
             setLogoutParameterName(getString(ConfigurationKeys.LOGOUT_PARAMETER_NAME));
             setRelayStateParameterName(getString(ConfigurationKeys.RELAY_STATE_PARAMETER_NAME));
             setCasServerUrlPrefix(getString(ConfigurationKeys.CAS_SERVER_URL_PREFIX));
+            setLogoutCallbackPath(getString(ConfigurationKeys.LOGOUT_CALLBACK_PATH));
             HANDLER.setArtifactParameterOverPost(getBoolean(ConfigurationKeys.ARTIFACT_PARAMETER_OVER_POST));
             HANDLER.setEagerlyCreateSessions(getBoolean(ConfigurationKeys.EAGERLY_CREATE_SESSIONS));
         }
@@ -71,6 +72,10 @@ public void setCasServerUrlPrefix(final String casServerUrlPrefix) {
         HANDLER.setCasServerUrlPrefix(casServerUrlPrefix);
     }
 
+    public void setLogoutCallbackPath(String logoutCallbackPath) {
+        HANDLER.setLogoutCallbackPath(logoutCallbackPath);
+    }
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         HANDLER.setSessionMappingStorage(storage);
     }

cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java

@@ -66,6 +66,9 @@ public final class SingleSignOutHandler {
     /** The prefix url of the CAS server */
     private String casServerUrlPrefix = "";
 
+    /** The logout callback path configured at the CAS server, if there is one */
+    private String logoutCallbackPath;
+
     private boolean artifactParameterOverPost = false;
 
     private boolean eagerlyCreateSessions = true;
@@ -106,7 +109,14 @@ public void setLogoutParameterName(final String name) {
     public void setCasServerUrlPrefix(final String casServerUrlPrefix) {
         this.casServerUrlPrefix = casServerUrlPrefix;
     }
-
+
+    /**
+     * @param logoutCallbackPath The logout callback path configured at the CAS server.
+     */
+    public void setLogoutCallbackPath(String logoutCallbackPath) {
+        this.logoutCallbackPath = logoutCallbackPath;
+    }
+
     /**
      * @param name Name of parameter containing the state of the CAS server webflow.
      */
@@ -163,6 +173,7 @@ private boolean isTokenRequest(final HttpServletRequest request) {
     private boolean isLogoutRequest(final HttpServletRequest request) {
         if ("POST".equalsIgnoreCase(request.getMethod())) {
             return !isMultipartRequest(request)
+                    && pathEligibleForLogout(request)
                     && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName,
                     this.safeParameters));
         }
@@ -172,7 +183,15 @@ private boolean isLogoutRequest(final HttpServletRequest request) {
         }
         return false;
     }
-
+
+    private boolean pathEligibleForLogout(HttpServletRequest request) {
+        return logoutCallbackPath == null || logoutCallbackPath.equals(getPath(request));
+    }
+
+    private String getPath(HttpServletRequest request) {
+        return request.getServletPath() + CommonUtils.nullToEmpty(request.getPathInfo());
+    }
+
     /**
      * Process a request regarding the SLO process: record the session or destroy it.
      *

cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java

@@ -719,6 +719,17 @@ public static int toInt(final String str, final int defaultValue) {
         }
     }
 
+    /**
+     * Returns the string as-is, unless it's <code>null</code>;
+     * in this case an empty string is returned.
+     *
+     * @param string a possibly <code>null</code> string
+     * @return a non-<code>null</code> string
+     */
+    public static String nullToEmpty(String string) {
+        return string == null ? "" : string;
+    }
+
     /**
      * Adds a trailing slash to the given uri, if it doesn't already have one.
      *

cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutHandlerTests.java

@@ -116,13 +116,36 @@ public void backChannelLogoutFailsIfNoSessionIndex() {
 
     @Test
     public void backChannelLogoutOK() {
+        final MockHttpSession session = doBackChannelLogout();
+        assertFalse(handler.process(request, response));
+        assertTrue(session.isInvalid());
+    }
+
+    @Test
+    public void backChannelLogoutDoesNotRunIfPathIsNotEligibleForLogout() {
+        handler.setLogoutCallbackPath("/logout");
+        request.setServletPath("/not-a-logout");
+        final MockHttpSession session = doBackChannelLogout();
+        assertTrue(handler.process(request, response));
+        assertFalse(session.isInvalid());
+    }
+
+    @Test
+    public void backChannelLogoutRunsIfPathEqualsLogoutPath() {
+        handler.setLogoutCallbackPath("/logout");
+        request.setServletPath("/logout");
+        final MockHttpSession session = doBackChannelLogout();
+        assertFalse(handler.process(request, response));
+        assertTrue(session.isInvalid());
+    }
+
+    private MockHttpSession doBackChannelLogout() {
         final String logoutMessage = LogoutMessageGenerator.generateBackChannelLogoutMessage(TICKET);
         request.setParameter(LOGOUT_PARAMETER_NAME, logoutMessage);
         request.setMethod("POST");
         final MockHttpSession session = new MockHttpSession();
         handler.getSessionMappingStorage().addSessionById(TICKET, session);
-        assertFalse(handler.process(request, response));
-        assertTrue(session.isInvalid());
+        return session;
     }
 
     @Test

cas-client-integration-tomcat-v6/src/main/java/org/jasig/cas/client/tomcat/v6/SingleSignOutValve.java

@@ -60,6 +60,10 @@ public void setCasServerUrlPrefix(final String casServerUrlPrefix) {
         this.handler.setCasServerUrlPrefix(casServerUrlPrefix);
     }
 
+    public void setLogoutCallbackPath(String logoutCallbackPath) {
+        this.handler.setLogoutCallbackPath(logoutCallbackPath);
+    }
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         this.handler.setSessionMappingStorage(storage);
     }

cas-client-integration-tomcat-v7/src/main/java/org/jasig/cas/client/tomcat/v7/SingleSignOutValve.java

@@ -64,6 +64,10 @@ public void setCasServerUrlPrefix(final String casServerUrlPrefix) {
         this.handler.setCasServerUrlPrefix(casServerUrlPrefix);
     }
 
+    public void setLogoutCallbackPath(String logoutCallbackPath) {
+        this.handler.setLogoutCallbackPath(logoutCallbackPath);
+    }
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         this.handler.setSessionMappingStorage(storage);
     }

cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/SingleSignOutValve.java

@@ -64,6 +64,10 @@ public void setCasServerUrlPrefix(final String casServerUrlPrefix) {
         this.handler.setCasServerUrlPrefix(casServerUrlPrefix);
     }
 
+    public void setLogoutCallbackPath(String logoutCallbackPath) {
+        this.handler.setLogoutCallbackPath(logoutCallbackPath);
+    }
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         this.handler.setSessionMappingStorage(storage);
     }

cas-client-integration-tomcat-v85/src/main/java/org/jasig/cas/client/tomcat/v85/SingleSignOutValve.java

@@ -64,6 +64,10 @@ public void setCasServerUrlPrefix(final String casServerUrlPrefix) {
         this.handler.setCasServerUrlPrefix(casServerUrlPrefix);
     }
 
+    public void setLogoutCallbackPath(String logoutCallbackPath) {
+        this.handler.setLogoutCallbackPath(logoutCallbackPath);
+    }
+
     public void setSessionMappingStorage(final SessionMappingStorage storage) {
         this.handler.setSessionMappingStorage(storage);
     }