From f6acbd805b5df396ecdd0d2da85e45c8aa8df73f Mon Sep 17 00:00:00 2001
From: Andreas Svanberg <andreass@dsv.su.se>
Date: Thu, 21 Nov 2024 13:07:25 +0100
Subject: [PATCH] Remove Shibboleth (SAML) log in

Tomcat/Apache integration for SAML will populate the ServletRequest#getRemoteUser with an empty string rather than null when not authenticated. This confuses Spring Security into thinking the user is authenticated, but with an empty string as the principal name. This causes problems further down the line in Spring Security, since an empty principal is not accepted.

To get around this we simply remove the SAML integration and rely solely on OAuth 2.0 for log in. An alternative would be to apply a servlet filter beforehand that would send null if the string is empty. But that has the downside of having different authentication mechanisms for production and development. By using only OAuth 2.0 everywhere it works the same, and it is easier to troubleshoot.
---
 war/src/main/java/se/su/dsv/scipro/war/WicketConfiguration.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/war/src/main/java/se/su/dsv/scipro/war/WicketConfiguration.java b/war/src/main/java/se/su/dsv/scipro/war/WicketConfiguration.java
index bd9b3d02f7..6e08db02a8 100644
--- a/war/src/main/java/se/su/dsv/scipro/war/WicketConfiguration.java
+++ b/war/src/main/java/se/su/dsv/scipro/war/WicketConfiguration.java
@@ -59,7 +59,6 @@ public class WicketConfiguration {
     @Order(3) // make sure it's after the API security filters
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
-        http.jee(Customizer.withDefaults()); // Shibboleth integration
         http.oauth2Login(Customizer.withDefaults());
         http.csrf(csrf -> csrf.disable()); // Wicket has its own CSRF protection
         http.logout(logout -> logout
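Review bot: the one-line deletion of `http.jee(Customizer.withDefaults())` removes the only consumer of the container principal in this chain, but nothing in the diff touches the Tomcat/Apache side that the commit message says populates `getRemoteUser` with an empty string, so the connector will keep setting that value on every request; either remove that integration in the same change or state in the message that it is intentionally left in place. Also worth confirming that the API security filter chains ordered before this `@Order(3)` chain do not carry their own `jee()` configurer, since the same empty-principal failure would reappear there.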