Remove Shibboleth (SAML) log in
Tomcat/Apache integration for SAML will populate the ServletRequest#getRemoteUser with an empty string rather than null when not authenticated. This confuses Spring Security to think the user is authenticated but with an empty string as the principal name. This causes problems further down the line in Spring Security since an empty principal is not accepted. To get around this we simply remove the SAML integration and rely solely on OAuth 2.0 for log in. An alternative would be to apply a servlet filter beforehand that would send null if the string is empty. But that has the downside of having different authentication mechanism for production and development. By using only OAuth 2.0 everywhere it works the same, and it is easier to troubleshoot.
This commit is contained in:
parent
615953117d
commit
f6acbd805b
@ -59,7 +59,6 @@ public class WicketConfiguration {
|
|||||||
@Order(3) // make sure it's after the API security filters
|
@Order(3) // make sure it's after the API security filters
|
||||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
|
http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
|
||||||
http.jee(Customizer.withDefaults()); // Shibboleth integration
|
|
||||||
http.oauth2Login(Customizer.withDefaults());
|
http.oauth2Login(Customizer.withDefaults());
|
||||||
http.csrf(csrf -> csrf.disable()); // Wicket has its own CSRF protection
|
http.csrf(csrf -> csrf.disable()); // Wicket has its own CSRF protection
|
||||||
http.logout(logout -> logout
|
http.logout(logout -> logout
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user