UY-1502: fix auto proxy login functionality

rkrysinski · rkrysinski · commit 2944be02504e · 2025-02-02T17:11:48.000+01:00
diff --git a/oauth/src/main/java/pl/edu/icm/unity/oauth/as/webauthz/ASConsentDeciderServlet.java b/oauth/src/main/java/pl/edu/icm/unity/oauth/as/webauthz/ASConsentDeciderServlet.java
@@ -7,8 +7,12 @@
 import static io.imunity.vaadin.endpoint.common.consent_utils.LoginInProgressService.noSignInContextException;
 
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.Collection;
+import java.util.List;
+import java.util.Map;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 import org.apache.logging.log4j.Logger;
 import org.eclipse.jetty.ee10.servlet.ServletApiRequest;
@@ -22,6 +26,7 @@
 import com.nimbusds.openid.connect.sdk.OIDCError;
 
 import io.imunity.vaadin.endpoint.common.EopException;
+import io.imunity.vaadin.endpoint.common.QueryBuilder;
 import io.imunity.vaadin.endpoint.common.consent_utils.LoginInProgressService;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServlet;
@@ -151,10 +156,12 @@ private void sendRedirect(HttpServletRequest req, HttpServletResponse resp) thro
 	
 	private String getQueryToAppend(HttpServletRequest req)
 	{
-		String signInContextKey = req.getParameter(OAuthSessionService.URL_PARAM_CONTEXT_KEY);
-		return signInContextKey == null 
-				? "" 
-				: "?" + OAuthSessionService.URL_PARAM_CONTEXT_KEY + "=" + signInContextKey;
+		Map<String, List<String>> urlParameters = req.getParameterMap().entrySet().stream()
+			.collect(Collectors.toMap(
+				Map.Entry::getKey,
+				entry -> Arrays.asList(entry.getValue())
+			));
+		return QueryBuilder.buildQuery(urlParameters);
 	}
 	
 	private void sendNonePromptError(OAuthAuthzContext oauthCtx, HttpServletRequest req, HttpServletResponse resp)
diff --git a/oauth/src/main/java/pl/edu/icm/unity/oauth/as/webauthz/OAuthAuthzWebEndpoint.java b/oauth/src/main/java/pl/edu/icm/unity/oauth/as/webauthz/OAuthAuthzWebEndpoint.java
@@ -22,7 +22,6 @@
 
 import com.nimbusds.oauth2.sdk.AuthorizationErrorResponse;
 import com.nimbusds.oauth2.sdk.SerializeException;
-import com.nimbusds.oauth2.sdk.id.State;
 import com.nimbusds.openid.connect.sdk.OIDCError;
 
 import eu.unicore.util.configuration.ConfigurationException;
@@ -164,8 +163,8 @@ protected ServletContextHandler getServletContextHandlerOverridable(WebAppContex
 
 		Servlet oauthParseServlet = new OAuthParseServlet(oauthProperties, getServletUrl(OAUTH_CONSENT_DECIDER_SERVLET_PATH),
 				new ErrorHandler(freemarkerHandler), identitiesManagement, attributesManagement, scopeService, serverConfig);
-		ServletHolder samlParseHolder = createServletHolder(oauthParseServlet);
-		servletContextHandler.addServlet(samlParseHolder, OAUTH_CONSUMER_SERVLET_PATH + "/*");
+		ServletHolder oauthParseHolder = createServletHolder(oauthParseServlet);
+		servletContextHandler.addServlet(oauthParseHolder, OAUTH_CONSUMER_SERVLET_PATH + "/*");
 
 		SessionManagement sessionMan = applicationContext.getBean(SessionManagement.class);
 		LoginToHttpSessionBinder sessionBinder = applicationContext.getBean(LoginToHttpSessionBinder.class);
@@ -190,7 +189,7 @@ protected ServletContextHandler getServletContextHandlerOverridable(WebAppContex
 		proxyAuthnFilter = new ProxyAuthenticationFilter(authenticationFlows,
 				description.getEndpoint().getContextAddress(),
 				genericEndpointProperties.getBooleanValue(VaadinEndpointProperties.AUTO_LOGIN), description.getRealm());
-		servletContextHandler.addFilter(new FilterHolder(proxyAuthnFilter), AUTHENTICATION_PATH + "/*",
+		servletContextHandler.addFilter(new FilterHolder(proxyAuthnFilter), OAUTH_UI_SERVLET_PATH + "/*",
 				EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD));
 
 		contextSetupFilter = new InvocationContextSetupFilter(config, description.getRealm(), null,
diff --git a/oauth/src/main/java/pl/edu/icm/unity/oauth/as/webauthz/OAuthParseServlet.java b/oauth/src/main/java/pl/edu/icm/unity/oauth/as/webauthz/OAuthParseServlet.java
@@ -5,20 +5,17 @@
 package pl.edu.icm.unity.oauth.as.webauthz;
 
 import java.io.IOException;
-import java.net.URISyntaxException;
 import java.nio.charset.StandardCharsets;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Map.Entry;
 import java.util.Optional;
 import java.util.Set;
 import java.util.StringTokenizer;
 import java.util.stream.Collectors;
 
 import org.apache.commons.codec.binary.Base64;
-import org.apache.hc.core5.net.URIBuilder;
 import org.apache.logging.log4j.Logger;
 
 import com.google.common.collect.Sets;
@@ -37,6 +34,7 @@
 
 import io.imunity.vaadin.endpoint.common.EopException;
 import io.imunity.vaadin.endpoint.common.LanguageCookie;
+import io.imunity.vaadin.endpoint.common.QueryBuilder;
 import io.imunity.vaadin.endpoint.common.consent_utils.LoginInProgressService;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServlet;
@@ -279,37 +277,15 @@ private AuthenticationPolicy mapPromptToAuthenticationPolicy(Set<Prompt> prompts
 
 		return AuthenticationPolicy.DEFAULT;
 	}
-
 	/**
-	 * We are passing all unknown to OAuth query parameters to downstream servlet.
-	 * This may help to build extended UIs, which can interpret those parameters.
-	 */
+	* We are passing all unknown to OAuth query parameters to downstream servlet.
+	* This may help to build extended UIs, which can interpret those parameters.
+	*/
 	private String getQueryToAppend(AuthorizationRequest authzRequest, LoginInProgressService.SignInContextKey contextKey)
 	{
-		Map<String, List<String>> customParameters = authzRequest.getCustomParameters();
-		URIBuilder b = new URIBuilder();
-		for (Entry<String, List<String>> entry : customParameters.entrySet())
-		{
-			for (String value : entry.getValue())
-			{
-				b.addParameter(entry.getKey(), value);
-			}
-		}
-		if (!LoginInProgressService.UrlParamSignInContextKey.DEFAULT.equals(contextKey))
-		{
-			b.addParameter(OAuthSessionService.URL_PARAM_CONTEXT_KEY, contextKey.getKey());
-		}
-		String query = null;
-		try
-		{
-			query = b.build().getRawQuery();
-		} catch (URISyntaxException e)
-		{
-			log.error("Can't re-encode URL query params, shouldn't happen", e);
-		}
-		return query == null ? "" : "?" + query;
+		return QueryBuilder.buildQuery(authzRequest.getCustomParameters(), contextKey.getKey());
 	}
-	
+
 	private class ParsedRequestParametersWithUILocales
 	{
 		final Map<String, List<String>> parsedRequestParameters;
diff --git a/saml/src/main/java/pl/edu/icm/unity/saml/idp/web/SamlAuthVaadinEndpoint.java b/saml/src/main/java/pl/edu/icm/unity/saml/idp/web/SamlAuthVaadinEndpoint.java
@@ -278,7 +278,7 @@ protected ServletContextHandler getServletContextHandlerOverridable(WebAppContex
 				description.getEndpoint().getContextAddress(),
 				genericEndpointProperties.getBooleanValue(VaadinEndpointProperties.AUTO_LOGIN),
 				description.getRealm());
-		servletContextHandler.addFilter(new FilterHolder(proxyAuthnFilter), AUTHENTICATION_PATH + "/*",
+		servletContextHandler.addFilter(new FilterHolder(proxyAuthnFilter), SAML_UI_SERVLET_PATH + "/*",
 				EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD));
 
 		contextSetupFilter = new InvocationContextSetupFilter(config, description.getRealm(),
diff --git a/saml/src/main/java/pl/edu/icm/unity/saml/idp/web/filter/IdpConsentDeciderServlet.java b/saml/src/main/java/pl/edu/icm/unity/saml/idp/web/filter/IdpConsentDeciderServlet.java
@@ -6,12 +6,15 @@
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Calendar;
 import java.util.Collection;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.TimeZone;
+import java.util.stream.Collectors;
 
 import org.apache.logging.log4j.Logger;
 import org.eclipse.jetty.ee10.servlet.ServletApiRequest;
@@ -27,6 +30,7 @@
 import eu.unicore.security.dsig.DSigException;
 import io.imunity.idp.LastIdPClinetAccessAttributeManagement;
 import io.imunity.vaadin.endpoint.common.EopException;
+import io.imunity.vaadin.endpoint.common.QueryBuilder;
 import io.imunity.vaadin.endpoint.common.consent_utils.LoginInProgressService;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServlet;
@@ -197,10 +201,12 @@ private void sendRedirect(HttpServletRequest req, HttpServletResponse resp) thro
 	
 	private String getQueryToAppend(HttpServletRequest req)
 	{
-		String signInContextKey = req.getParameter(SamlSessionService.URL_PARAM_CONTEXT_KEY);
-		return signInContextKey == null 
-				? "" 
-				: "?" + SamlSessionService.URL_PARAM_CONTEXT_KEY + "=" + signInContextKey;
+		Map<String, List<String>> urlParameters = req.getParameterMap().entrySet().stream()
+			.collect(Collectors.toMap(
+				Map.Entry::getKey,
+				entry -> Arrays.asList(entry.getValue())
+			));
+		return QueryBuilder.buildQuery(urlParameters);
 	}
 	
 	protected SPSettings loadPreferences(SAMLAuthnContext samlCtx) throws EngineException
diff --git a/vaadin-authentication/src/main/java/io/imunity/vaadin/auth/server/ProxyAuthenticationFilter.java b/vaadin-authentication/src/main/java/io/imunity/vaadin/auth/server/ProxyAuthenticationFilter.java
@@ -4,10 +4,29 @@
  */
 package io.imunity.vaadin.auth.server;
 
-import io.imunity.vaadin.auth.PreferredAuthenticationHelper;
-import io.imunity.vaadin.auth.ProxyAuthenticationCapable;
+import static io.imunity.vaadin.auth.server.AuthenticationFilter.isVaadinBackgroundRequest;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
 import org.apache.hc.core5.net.URIBuilder;
 import org.apache.logging.log4j.Logger;
+
+import io.imunity.vaadin.auth.PreferredAuthenticationHelper;
+import io.imunity.vaadin.auth.ProxyAuthenticationCapable;
+import jakarta.servlet.DispatcherType;
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.FilterConfig;
+import jakarta.servlet.RequestDispatcher;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpSession;
 import pl.edu.icm.unity.base.authn.AuthenticationOptionKeyUtils;
 import pl.edu.icm.unity.base.authn.AuthenticationRealm;
 import pl.edu.icm.unity.base.utils.Log;
@@ -17,17 +36,6 @@
 import pl.edu.icm.unity.engine.api.authn.AuthenticatorStepContext.FactorOrder;
 import pl.edu.icm.unity.engine.api.endpoint.BindingAuthn;
 
-import jakarta.servlet.*;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
-import jakarta.servlet.http.HttpSession;
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static io.imunity.vaadin.auth.server.AuthenticationFilter.isVaadinBackgroundRequest;
-
 /**
  * Non UI code which is invoked as a part of authentication pipeline for unauthenticated clients.
  * This filter checks whether automated proxy authentication is enabled for the protected endpoint
@@ -94,14 +102,33 @@ private static String filteredQuery(HttpServletRequest httpRequest)
 	}
 	
 	public static String getCurrentRelativeURL(HttpServletRequest httpRequest)
+	{
+		DispatcherType dispatcherType = httpRequest.getDispatcherType();
+		return switch (dispatcherType)
+		{
+			case FORWARD -> forwardBasedRelativeURL(httpRequest);
+			case REQUEST -> requestBasedRelativeURL(httpRequest);
+			default -> throw new IllegalStateException("Unexpected dispatcher type: " + dispatcherType);
+		};
+	}
+
+	private static String requestBasedRelativeURL(HttpServletRequest httpRequest)
+	{
+		String relativeUrl = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
+		String query = httpRequest.getQueryString() == null ? "" :
+			ProxyAuthenticationFilter.filteredQuery(httpRequest);
+		return relativeUrl + query;
+	}
+
+	private static String forwardBasedRelativeURL(HttpServletRequest httpRequest)
 	{
 		String origReqUri = (String)httpRequest.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI);
 		String servletPath = origReqUri == null ? "/" : origReqUri;
-		String query = httpRequest.getQueryString() == null ? "" : 
+		String query = httpRequest.getQueryString() == null ? "" :
 			ProxyAuthenticationFilter.filteredQuery(httpRequest);
 		return servletPath + query;
 	}
-	
+
 	@Override
 	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
 			throws IOException, ServletException
diff --git a/vaadin-authentication/src/main/java/io/imunity/vaadin/auth/server/SecureVaadin2XEndpoint.java b/vaadin-authentication/src/main/java/io/imunity/vaadin/auth/server/SecureVaadin2XEndpoint.java
@@ -85,10 +85,8 @@ protected ServletContextHandler getServletContextHandlerOverridable(WebAppContex
 			description.getEndpoint().getContextAddress(),
 			genericEndpointProperties.getBooleanValue(VaadinEndpointProperties.AUTO_LOGIN),
 			description.getRealm());
-		servletContextHandler.addFilter(new FilterHolder(proxyAuthnFilter), "/",
+		servletContextHandler.addFilter(new FilterHolder(proxyAuthnFilter), "/*",
 			EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD));
-//		servletContextHandler.addFilter(new FilterHolder(proxyAuthnFilter), AUTHENTICATION_PATH + "/*",
-//				EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD));
 
 		contextSetupFilter = new InvocationContextSetupFilter(serverConfig, description.getRealm(),
 			getServletUrl(uiServletPath), getAuthenticationFlows());
diff --git a/vaadin-authentication/src/test/java/io/imunity/vaadin/auth/server/ProxyAuthenticationFilterTest.java b/vaadin-authentication/src/test/java/io/imunity/vaadin/auth/server/ProxyAuthenticationFilterTest.java
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2025 Bixbit - Krzysztof Benedyczak. All rights reserved.
+ * See LICENCE.txt file for licensing information.
+ */
+
+package io.imunity.vaadin.auth.server;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.Mockito.when;
+
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import jakarta.servlet.DispatcherType;
+import jakarta.servlet.RequestDispatcher;
+import jakarta.servlet.http.HttpServletRequest;
+
+@ExtendWith(MockitoExtension.class)
+class ProxyAuthenticationFilterTest
+{
+	@Mock
+	private HttpServletRequest request;
+
+	@Test
+	void shouldHandleForwardDispatcherType()
+	{
+		when(request.getDispatcherType()).thenReturn(DispatcherType.FORWARD);
+		when(request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI)).thenReturn("/test/path");
+		when(request.getQueryString()).thenReturn("param1=value1");
+		when(request.getParameterMap()).thenReturn(Map.of("param1", new String[]{"value1"}));
+
+		String result = ProxyAuthenticationFilter.getCurrentRelativeURL(request);
+
+		assertEquals("/test/path?param1=value1", result);
+	}
+
+	@Test
+	void shouldHandleRequestDispatcherType()
+	{
+		when(request.getDispatcherType()).thenReturn(DispatcherType.REQUEST);
+		when(request.getRequestURI()).thenReturn("/context/test/path");
+		when(request.getContextPath()).thenReturn("/context");
+		when(request.getQueryString()).thenReturn("param1=value1");
+		when(request.getParameterMap()).thenReturn(Map.of("param1", new String[]{"value1"}));
+
+		String result = ProxyAuthenticationFilter.getCurrentRelativeURL(request);
+
+		assertEquals("/test/path?param1=value1", result);
+	}
+
+	@Test
+	void shouldHandleNullQueryString()
+	{
+		when(request.getDispatcherType()).thenReturn(DispatcherType.REQUEST);
+		when(request.getRequestURI()).thenReturn("/context/test/path");
+		when(request.getContextPath()).thenReturn("/context");
+		when(request.getQueryString()).thenReturn(null);
+
+		String result = ProxyAuthenticationFilter.getCurrentRelativeURL(request);
+
+		assertEquals("/test/path", result);
+	}
+
+	@Test
+	void shouldThrowExceptionForUnsupportedDispatcherType()
+	{
+		when(request.getDispatcherType()).thenReturn(DispatcherType.INCLUDE);
+
+		assertThrows(IllegalStateException.class,
+			() -> ProxyAuthenticationFilter.getCurrentRelativeURL(request));
+	}
+
+	@Test
+	void shouldHandleNullForwardRequestUri()
+	{
+		when(request.getDispatcherType()).thenReturn(DispatcherType.FORWARD);
+		when(request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI)).thenReturn(null);
+		when(request.getQueryString()).thenReturn(null);
+
+		String result = ProxyAuthenticationFilter.getCurrentRelativeURL(request);
+
+		assertEquals("/", result);
+	}
+}
diff --git a/vaadin-endpoint-common/src/main/java/io/imunity/vaadin/endpoint/common/QueryBuilder.java b/vaadin-endpoint-common/src/main/java/io/imunity/vaadin/endpoint/common/QueryBuilder.java
diff --git a/vaadin-endpoint-common/src/test/java/io/imunity/vaadin/endpoint/common/QueryBuilderTest.java b/vaadin-endpoint-common/src/test/java/io/imunity/vaadin/endpoint/common/QueryBuilderTest.java
