feat: enhance SAML2 login handling by validating user existence and roles

mjabascal10 · mjabascal10 · commit 4e79aa9f0dba · 2025-12-18T17:39:22.000-06:00
diff --git a/backend/src/main/java/com/park/utmstack/security/saml/Saml2LoginSuccessHandler.java b/backend/src/main/java/com/park/utmstack/security/saml/Saml2LoginSuccessHandler.java
@@ -1,5 +1,6 @@
 package com.park.utmstack.security.saml;
 
+import com.park.utmstack.domain.User;
 import com.park.utmstack.repository.UserRepository;
 import com.park.utmstack.security.jwt.TokenProvider;
 import lombok.RequiredArgsConstructor;
@@ -21,6 +22,7 @@
 import java.net.URI;
 import java.util.Collection;
 import java.util.Objects;
+import java.util.Optional;
 
 import static com.park.utmstack.config.Constants.FRONT_BASE_URL;
 
@@ -50,33 +52,25 @@ public void onAuthenticationSuccess(HttpServletRequest request,
         String frontBaseUrl = scheme + "://" + host;
 
         Saml2AuthenticatedPrincipal samlUser = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
-        var roles = samlUser.getAttribute("roles");
-
         String username = samlUser.getName();
 
-        if (roles == null || ((Collection<?>) roles).isEmpty() || userRepository.findOneByLogin(username).isEmpty()) {
-            log.error("{}: Attempted SAML2 login with invalid roles or non-existing user account.", username);
-            failureHandler.onAuthenticationFailure(request, response,
-                    new BadCredentialsException("The provided credentials do not match any active user account or the account lacks required roles."));
-            return;
-        }
+        User user = userRepository.findOneByLogin(username)
+                .orElseThrow(() -> new BadCredentialsException("The provided credentials do not match any active user account."));
 
-        Collection<? extends GrantedAuthority> authorities = Objects.requireNonNull(samlUser.getAttribute("roles"))
+        Collection<? extends GrantedAuthority> authorities = Objects.requireNonNull(user.getAuthorities())
                 .stream()
                 .map(Objects::toString)
                 .filter(r -> r.startsWith("ROLE_"))
                 .map(SimpleGrantedAuthority::new)
                 .toList();
 
         UsernamePasswordAuthenticationToken auth =
-                new UsernamePasswordAuthenticationToken(username, null, authorities);
+                new UsernamePasswordAuthenticationToken((Object) username, null, authorities);
 
         SecurityContextHolder.getContext().setAuthentication(auth);
 
-        // Generate JWT
         String token = tokenProvider.createToken(auth, false, true);
 
-        // Redirect to frontend with token
         URI redirectUri = UriComponentsBuilder.fromUriString(frontBaseUrl)
                 .path("/")
                 .queryParam("token", token)
