1. Provide possibility to customize the AuthenticationSuccessHandler
Allow changing the default SavedRequestAwareAuthenticationSuccessHandler (fixes #50)
2. Provide possibility to customize the AuthenticationFailureHandler
Allow changing the default SimpleUrlAuthenticationFailureHandler (fixes #50)
3. Provide possibility to customize the LogoutSuccessHandler
Allow changing the default SimpleUrlLogoutSuccessHandler
4. Provide the ApplicationEventPublisher in order to publish Authentication Events
Set an ApplicationEventPublisher in the SAMLProcessingFilter in order to publish an InteractiveAuthenticationSuccessEvent (fixes #36)
Set an AuthenticationEventPublisher on the AuthenticationManager (aka the ProviderManager) in order to publish AuthenticationSuccess and AuthenticationFailure events. Useful if spring-boot-actuator is on the classpath with AuditEvents being enabled (see: org.springframework.boot.actuate.security.AuthenticationAuditListener.java) (fixes #50)
5. Provide a possibility to set a custom EntryPoint for XMLHttpRequest
Nowadays many applications use JavaScript to communicate with the backend. If the session has expired or hasn't been created yet, it doesn't make sense to return them a 302 to the IdP login page, since JavaScript doesn't have a chance to detect that and receives the HTML login page. Provide a mechanism to return a different result if we detect that it was a JavaScript-triggered HTTP request. Most JavaScript frameworks send the header X-Requested-With: XMLHttpRequest, which allows detecting that (see: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). Similar to how it is done in org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer.java
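As an added example for item 5 (not code from this issue or from the project): an AuthenticationEntryPoint built the same way HttpBasicConfigurer composes its entry points, using Spring Security's DelegatingAuthenticationEntryPoint and RequestHeaderRequestMatcher. XHR callers get a bare 401 they can react to; everyone else still goes through the normal SAMLEntryPoint redirect. It assumes Spring Security 4.1 or later (for HttpStatusEntryPoint) and spring-security-saml's SAMLEntryPoint; the class and method names are my own.

```java
// Added example, not part of the issue or the project. Assumes Spring Security 4.1+
// (HttpStatusEntryPoint) and spring-security-saml's SAMLEntryPoint.
import java.util.LinkedHashMap;

import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public final class XhrAwareSamlEntryPoint {

    /** Matches the conventional header sent by XHR/fetch clients (jQuery, Angular, ...). */
    static final RequestMatcher XHR_REQUEST =
            new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");

    private XhrAwareSamlEntryPoint() {
    }

    /**
     * Builds a delegating entry point: an unauthenticated XHR gets a plain 401 the
     * script can detect (e.g. by navigating the whole window to the login URL);
     * every other unauthenticated request falls through to the SAML entry point,
     * i.e. the usual 302 to the IdP.
     */
    public static AuthenticationEntryPoint build(SAMLEntryPoint samlEntryPoint) {
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
        entryPoints.put(XHR_REQUEST, new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));

        DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(entryPoints);
        delegating.setDefaultEntryPoint(samlEntryPoint); // required, otherwise afterPropertiesSet() fails
        return delegating;
    }

    /** Wires the entry point into HttpSecurity; meant to be called from a WebSecurityConfigurerAdapter. */
    public static void apply(HttpSecurity http, SAMLEntryPoint samlEntryPoint) throws Exception {
        http.exceptionHandling().authenticationEntryPoint(build(samlEntryPoint));
    }
}
```

The header is a client convention, not a trust boundary: its presence only selects which unauthenticated response is sent, it never grants access, so a client that omits or forges it gains nothing beyond a different error page. The matcher map is a LinkedHashMap because DelegatingAuthenticationEntryPoint evaluates entries in insertion order and uses the first match.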
6. Provide a way to customize the RequestedAuthnContexts
We need to be able to customize the WebSSOProfileOptions to set the authnContexts so that the SP can control the authentication mechanism.
7. Provide a way to exclude the credentials from being stored in SAMLAuthenticationProvider
When false (default), the resulting Authentication object will include an instance of SAMLCredential as the credential value. Setting this value to true can be very useful if someone serializes the session to Redis (using spring-session), since the XML elements of the assertion can't be serialized. (fixes #42)
8. SingleLogout and CSRF Problem
Currently the AntPathRequestMatcher only considers the 'SSO' SAML assertion consumer but not the 'SingleLogout' endpoint. Thus an HTTP POST is rejected if CSRF is enabled.
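As an added example covering items 4, 6, 7 and 8 together (not code from this issue or from the project), here is how the requested customizations look when wired by hand against spring-security-saml's own classes: the event publishers for actuator's AuthenticationAuditListener, a WebSSOProfileOptions that requests a minimum AuthnContext, excludeCredential on the provider, and a CSRF matcher that exempts both the SSO and the SingleLogout endpoint. The endpoint paths are spring-security-saml's default filter URLs and are assumed not to have been remapped; the class and method names are my own.

```java
// Added example, not part of the issue or the project. Assumes spring-security-saml
// with OpenSAML 2 and Spring Security 4.x; SSO_URL and SINGLE_LOGOUT_URL are the
// library's default filter URLs (assumption: not remapped in this deployment).
import java.util.Collections;

import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.SAMLProcessingFilter;
import org.springframework.security.saml.websso.WebSSOProfileOptions;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public final class SamlCustomizations {

    static final String SSO_URL = "/saml/SSO";
    static final String SINGLE_LOGOUT_URL = "/saml/SingleLogout";

    private SamlCustomizations() {
    }

    // Item 6: the SP tells the IdP which authentication strength it requires.
    public static SAMLEntryPoint entryPointRequiringPasswordProtectedTransport() {
        WebSSOProfileOptions options = new WebSSOProfileOptions();
        options.setIncludeScoping(false);
        options.setAuthnContexts(Collections.singletonList(AuthnContext.PPT_AUTHN_CTX));
        // MINIMUM: PasswordProtectedTransport or anything the IdP ranks stronger.
        options.setAuthnContextComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);

        SAMLEntryPoint entryPoint = new SAMLEntryPoint();
        entryPoint.setDefaultProfileOptions(options);
        return entryPoint;
    }

    // Item 7 and the provider half of item 4: keep the non-serializable SAMLCredential
    // out of the session and publish AuthenticationSuccess/Failure events.
    public static AuthenticationManager authenticationManager(SAMLAuthenticationProvider samlProvider,
                                                              ApplicationEventPublisher publisher) {
        samlProvider.setExcludeCredential(true);
        ProviderManager manager =
                new ProviderManager(Collections.<AuthenticationProvider>singletonList(samlProvider));
        manager.setAuthenticationEventPublisher(new DefaultAuthenticationEventPublisher(publisher));
        return manager;
    }

    // Filter half of item 4: AbstractAuthenticationProcessingFilter only publishes an
    // InteractiveAuthenticationSuccessEvent when it has been given a publisher.
    public static SAMLProcessingFilter processingFilter(AuthenticationManager manager,
                                                        ApplicationEventPublisher publisher) {
        SAMLProcessingFilter filter = new SAMLProcessingFilter();
        filter.setAuthenticationManager(manager);
        filter.setApplicationEventPublisher(publisher);
        return filter;
    }

    // Item 8: CSRF stays on for the application, but the IdP may POST to both SAML endpoints.
    public static RequestMatcher csrfMatcherExcludingSamlEndpoints() {
        RequestMatcher samlEndpoints = new OrRequestMatcher(
                new AntPathRequestMatcher(SSO_URL + "/**"),
                new AntPathRequestMatcher(SINGLE_LOGOUT_URL + "/**"));
        // Default rule (every method except GET/HEAD/TRACE/OPTIONS) AND not a SAML endpoint.
        return new AndRequestMatcher(CsrfFilter.DEFAULT_CSRF_MATCHER,
                new NegatedRequestMatcher(samlEndpoints));
    }

    public static void applyCsrf(HttpSecurity http) throws Exception {
        http.csrf().requireCsrfProtectionMatcher(csrfMatcherExcludingSamlEndpoints());
    }
}
```

Two things worth checking after applying this. The CSRF exemption is safe only because the bodies posted to those two paths are SAML messages whose signatures the library verifies before acting on them, so exempt exactly these endpoints rather than a broader prefix. And excludeCredential=true has a side effect on SingleLogout: spring-security-saml's SAMLLogoutFilter decides whether to do a global (IdP-wide) logout by checking that the Authentication's credentials are a SAMLCredential, so with the credential excluded a logout falls back to a local session invalidation only. If you need global logout together with session serialization, the alternative is to keep the credential and make it serializable instead.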
I'll be working on a PR that fixes the mentioned issues