DDF-3921 Minor CAS updates (#3356)

* DDF-3921 Minor CAS updates
codice · Jul 5, 2018 · 531308c · 531308c
1 parent a2f6e14
commit 531308c
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/...curity-cas-client/src/main/java/org/codice/ddf/security/handler/cas/CasLogoutService.java b/...curity-cas-client/src/main/java/org/codice/ddf/security/handler/cas/CasLogoutService.java
@@ -27,6 +27,7 @@
 import javax.ws.rs.core.UriBuilder;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.util.ThreadContext;
+import org.codice.ddf.configuration.PropertyResolver;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -74,7 +75,8 @@ public void sendLogoutRequest(
   }
 
   public void setCasServerLogoutUrl(String url) {
-    this.casServerLogoutUrl = url;
+    PropertyResolver resolver = new PropertyResolver(url);
+    this.casServerLogoutUrl = resolver.getResolvedString();
   }
 
   public String getCasServerLogoutUrl() {

diff --git a/...orm/security/cas/security-cas-client/src/main/resources/OSGI-INF/blueprint/casfilters.xml b/...orm/security/cas/security-cas-client/src/main/resources/OSGI-INF/blueprint/casfilters.xml
@@ -44,6 +44,12 @@
         <property name="proxyReceptorUrl" value="/sso"/>
         <property name="proxyGrantingTicketStorage" ref="proxyStorage"/>
         <property name="redirectAfterValidation" value="true"/>
+        <!--
+        If true, the CAS client will include the user's session id in the service URL after
+        authentication. This can cause unintended sharing of session ids (via link sharing,
+        browser history, etc.) so should be disabled.
+        -->
+        <property name="encodeServiceUrl" value="false"/>
     </bean>
 
     <bean id="cas20ServiceTicketValidator"
@@ -92,7 +98,7 @@
         <cm:managed-properties persistent-id="ddf.security.cas"
                                update-strategy="container-managed"/>
         <property name="casServerLogoutUrl"
-                  value="${org.codice.ddf.system.protocol}${org.codice.ddf.system.hostname}:8443/cas/logout"/>
+                  value="${org.codice.ddf.external.protocol}${org.codice.ddf.external.hostname}:8443/cas/logout"/>
     </bean>
 
     <jaxrs:server id="restService" address="/cas">

diff --git a/platform/security/cas/security-cas-client/src/main/resources/OSGI-INF/metatype/metatype.xml b/platform/security/cas/security-cas-client/src/main/resources/OSGI-INF/metatype/metatype.xml
@@ -35,13 +35,13 @@
         </AD>
 
         <AD name="CAS Server Logout URL:" id="casServerLogoutUrl" required="true" type="String"
-            default="https://localhost:8443/cas/logout"
+            default="${org.codice.ddf.external.protocol}${org.codice.ddf.external.hostname}:8443/cas/logout"
             description="URL of the CAS logout page (generally ends in /logout). Authenticated users
                         are redirected to this URL upon logout.">
         </AD>
 
         <AD name="Proxy Callback URL:" id="proxyCallbackUrl" required="true" type="String"
-            default="${org.codice.ddf.external.protocol}${org.codice.ddf.external.hostname}:${org.codice.ddf.external.port}/sso"
+            default="${org.codice.ddf.system.protocol}${org.codice.ddf.system.hostname}:${org.codice.ddf.system.port}/sso"
             description="The URL to which CAS should send proxy granting tickets when requested
              			      by the CAS client.">
         </AD>