How to capture an incoming SSO SAML token in Vaadin 23

aussieengineer · October 22, 2024, 12:17am

Hey all,

I’m progressing with my upgrade of my Vaadin 14 application to Vaadin 23, on the road to Vaadin 24.

In the older version, I have support for SSO sign on, where the SAML token is submitted to the application as a request parameter.
I used to be able to pull this request out as the UI was being instantiated and allocate it to a Session attribute, and then avoid login display, instead forwarding to the SAML processing functionality for authentication.

I’ve been trying to get this working in the new Vaadin 23 world, but have been having issues finding how to intercept that inbound request now.

I tried implementing a BeforeEventObserver on the main layout of the application (defined as the Route(“”) for the application. It is what decides whether to show the login page, or forward to the application proper if pre-existing authentication is found).

Querying the Parameter map at this point shows no sign of the incoming token.

I previously tried to having someting similar in a VaadinServiceInitListener, inside the UI Init listener, but it also was not finding the parameter there.

Would anyone be able to advise where I would be able to find this?

The situation for my application is that the SSO IdP sends a simple POST form to the application URL, with the encoded token in a named parameter.

Thanks.

Update:
I ended up finding this issue report that sounded similar.

github.com/vaadin/flow

POST parameter not coming through to a Vaadin View on Vaadin 24. Migration issue from Vaadin 14.

opened 07:19PM - 01 Nov 23 UTC

closed 05:53PM - 22 Jan 24 UTC

JohnMelody

bug Impact: Low Severity: Minor Released with Vaadin 23.3.33 Released with Vaadin 22.2.1

### Description of the bug I am porting a Vaadin 14 application to Vaadin 24 …and I have run into a problem with a view that was accessed using POST request with an "application/x-www-form-urlencoded" parameter in the POST body. The parameter contained a JSON structure. The receiving view received the parameter and unpacked the JSON structure to get the details. All this worked on Vaadin 14 and does not on Vaadin 24. I had a discussion on this over on Discord and have ended up here. https://discord.com/channels/732335336448852018/1009201939092865084/threads/1169275719310917672 The next image displays how the view was accessed via the browser - the route was /payments-list/external-api ![image](https://github.com/vaadin/flow/assets/28655282/e965f8b0-41b0-4d29-889e-1c03f8b400a2) You can see it was a post request and the payload contained the parameter with the JSON structure. ![image](https://github.com/vaadin/flow/assets/28655282/6b6381c9-ccad-4b30-ab2d-99336d2c31ec) On the server side receiving this request, the following is the log from this POST request. It seems that along the way the POST got converted into a GET with the parameter as a query parameter and everything worked perfectly from there on. The calling browser application was able to use POST to send the data in a JSON structure and the receiver was able to unpack the data and use it. The class view implementing the /payments-list/external-api rout is ExApiPaymentList. and the following is a log from its setParameter method of this class view. The parameter is presented as a query parameter - if I run the following code it gets the parameters as query parameters. ``` Location location = event.getLocation(); MLOGGER.info("Original Location = " + location.getPathWithQueryParameters()); ``` ``` 01-18:40:46.449 [https-jsse-nio-8443-exec-20] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.<init> - In ExApiPaymentsList Constructor ... 01-18:40:46.496 [https-jsse-nio-8443-exec-20] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.setParameter - Original Location = payments-list/external-api?payRequest=%7B%22sid%22%3A%22000000%22%2C%22bu%22%3A%22MKCC%22%2C%22agentId%22%3A%22TestAgent%22%2C%22rurl%22%3A%22https%3A%2F%2Farp.sybernet.com%2Fweblaunch-1.0.4%2Fwoklaunch%22%2C%22Email%22%3A%22john%40sybernet.ie%22%2C%22ccEmail%22%3A%22%22%2C%22agentEmail%22%3A%22support%40sybernet.ie%22%2C%22pcn%22%3A%22091514400%22%2C%22acn%22%3A%22091730886%22%2C%22logurl%22%3A%22https%3A%2F%2Farp.sybernet.com%2Flogpayment%22%2C%22icb%22%3A%22false%22%2C%22lineitems%22%3A%5B%7B%22PmtTyp%22%3A%22CS004%22%2C%22Val1%22%3A%221234%22%2C%22Val2%22%3A%22%22%2C%22Am%22%3A%2212.00%22%7D%5D%2C%22digest%22%3A%2266b09ea9e4bc8279a752db5b089e457f3a68a9ae50f776b38a6d842d314b4d4016bc83d734888c1318b9170aa061bbbd70654a1c67c9c42d47ad2a8d5f7f9940%22%7D ``` However, I cannot get Vaadin 24 to do the same thing. ### Expected behavior I was hoping that Vaadin 24 would work exactly the same as Vaadin 14 in this case. However when the request gets through Spring Security it seems to be converted to a get without the query parameters. The following is log from a simple hello world example built using the start.vaadin.com where the helloWorld class (@Route("hello")) was configured to accept a parameter. I simplified the parameter to be just {"sid":"000000"}. In any case the Vaadin 24 application seems to do GET on the hello route but doesn't include the parameters like in Vaadin 14. ``` 01-17:35:53.429 [https-jsse-nio-8443-exec-27] DEBUG o.s.w.f.CommonsRequestLoggingFilter.beforeRequest - Before request [POST /testaccess-1.0.0/hello, client=x.x.x.x] 01-17:35:53.431 [https-jsse-nio-8443-exec-27] DEBUG c.v.f.s.VaadinServletConfiguration$RootExcludeHandler.getHandler - Mapped to org.springframework.web.servlet.mvc.ServletForwardingController@77b1b482 01-17:35:53.456 [https-jsse-nio-8443-exec-27] INFO c.v.f.s.SpringInstantiator.getI18NProvider - The number of beans implementing 'I18NProvider' is 0. Cannot use Spring beans for I18N, falling back to the default behavior 01-17:35:53.543 [https-jsse-nio-8443-exec-27] DEBUG o.s.w.f.CommonsRequestLoggingFilter.afterRequest - **After request [POST /testaccess-1.0.0/hello, client=x.x.x.x, session=74966975AC4835CD7288F38BD9448F24, payload=payRequest=%7B%22sid%22%3A%22000000%22%7D]** 01-17:35:53.574 [https-jsse-nio-8443-exec-23] TRACE o.s.s.w.FilterChainProxy.getFilters - Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@716a22e0, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7c5aeef0, org.springframework.security.web.context.SecurityContextHolderFilter@e513c25, org.springframework.security.web.header.HeaderWriterFilter@610339b7, org.springframework.security.web.csrf.CsrfFilter@74951c69, org.springframework.security.web.authentication.logout.LogoutFilter@dc20347, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@39c3b4f5, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@67421256, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4089f600, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@72cae7f7, org.springframework.security.web.access.ExceptionTranslationFilter@76a681a1, org.springframework.security.web.access.intercept.AuthorizationFilter@115696a]] (1/1) **01-17:35:53.574 [https-jsse-nio-8443-exec-23] DEBUG o.s.s.w.FilterChainProxy.doFilterInternal - Securing GET /?v-r=init&location=hello&query=** ``` ### Minimal reproducible example I am happy to build two applications one on 14 and one on 24 but there may be a fundamental issue where this will not work on Vaadin 24. ### Versions - Vaadin / Flow version: 24.2 - Java version: 17 - OS version: Oracle 8 LInux - Browser version (if applicable): Chrome 118 - Application Server (if applicable): Tomcat - IDE (if applicable): Eclipse

Where the resolution is to set the Maven production goal to eager server load in order to forward on the paramters coming in.

This worked, so now I see the HTTP request inbound contains the token I need.

Of course turning on this means the application now hangs and doesn’t load any page Login or otherwise. But I’ll keep looking at that. This may have been a step forward.

SimonMartinelli · October 22, 2024, 4:58am

Getting the saml token in the Vaadin view seems a bit counter intuitive to me.

Spring Security has saml support and uses a filter. https://www.baeldung.com/spring-security-saml

marcoc_753 · October 22, 2024, 5:13am

And if your application isn’t using Spring, I suggest to move the SAML handling to a servlet filter or a Vaadin RequestHandler

aussieengineer · October 22, 2024, 5:21am

Thanks for your response,

Yes, I used to do it like that under Vaadin 14, but after upgrading to Vaadin 23 it no longer functioned.
So I’ve been trying to figure out where best to place the initial ‘grab’ of the parameter to then make it available to progress the login.

I am going to have to figure it out, as I need to revert that eager setting, the rest of the application no longer functions with that in place.

As to the other replier, I do not use Spring.
This application has over it’s lifetime been working with Vaadin 6 → 7 → 14 and now looking at moving to 24.

aussieengineer · October 22, 2024, 5:39am

Just an update. Thanks for the input again.
Adding a request handler in my v23 VaadinServiceInitListener was a big help.

I wouldn’t have come across that without your offhand suggestion, so thanks for that.

I can see it is getting access to the token at least now, so just need to tweak some things after.

Big help, thanks!!