#30969 adding the relay state as a redirect (#31007)

Now we are taking the relay state as an url and redirect to it if present
dotCMS · Dec 27, 2024 · 21db433 · 21db433
1 parent afa9dfa
commit 21db433
Showing 1 changed file with 24 additions and 17 deletions.
diff --git a/dotCMS/src/main/java/com/dotcms/auth/providers/saml/v1/DotSamlResource.java b/dotCMS/src/main/java/com/dotcms/auth/providers/saml/v1/DotSamlResource.java
@@ -17,6 +17,7 @@
 import com.dotmarketing.exception.DoesNotExistException;
 import com.dotmarketing.exception.DotSecurityException;
 import com.dotmarketing.util.Logger;
+import com.dotmarketing.util.UtilMethods;
 import com.dotmarketing.util.WebKeys;
 import com.google.common.annotations.VisibleForTesting;
 import com.liferay.portal.model.User;
@@ -212,30 +213,36 @@ public void processLogin(@PathParam("idpConfigId") final String idpConfigId,
 					// Add session based user ID to be used on the redirect.
 					session.setAttribute(identityProviderConfiguration.getId() + DotSamlConstants.SAML_USER_ID, user.getUserId());
 
-					String loginPath = (String) session.getAttribute(WebKeys.REDIRECT_AFTER_LOGIN);
-					Logger.debug(this,"LoginPath: " + loginPath);
-					if (null == loginPath) {
-						if (identityProviderConfiguration.containsOptionalProperty(REDIRECT_AFTER_LOGIN_CONFIG)) {
-							loginPath = identityProviderConfiguration.getOptionalProperty(REDIRECT_AFTER_LOGIN_CONFIG).toString();
-						}else {
-							// At this stage we cannot determine whether this was a front
-							// end or back end request since we cannot determine
-							// original request.
-							//
-							// REDIRECT_AFTER_LOGIN should have already been set in relay
-							// request to IdP. 'autoLogin' will check the ORIGINAL_REQUEST
-							// session attribute.
-							loginPath = DotSamlConstants.DEFAULT_LOGIN_PATH;
+					String loginPath = httpServletRequest.getParameter("RelayState");
+					Logger.debug(this, "RelayState, LoginPath: " + loginPath);
+					if (!UtilMethods.isSet(loginPath)) {
+
+						loginPath = (String) session.getAttribute(WebKeys.REDIRECT_AFTER_LOGIN);
+						Logger.debug(this, "REDIRECT_AFTER_LOGIN, LoginPath: " + loginPath);
+						if (null == loginPath) {
+							if (identityProviderConfiguration.containsOptionalProperty(REDIRECT_AFTER_LOGIN_CONFIG)) {
+								loginPath = identityProviderConfiguration.getOptionalProperty(REDIRECT_AFTER_LOGIN_CONFIG).toString();
+							} else {
+								// At this stage we cannot determine whether this was a front
+								// end or back end request since we cannot determine
+								// original request.
+								//
+								// REDIRECT_AFTER_LOGIN should have already been set in relay
+								// request to IdP. 'autoLogin' will check the ORIGINAL_REQUEST
+								// session attribute.
+								loginPath = DotSamlConstants.DEFAULT_LOGIN_PATH;
+							}
+						} else {
+
+							session.removeAttribute(WebKeys.REDIRECT_AFTER_LOGIN);
 						}
-					} else {
-
-						session.removeAttribute(WebKeys.REDIRECT_AFTER_LOGIN);
 					}
 
 					Logger.debug(this, ()-> "Doing login to the user " + (user != null? user.getEmailAddress() : "unknown"));
 					this.samlHelper.doLogin(httpServletRequest, httpServletResponse,
 							identityProviderConfiguration, user, APILocator.getLoginServiceAPI());
 
+					Logger.debug(this, "Final, LoginPath: " + loginPath);
 					RedirectUtil.sendRedirectHTML(httpServletResponse, loginPath);
 					return;
 				}