check logout url against a regex pattern

htrc · Apr 2, 2014 · bae5d3a · bae5d3a
1 parent 8608322
commit bae5d3a
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/play-pac4j_java/src/main/java/org/pac4j/play/CallbackController.java b/play-pac4j_java/src/main/java/org/pac4j/play/CallbackController.java
@@ -135,6 +135,7 @@ public static Result logoutAndOk() {
     /**
      * This method logouts the authenticated user and send him to the url defined in the
      * {@link Constants#REDIRECT_URL_LOGOUT_PARAMETER_NAME} parameter name or to the <code>defaultLogoutUrl</code>.
+     * This parameter is matched against the {@link Config.getLogoutUrlPattern()}.
      * 
      * @return the redirection to the "logout url"
      */
@@ -145,7 +146,11 @@ public static Result logoutAndRedirect() {
         final String[] values = parameters.get(Constants.REDIRECT_URL_LOGOUT_PARAMETER_NAME);
         String value = null;
         if (values != null && values.length == 1) {
-            value = values[0];
+            String value0 = values[0];
+            // check the url pattern
+            if (Config.getLogoutUrlPattern().matcher(value0).matches()) {
+                value = value0;
+            }
         }
         return redirect(defaultUrl(value, Config.getDefaultLogoutUrl()));
     }

diff --git a/play-pac4j_java/src/main/java/org/pac4j/play/Config.java b/play-pac4j_java/src/main/java/org/pac4j/play/Config.java
@@ -16,6 +16,7 @@
 package org.pac4j.play;
 
 import org.pac4j.core.client.Clients;
+import java.util.regex.Pattern;
 
 /**
  * This class gathers all the configuration.
@@ -27,10 +28,15 @@ public final class Config {
 
     private final static String DEFAULT_URL = "/";
 
+    // just relative urls
+    private final static String DEFAULT_LOGOUT_URL_PATTERN = "/.*";
+
     private static String defaultSuccessUrl = DEFAULT_URL;
 
     private static String defaultLogoutUrl = DEFAULT_URL;
 
+    private static Pattern logoutUrlPattern = Pattern.compile(DEFAULT_LOGOUT_URL_PATTERN);
+
     // 1 hour = 3600 seconds
     private static int profileTimeout = 3600;
 
@@ -102,6 +108,14 @@ public static void setErrorPage403(final String errorPage403) {
         Config.errorPage403 = errorPage403;
     }
 
+    public static Pattern getLogoutUrlPattern() {
+        return logoutUrlPattern;
+    }
+
+    public static void setLogoutUrlPattern(String logoutUrlPattern) {
+        Config.logoutUrlPattern = Pattern.compile(logoutUrlPattern);
+    }
+
     /**
      * Gets the prefix used for all cache operations
      *