Files
Stirling-PDF/testing/compose/docker-compose-keycloak-saml.yml
c294e9b2cb fix file sharing bug (#6161)
# Description of Changes

Fixes share-link navigation for SSO users. Reported on v2.9.2 with
`SSOAutoLogin: true`: clicking a `/share/<token>` link in an email
redirected the user to the home page after SSO instead of the shared
file.

## Root cause

Three compounding issues had to be fixed together; the first was the
initial symptom but the other two only surfaced during live
verification.

1. **Spring Security blocked `/share/<token>` for unauthenticated
users.** The route wasn't in `RequestUriUtils.isPublicAuthEndpoint`, so
the server 302'd straight to `/login` before React could load
`ShareLinkPage`. The share URL was lost because `NullRequestCache` is
configured and never persisted the original destination.

2. **`httpErrorHandler` full-page-redirected to `/login?from=<path>` on
any unhandled 401** (fired by `LicenseContext`, `AppConfig`, etc. during
normal ShareLinkPage mount). That *did* preserve the return path — but
**Spring Security strips query strings from `/login`** (302 to bare
`/login`), so `?from=` never reached React. Confirmed via `curl -i
http://localhost:8080/login?from=xyz` → `Location: /login`.

3. **`AuthCallback.tsx` unconditionally `navigate("/")`** after the
SAML/OAuth round-trip, discarding any intended destination.

## Fix

**Backend** — make `/share/<token>` a public SPA bootstrap, data APIs
stay protected:
- `RequestUriUtils.isPublicAuthEndpoint` — permits `^/share/[^/]+/?$`
(tight regex, single token segment only; `/share/<token>/anything` stays
protected).
- `ReactRoutingController` — dedicated `@GetMapping("/share/{token}")`
mirroring `/auth/callback`.
- `/api/v1/storage/share-links/**` remains behind Spring Security with
its existing `canAccessShareLink` check.

**Frontend** — persist the return path across full-page redirects via
`sessionStorage` (same-origin, survives the SSO round-trip):
- `httpErrorHandler.ts` — stashes current pathname to
`stirling_post_login_path` before the 401 → `/login` redirect.
- `springAuthClient.ts` — new `isSafePostLoginRedirect` /
`setPostLoginRedirectPath` / `consumePostLoginRedirectPath` helpers
(rejects protocol-relative URLs and auth-plumbing paths to guard against
open-redirect abuse).
- `Login.tsx` — on explicit user sign-in, read path from
`location.state` or `?from=` query and stash it; don't clobber an
already-stashed value.
- `AuthCallback.tsx` — consume the stashed path (single-use) and
`navigate(target)` instead of always `/`.


---

## Checklist

### General

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### Translations (if applicable)

- [ ] I ran
[`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have run `task check` to verify linters, typechecks, and tests
pass
- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/DeveloperGuide.md#7-testing)
for more details.

---------

Co-authored-by: EthanHealy01 <[email protected]>
2026-04-23 14:52:25 +01:00

162 lines
6.1 KiB
YAML

services:
keycloak-saml:
container_name: stirling-keycloak-saml
image: quay.io/keycloak/keycloak:24.0
command:
- start-dev
- --import-realm
environment:
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://keycloak-saml-db:5432/keycloak
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: keycloak
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
KC_HOSTNAME: localhost
KC_HOSTNAME_PORT: 9080
KC_HOSTNAME_STRICT: "false"
KC_HTTP_ENABLED: "true"
KC_PROXY: edge
KC_HTTP_RELATIVE_PATH: "/"
ports:
- "9080:8080"
volumes:
- ./keycloak-realm-saml.json:/opt/keycloak/data/import/realm-export.json:ro
depends_on:
keycloak-saml-db:
condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/8080 && echo -e 'GET /realms/stirling-saml/protocol/saml/descriptor HTTP/1.1\\nHost: localhost\\nConnection: close\\n\\n' >&3 && timeout 2 cat <&3 | grep -q 'EntityDescriptor'"]
interval: 10s
timeout: 10s
retries: 30
start_period: 60s
networks:
- stirling-saml-test
keycloak-saml-db:
container_name: stirling-keycloak-saml-db
image: postgres:16-alpine
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: keycloak
healthcheck:
test: ["CMD-SHELL", "pg_isready -U keycloak"]
interval: 5s
timeout: 5s
retries: 10
networks:
- stirling-saml-test
stirling-pdf-saml:
container_name: stirling-pdf-saml-test
image: docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest
build:
context: ../..
dockerfile: docker/embedded/Dockerfile
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:8080$${SYSTEM_ROOTURIPATH:-''}/api/v1/info/status | grep -q 'UP'"]
interval: 5s
timeout: 10s
retries: 30
ports:
- "8080:8080"
volumes:
- ../../../stirling/keycloak-saml-test/data:/usr/share/tessdata:rw
- ../../../stirling/keycloak-saml-test/config:/configs:rw
- ../../../stirling/keycloak-saml-test/logs:/logs:rw
- ../../../stirling/keycloak-saml-test/storage:/storage:rw
- ./keycloak-saml-cert.pem:/app/keycloak-saml-cert.pem:ro
- ./saml-private-key.key:/app/saml-private-key.key:ro
- ./saml-public-cert.crt:/app/saml-public-cert.crt:ro
environment:
# Basic settings
DOCKER_ENABLE_SECURITY: "true"
SECURITY_ENABLELOGIN: "true"
SECURITY_LOGINMETHOD: "${SECURITY_LOGINMETHOD:-all}"
SYSTEM_DEFAULTLOCALE: "${SYSTEM_DEFAULTLOCALE:-en-US}"
SYSTEM_BACKENDURL: "http://localhost:8080"
# Enterprise License (required for SAML)
PREMIUM_KEY: "${PREMIUM_KEY:-00000000-0000-0000-0000-000000000000}"
PREMIUM_ENABLED: "true"
PREMIUM_PROFEATURES_SSOAUTOLOGIN: "${PREMIUM_PROFEATURES_SSOAUTOLOGIN:-false}"
# Storage + sharing (opt-in via start-saml-test.sh --with-storage)
STORAGE_ENABLED: "${STORAGE_ENABLED:-false}"
STORAGE_PROVIDER: "${STORAGE_PROVIDER:-local}"
STORAGE_LOCAL_BASEPATH: "${STORAGE_LOCAL_BASEPATH:-/storage}"
STORAGE_SHARING_ENABLED: "${STORAGE_SHARING_ENABLED:-false}"
STORAGE_SHARING_LINKENABLED: "${STORAGE_SHARING_LINKENABLED:-false}"
STORAGE_SHARING_EMAILENABLED: "${STORAGE_SHARING_EMAILENABLED:-false}"
STORAGE_SHARING_LINKEXPIRATIONDAYS: "${STORAGE_SHARING_LINKEXPIRATIONDAYS:-3}"
STORAGE_SIGNING_ENABLED: "${STORAGE_SIGNING_ENABLED:-false}"
# Required for share-link creation (FileStorageService.isShareLinksEnabled)
SYSTEM_FRONTENDURL: "${SYSTEM_FRONTENDURL:-}"
# Debug Logging
LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY_SAML2: DEBUG
LOGGING_LEVEL_ORG_OPENSAML: DEBUG
LOGGING_LEVEL_STIRLING_SOFTWARE_PROPRIETARY_SECURITY: DEBUG
LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY: DEBUG
UI_APPNAME: Stirling-PDF SAML Test
UI_HOMEDESCRIPTION: Keycloak SAML Test Instance
UI_APPNAMENAVBAR: Stirling-PDF SAML
SYSTEM_MAXFILESIZE: "100"
# SAML Configuration (Keycloak)
SECURITY_SAML2_ENABLED: "true"
SECURITY_SAML2_AUTOCREATEUSER: "true"
SECURITY_SAML2_BLOCKREGISTRATION: "false"
SECURITY_SAML2_PROVIDER: "keycloak"
SECURITY_SAML2_REGISTRATIONID: "keycloak"
# IdP Issuer must match what's in the SAML metadata
SECURITY_SAML2_IDP_ISSUER: "http://localhost:9080/realms/stirling-saml"
# Entity ID must match what's configured in Keycloak
SECURITY_SAML2_IDP_ENTITYID: "http://localhost:9080/realms/stirling-saml"
# Metadata URL for Keycloak realm (use service name for internal)
SECURITY_SAML2_IDP_METADATAURI: "http://keycloak-saml:8080/realms/stirling-saml/protocol/saml/descriptor"
# SSO/SLO URLs (required - metadata URI doesn't auto-populate these)
SECURITY_SAML2_IDPSINGLELOGINURL: "http://localhost:9080/realms/stirling-saml/protocol/saml"
SECURITY_SAML2_IDPSINGLELOGOUTURL: "http://localhost:9080/realms/stirling-saml/protocol/saml"
# Certificate file paths
SECURITY_SAML2_IDP_CERT: "/app/keycloak-saml-cert.pem"
SECURITY_SAML2_PRIVATEKEY: "/app/saml-private-key.key"
SECURITY_SAML2_SP_CERT: "/app/saml-public-cert.crt"
# SP Entity ID (this application)
SECURITY_SAML2_SP_ENTITYID: "http://localhost:8080"
# Assertion Consumer Service (ACS) URL
SECURITY_SAML2_SP_ACS: "http://localhost:8080/login/saml2/sso/keycloak"
# Single Logout Service URL
SECURITY_SAML2_SP_SLS: "http://localhost:8080/logout/saml2/slo"
# Disable OAuth (SAML only)
SECURITY_OAUTH2_ENABLED: "false"
# LibreOffice settings
PROCESS_EXECUTOR_AUTO_UNO_SERVER: "true"
PROCESS_EXECUTOR_SESSION_LIMIT_LIBRE_OFFICE_SESSION_LIMIT: "1"
# Permissions
PUID: 1002
PGID: 1002
UMASK: "022"
# Features
DISABLE_ADDITIONAL_FEATURES: "false"
METRICS_ENABLED: "true"
SYSTEM_GOOGLEVISIBILITY: "false"
SHOW_SURVEY: "false"
depends_on:
keycloak-saml:
condition: service_healthy
networks:
- stirling-saml-test
restart: on-failure:5
networks:
stirling-saml-test:
driver: bridge