From b4184b12a3a3440a5ea23b27b4a1224fe4da1fd6 Mon Sep 17 00:00:00 2001
From: juanf <juanf@ethz.ch>
Date: Thu, 30 Mar 2023 13:47:03 +0200
Subject: [PATCH] SSDM-13533: Disable SSO servlet by default

---
 .../sis/openbis/generic/server/SingleSignOnServlet.java | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/server-application-server/source/java/ch/ethz/sis/openbis/generic/server/SingleSignOnServlet.java b/server-application-server/source/java/ch/ethz/sis/openbis/generic/server/SingleSignOnServlet.java
index 838e4257d3b..25aee1242c4 100644
--- a/server-application-server/source/java/ch/ethz/sis/openbis/generic/server/SingleSignOnServlet.java
+++ b/server-application-server/source/java/ch/ethz/sis/openbis/generic/server/SingleSignOnServlet.java
@@ -84,6 +84,8 @@ public class SingleSignOnServlet extends AbstractServlet
     public static final String DEFAULT_REDIRECT_URL = "webapp/eln-lims";
+    private static final String SINGLE_SIGN_ON_ENABLED_PROPERTY = "single-sign-on.enabled";
+
     private static final String SINGLE_SIGN_ON_REDIRECT_URL_TEMPLATE_PROPERTY = "single-sign-on.redirect-url-template";
     private static final String DEFAULT_SINGLE_SIGN_ON_REDIRECT_URL_TEMPLATE = "https://${host}/openbis/webapp/eln-lims";
@@ -103,9 +105,12 @@ public class SingleSignOnServlet extends AbstractServlet
     private Template template;
+    private boolean enabled;
+
     @Override
     protected void initServletContext(ServletContext servletContext)
     {
+        enabled = Boolean.parseBoolean(configurer.getResolvedProps().getProperty(SINGLE_SIGN_ON_ENABLED_PROPERTY, Boolean.toString(Boolean.FALSE)));
         template = new Template(configurer.getResolvedProps().getProperty(SINGLE_SIGN_ON_REDIRECT_URL_TEMPLATE_PROPERTY, DEFAULT_SINGLE_SIGN_ON_REDIRECT_URL_TEMPLATE));
         template.createFreshCopy().bind("host", ""); // Check that template contains '${host}'
@@ -116,6 +121,10 @@ public class SingleSignOnServlet extends AbstractServlet
     protected void respondToRequest(HttpServletRequest request, HttpServletResponse response) throws Exception, IOException
     {
         operationLog.info("handle sso event");
+        if (!enabled) {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            return;
+        }
         removeStaleSessions();
         String sessionId = getHeader(request, SESSION_ID_KEY, DEFAULT_SESSION_ID_KEY);
         synchronized (this)
--
GitLab
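Review bot: The new `if (!enabled)` guard in respondToRequest sends a bare 403 without recording that the servlet is switched off, so with the new default an operator who has not set `single-sign-on.enabled` sees only the preceding "handle sso event" entry and a client-side 403 with no hint of the cause. A log line inside the guard, e.g. `operationLog.warn("SSO servlet is disabled (" + SINGLE_SIGN_ON_ENABLED_PROPERTY + "=false); rejecting request");`, makes the default-off behaviour diagnosable without changing the response. It would also be cleaner to place the guard before `operationLog.info("handle sso event")`, so a disabled deployment does not log a handled event for every request it rejects. The method body continues past the end of the hunk.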