-
Notifications
You must be signed in to change notification settings - Fork 389
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
java-saml core depends on servlet-api, making it less reusable #65
Comments
The v1 had the AuthRequest and Response On the python-saml toolkit we had a similar issue, because each web framework (django, flask, ..) has it own request object, so we created a custom request object, with the server data that the toolkit needs I thought that HttpServletRequest and HttpServletResponse were quite standard, but if there are more scenarios I see 3 alternatives:
@miszobi what do you think on that issue? |
Thanks, I hadn't looked closely enough when I raised this issue. I did try to upgrade to v2 yesterday and while I can use I've just pushed a proposal in PR #71 to how I think this can work without changing the design of the library too much. This is basically the same as option (2) above except I have simply removed the servlet dependency from the low-level AuthRequest and SamlResponse, leaving Let me know what you think @pitbulk . I'd like to continue down this track if you're happy with this change. |
The approach in #71 looks good to me. It separates out the dependency on |
I'm working on pending classes (LogoutRequest and LogoutResponse). |
Now LogoutRequest and LogoutResponse no longer depend on javax.servlet. My unique doubt is about the addParameter method. I think it should modify the HttpRequest object instead of returning a new one. |
Nice. The reasoning behind addParameter returning a copy is to allow At the end of the day this is a preference as I've found from experience that systems built on immutable object are easier to understand and more maintainable and understandable than those using mutable object. So personally I would recommend moving in the other direction (making other classes immutable where possible) instead of making HttpRequest mutable, though I am not going to fall on my sword for this. :) |
Ok, I added a removeParameter that I think is not against that immutable philosophy at all. Please review my PR. I will merge it at the end of the week and plan also to add the pending docunentation. |
Sorry I only had time to look at the PR now, looks good! Thanks for this—I will integrate the new v2 into our app, hopefully this will yield further contributions :) |
In v1 java-saml takes care of generating SSO URLs and validating SAMLResponses and leaves it up to the caller to perform the necessary redirects. This makes the library simple and reusable because it has a single responsibility (how to build SSO requests and understand the responses) and does not bring along many other dependencies.
Currently in the v2 branch most classes are now dependent on accessing the
HttpServletRequest
andHttpServletResponse
directly, which means they now have an additional responsibilities like performing redirects, invalidating sessions, etc. The Java ecosystem is much more than just Servlet containers these days but adding this dependency excludes anyone that is not running in a traditional Servlet environment.To give an example, I have used v1 in a Scala application that does not use a Servlet container and I chose to use the OneLogin toolkit precisely because it did not have unnecessary dependencies (otherwise I would've used Spring Security SAML or OpenSAML directly). I can not use v2 at all currently because I don't have a
HttpServletRequest
available to pass to the toolkit.I propose to remove the servlet dependency from the core module, which should only know how to build SSO/SLO requests (independently of the tech stack in use) and understand the responses. At the same time I would add a java-saml-servlet module with a set of "controller" classes that use the core module and call the servlet APIs to perform redirect, etc. By separating the responsibilities of the two modules, the unit tests for each one will become simpler as well.
Thoughts?
The text was updated successfully, but these errors were encountered: