From f5aae53ca1680db61de212befb5f1dba62dd21e3 Mon Sep 17 00:00:00 2001
From: rajesh
Date: Wed, 9 Oct 2024 12:38:05 -0700
Subject: [PATCH 1/2] Updated config

---
 .../net/gepafin/tendermanagement/config/SecurityConfig.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java b/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java
index ec38b268..91424195 100644
--- a/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java
+++ b/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java
@@ -107,7 +107,7 @@ public class SecurityConfig {
 .requestMatchers("/swagger-ui/**").permitAll() // Swagger docs
 .requestMatchers("/v1/api-docs/**").permitAll() // API docs
 .anyRequest().authenticated())
- .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
+ .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .addFilterBefore(corsFilter(), UsernamePasswordAuthenticationFilter.class)
 .addFilterBefore(new JWTFilter(tokenProvider), UsernamePasswordAuthenticationFilter.class)
 // Add SAML2 login configuration (for BENEFICIARI)

From fb71a70caa4b54823ef49de8e8940bd54fdab7cc Mon Sep 17 00:00:00 2001
From: rajesh
Date: Wed, 9 Oct 2024 12:56:01 -0700
Subject: [PATCH 2/2] Updated config

---
 .../config/SecurityConfig.java | 51 +++++++++++++------
 1 file changed, 36 insertions(+), 15 deletions(-)

diff --git a/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java b/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java
index 91424195..59132951 100644
--- a/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java
+++ b/src/main/java/net/gepafin/tendermanagement/config/SecurityConfig.java
@@ -96,32 +96,53 @@ public class SecurityConfig { } @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { - http.csrf(AbstractHttpConfigurer::disable).authorizeHttpRequests(auth -> auth - // Allow public access to the login endpoints + // Apply stateless session management globally + http.csrf(AbstractHttpConfigurer::disable) + .authorizeHttpRequests(auth -> auth + // Public endpoints .requestMatchers("/v1/user/login").permitAll() // JWT-based login .requestMatchers("/v1/user").permitAll() // User registration .requestMatchers("/v1/user/sso/validate/existing-user/{token}").permitAll() .requestMatchers("/v1/user/sso/validate/new-user/{token}").permitAll() - .requestMatchers("/v1/saml/**").permitAll() // JWT-based login - .requestMatchers("/saml2/**").permitAll() // SAML login initiation .requestMatchers("/swagger-ui/**").permitAll() // Swagger docs .requestMatchers("/v1/api-docs/**").permitAll() // API docs - .anyRequest().authenticated()) - .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) - .addFilterBefore(corsFilter(), UsernamePasswordAuthenticationFilter.class) - .addFilterBefore(new JWTFilter(tokenProvider), UsernamePasswordAuthenticationFilter.class) - // Add SAML2 login configuration (for BENEFICIARI) - /* - * .saml2Login(saml -> saml.loginPage("/saml/login") // Entry point for SAML - * login .defaultSuccessUrl("/") // Redirect after successful SAML login ); - */ - .saml2Login(saml -> saml.defaultSuccessUrl("/").successHandler(samlSuccessHandler) - .failureHandler(samlFailureHandler)); + // SAML-related endpoints + .requestMatchers("/v1/saml/**", "/saml2/**").permitAll() + + // Other authenticated requests + .anyRequest().authenticated()) + + // Globally use stateless session management for most requests + .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) + + // SAML2 login configuration + .saml2Login(saml -> saml + 
.defaultSuccessUrl("/") + .successHandler(samlSuccessHandler) + .failureHandler(samlFailureHandler)); return http.build(); } + // Add another SecurityFilterChain for SAML requests with stateful session management + @Bean + public SecurityFilterChain samlSecurityFilterChain(HttpSecurity http) throws Exception { + // Apply stateful session management for SAML-related endpoints + http + .securityMatcher("/v1/saml/**", "/saml2/**") // Match SAML requests + .authorizeHttpRequests(auth -> auth + .requestMatchers("/v1/saml/**", "/saml2/**").permitAll() + .anyRequest().authenticated()) + + // Use stateful session management for SAML requests + .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)); + + return http.build(); + } + + + @Bean public OpenAPI customOpenAPI() { return new OpenAPI()
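Review bot: The rewritten securityFilterChain removes both `.addFilterBefore(corsFilter(), UsernamePasswordAuthenticationFilter.class)` and `.addFilterBefore(new JWTFilter(tokenProvider), UsernamePasswordAuthenticationFilter.class)` and this patch re-adds them nowhere (the diffstat's 36 insertions are all in this hunk), so with sessions STATELESS nothing restores an authentication from the bearer token issued by `/v1/user/login`, every `.anyRequest().authenticated()` route will reject JWT clients, and the CORS filter is gone as well — put the two lines back after the `.sessionManagement(...)` call. The new samlSecurityFilterChain is unlikely to take effect as written: it has no `@Order`, while the chain declared before it has no `securityMatcher` and therefore matches every request, so depending on the Spring Security version it is either evaluated first and shadows the SAML chain or the any-request-chain check rejects the configuration at startup; give the SAML chain `@Order(1)` or declare it first. Even once ordered, `saml2Login(...)` is configured only on the stateless chain, so `/saml2/**` requests routed to the stateful chain would meet no SAML2 filters there; the `saml2Login` block with `samlSuccessHandler` and `samlFailureHandler` belongs in the chain that owns `/saml2/**` and `/v1/saml/**`. Once that is done, the `.requestMatchers("/v1/saml/**", "/saml2/**").permitAll()` line in the first chain is redundant and can be dropped.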