OPCustomFilterRegistration

1 V4.0+
2 Earlier Versions
- 2.1 Activation
- 2.2 Filter Mappings
- 2.3 Filter Configuration

V4.0+

With the V4 release of the plugin, the same filter used internally in the IdP is used to handle response header customization, so the original custom filter defined in the plugin has been removed. In the unlikely event that the original plugin hook was used to install a custom filter, use of web.xml to do this is suggested instead.

The original system properties created to control the installation of, and mappings for, the OP filter are no longer supported in this release and are ignored. By default, the plugin automatically extends the IdP’s known set of URL prefixes to apply its response headers to by adding the /profile/oidc/ and /profile/oauth2/ prefixes to the built-in set.

In the event that customizing the conditions under which the response header filter runs is required, the condition used to evaluate that can be overridden via a property named idp.responseHeaderCondition that references a bean of type Predicate<ServletRequest>. This predicate could optionally be injected with the built-in condition via the bean named shibboleth.UserFacingPrefixPredicate in order to delegate decisions to it.

Earlier Versions

Starting with V3.1, the OP plugin automatically registers a configurable Filter attached to its endpoints.

Activation

The filter registration is enabled by default, but the feature can be deactivated via a Java system property:

-Dnet.shibboleth.idp.plugin.oidc.op.servlet.RegisterFilterServletContextInitializer=disabled

Filter Mappings

By default, the filter is mapped to all /profile/oidc/* and /profile/oauth2/* endpoints, but the list can be customized via a space-separated list in the net.shibboleth.idp.plugin.oidc.op.servlet.RegisterFilterServletContextInitializer.mappings Java system property.

For instance, to register the filter for /profile/custom/* endpoints as well, the following system property would be declared:

"-Dnet.shibboleth.idp.plugin.oidc.op.servlet.RegisterFilterServletContextInitializer.mappings=/profile/oauth2/* /profile/oidc/* /profile/custom/*"

Filter Configuration

The filter is configured by defining a bean named via the idp.oidc.ResponseHeaderFilter property.

One example use case is to register custom HTTP response headers. In order to add the same HTTP headers that are by default added to the SAML and CAS endpoints, the idp.oidc.ResponseHeaderFilter property would be set to shibboleth.ResponseHeaderFilter:

idp.oidc.ResponseHeaderFilter = shibboleth.ResponseHeaderFilter

By default, this configures the values defined by the idp.hsts, idp.frameoptions and idp.csp properties into the corresponding HTTP headers (see https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1280180837 ) and applies them to the OP plugin as well as the original IdP endpoints.