From 12f2a25ddb97bf8e9dd73808449b234eeb443768 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20D=C3=A9nari=C3=A9?=
Date: Fri, 22 Mar 2024 16:54:57 +0100
Subject: [PATCH] fix: SAML Logout not working - EXO-70293

Before this fix, when login out from saml, the request /portal/doling?GLO=true try to flush 3 cookies (JSESSIONID, rememberme, and oauth_rememberme), do setCookie with empty value. This not flush cookie in browser because cookies path is '/' and not '/portal' In addition, there is one more cookie to flush, which currently recreate the user session. This commit use the correct path for the cookies and add the JSESSIONIDSSO cookie which should be flushed. Resolves meeds-io/meeds-1771
---
 .../sso/agent/saml/PortalSAML2LogOutHandler.java | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/sso-saml-plugin/src/main/java/org/gatein/sso/agent/saml/PortalSAML2LogOutHandler.java b/sso-saml-plugin/src/main/java/org/gatein/sso/agent/saml/PortalSAML2LogOutHandler.java
index 487f1f960..540e0471c 100644
--- a/sso-saml-plugin/src/main/java/org/gatein/sso/agent/saml/PortalSAML2LogOutHandler.java
+++ b/sso-saml-plugin/src/main/java/org/gatein/sso/agent/saml/PortalSAML2LogOutHandler.java
@@ -66,6 +66,8 @@ public class PortalSAML2LogOutHandler extends SAML2LogOutHandler
 private static final String OAUTH_COOKIE_NAME = "oauth_rememberme";
+ private static final String JSESSIONIDSSO_COOKIE_NAME = "JSESSIONIDSSO";
+
 private final SPLogOutHandler sp = new SPLogOutHandler();
 private static Log log = ExoLogger.getLogger(PortalSAML2LogOutHandler.class);
@@ -146,7 +148,9 @@ protected void portalLogout(HttpServletRequest request, HttpServletResponse resp
 try {
- ServletContainerFactory.getServletContainer().logout(request, response);
+ if (request.getRemoteUser()!=null) {
+ ServletContainerFactory.getServletContainer().logout(request, response);
+ }
 } catch (Exception e) {
@@ -155,9 +159,15 @@ protected void portalLogout(HttpServletRequest request, HttpServletResponse resp // Remove rememberme cookie Cookie cookie = new Cookie(COOKIE_NAME, ""); - cookie.setPath(request.getContextPath()); + cookie.setPath("/"); cookie.setMaxAge(0); response.addCookie(cookie); + + // Remove JSESSIONIDSSO cookie + Cookie jsessionIdSSOCookie = new Cookie(JSESSIONIDSSO_COOKIE_NAME, ""); + jsessionIdSSOCookie.setPath("/"); + jsessionIdSSOCookie.setMaxAge(0); + response.addCookie(jsessionIdSSOCookie); // Remove oauth cookie Cookie oauthCookie = new Cookie(OAUTH_COOKIE_NAME, "");
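Review bot: The cookie-expiry sequence is now written out three times in this hunk (rememberme, the new JSESSIONIDSSO block and oauth), each hard-coding the "/" path, so a `private static void expireCookie(HttpServletResponse response, String name)` helper would keep the path and max-age in one place. That matters because a browser only discards a cookie whose name, path and domain all match the one it holds; if any of these cookies is issued with a Domain attribute or a path other than "/", this clearing still has no effect, so the helper's attributes should be checked against the code that sets them. Expiring JSESSIONIDSSO on the client also does not remove the server-side SSO entry; that presumably depends on the container logout in the earlier hunk, which is now skipped when getRemoteUser() is null, so it is worth confirming a stale SSO cookie is still invalidated in that case. portalLogout's signature and closing brace are outside the hunk.
```java
// … unchanged: container logout and its catch block …

// Remove rememberme cookie
expireCookie(response, COOKIE_NAME);

// Remove JSESSIONIDSSO cookie
expireCookie(response, JSESSIONIDSSO_COOKIE_NAME);

// Remove oauth cookie
expireCookie(response, OAUTH_COOKIE_NAME);

// … unchanged: remainder of portalLogout; the helper below is a new private method of the class …

/**
 * Expires a cookie on the client by re-sending it empty with max-age 0.
 * The browser only drops it if name, path and domain match the cookie it holds,
 * so the path here must stay aligned with the path used when the cookie is set.
 */
private static void expireCookie(HttpServletResponse response, String name) {
  Cookie cookie = new Cookie(name, "");
  cookie.setPath("/");
  cookie.setMaxAge(0);
  response.addCookie(cookie);
}
```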