fix: SAML Logout not working - EXO-60293

Before this fix, when login out from saml, the request /portal/doling?GLO=true try to flush 3 cookies (JSESSIONID, rememberme, and oauth_rememberme), do setCookie with empty value. This not flush cookie in browser because cookies path is '/' and not '/portal' In addition, there is one more cookie to flush, which currently recreate the user session. This commit use the correct path for the cookies and add the JSESSIONIDSSO cookie which should be flushed. Resolves meeds-io/meeds-1771
Meeds-io · Mar 25, 2024 · aa15664 · aa15664
1 parent 6fc7d16
commit aa15664
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/agent/src/main/java/org/gatein/sso/agent/saml/PortalSAML2LogOutHandler.java b/agent/src/main/java/org/gatein/sso/agent/saml/PortalSAML2LogOutHandler.java
@@ -66,6 +66,8 @@ public class PortalSAML2LogOutHandler extends SAML2LogOutHandler
 
   private static final String OAUTH_COOKIE_NAME = "oauth_rememberme";
 
+  private static final String JSESSIONIDSSO_COOKIE_NAME = "JSESSIONIDSSO";
+
   private final SPLogOutHandler sp = new SPLogOutHandler();
 
   private static Log          log               = ExoLogger.getLogger(PortalSAML2LogOutHandler.class);
@@ -146,7 +148,9 @@ protected void portalLogout(HttpServletRequest request, HttpServletResponse resp
 
       try
       {
-         ServletContainerFactory.getServletContainer().logout(request, response);
+        if (request.getRemoteUser()!=null) {
+          ServletContainerFactory.getServletContainer().logout(request, response);
+        }
       }
       catch (Exception e)
       {
@@ -155,9 +159,15 @@ protected void portalLogout(HttpServletRequest request, HttpServletResponse resp
 
       // Remove rememberme cookie
       Cookie cookie = new Cookie(COOKIE_NAME, "");
-      cookie.setPath(request.getContextPath());
+      cookie.setPath("/");
       cookie.setMaxAge(0);
       response.addCookie(cookie);
+
+     // Remove JSESSIONIDSSO cookie
+     Cookie jsessionIdSSOCookie = new Cookie(JSESSIONIDSSO_COOKIE_NAME, "");
+     jsessionIdSSOCookie.setPath("/");
+     jsessionIdSSOCookie.setMaxAge(0);
+     response.addCookie(jsessionIdSSOCookie);
 
       // Remove oauth cookie
       Cookie oauthCookie = new Cookie(OAUTH_COOKIE_NAME, "");