Nazzareno Sileno created GEOS-6189
Issue Type: Bug
Affects Versions: 2.4.2
Assignee:
Attachments: CAS3dyLogoutIssue.patch, recordSessionOnLogoutIssue.patch
Components: Security
Created: 25/Nov/13 1:10 PM
Description:
Looking at the code in GeoServerCasAuthenticationFilter, it seems that there is an issue destroying the session.

    { // do we participate
        LOGGER.info("Single Sign Out received from CAS server -> starting log out");
        handler.destroySession(httpReq);
        LogoutFilterChain logOutChain = (LogoutFilterChain) getSecurityManager().getSecurityConfig().getFilterChain().getRequestChainByName("webLogout");
        logOutChain.doLogout(getSecurityManager(), httpReq, httpRes, getName());
    } else ...

This destroys the session before calling the chain logout, which probably needs to work using the session. The solution is to postpone the destroy instruction; in this way it seems to work.

Another issue is that if a third-party application executes logout switching between different users more than twice, at the third attempt GS is not capable of recognizing the newly logged-in user but logs in the previous user.

    { //getHandler().recordSession(httpReq);
        if (LOGGER.isLoggable(Level.INFO)) ...
    }

Can someone explain to me the utility of this code? Why do we need to record the session after the logout operation?
Environment: Linux Mint Petra
Fix Versions: 2.4.2
Project:
Labels: cas
Priority: Major
Reporter: