[wildfly-dev] Broken logout / HAL-60

Jess Sightler jsightle at redhat.com
Fri Aug 9 09:22:13 EDT 2013


This is currently the case. The server caches things such that subsequent connections (even without auth headers) can be accepted.

I have had a PR for a while that handles this somewhat abruptly (disables caching), and also fixes issues with logout when using BASIC auth (which wasn't handled):
https://github.com/wildfly/wildfly/pull/4745

This is also an issue in EAP.

----- Original Message -----
> From: "Jason Greene" <jgreene at redhat.com>
> To: "Harald Pehl" <hpehl at redhat.com>
> Cc: "Darran Lofthouse" <darran.lofthouse at redhat.com>, wildfly-dev at lists.jboss.org
> Sent: Friday, August 9, 2013 7:37:11 AM
> Subject: Re: [wildfly-dev] Broken logout / HAL-60
> 
> Hmm we need to look into a security issue then because that could mean that
> subsequent requests with incorrect credentials are somehow accepted when
> they should be rejected.
> 
> On Aug 9, 2013, at 5:06 AM, Harald Pehl <hpehl at redhat.com> wrote:
> 
> > I'm trying to fix the broken logout in the console
> > (https://issues.jboss.org/browse/HAL-60). With the switch to undertow, the
> > redirects in LogoutHandler no longer work in Chrome and Safari. I came
> > up with a solution that adds a call to SecurityContext.logout() before
> > doing the redirects.
> > 
> > My changes are in PR #4879: https://github.com/wildfly/wildfly/pull/4897.
> > Can you take a look at my solution? I don't know if that's an appropriate
> > solution to get rid of the digest authentication information. At least it
> > does work across common browsers.
> > 
> > Thanks
> > Harald
> > 
> > ---
> > Harald Pehl
> > JBoss by Red Hat
> > http://hpehl.info
> > 
> > _______________________________________________
> > wildfly-dev mailing list
> > wildfly-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/wildfly-dev
> 
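The failure mode Jess and Jason describe above, as an added example that is not code from WildFly, Undertow, or either of the linked PRs: a minimal HTTP Basic-auth server in which the authenticated identity can optionally be cached per connection, the way the thread says the server does. The probe sends an authenticated GET and then a second GET with no Authorization header on the same keep-alive TCP connection and returns both status codes, so it doubles as a regression check for the bug: a correct server answers 200 then 401, a server that caches per connection answers 200 twice. The realm, user name, password and `/management` path are constructed for the demo.

```python
"""Added example, not WildFly/Undertow code: per-connection auth caching bug."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed credentials for the demo; any realm/user would do.
USERNAME, PASSWORD, REALM = "admin", "s3cret", "ManagementRealm"


def _valid_basic(header):
    """True only if the Authorization header carries the expected credentials."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        userpass = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return userpass == f"{USERNAME}:{PASSWORD}"


class AuthHandler(BaseHTTPRequestHandler):
    # HTTP/1.1 means keep-alive: one handler instance serves every request on a
    # connection, so an instance attribute is exactly a per-connection cache.
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        cached = getattr(self, "_authenticated", False)
        if self.server.cache_auth_per_connection and cached:
            # The bug: trust the earlier result and never look at the headers again.
            authenticated = True
        else:
            # Correct behaviour: every request must prove itself.
            authenticated = _valid_basic(self.headers.get("Authorization"))
        if authenticated:
            self._authenticated = True
            body = b"ok"
            self.send_response(200)
        else:
            self._authenticated = False
            body = b"unauthorized"
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(cache_auth_per_connection):
    """Start a server with the given caching policy, send an authenticated GET
    followed by an unauthenticated GET on the same connection, and return the
    two status codes as a tuple."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), AuthHandler)
    server.cache_auth_per_connection = cache_auth_per_connection
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1])
        token = base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
        conn.request("GET", "/management", headers={"Authorization": "Basic " + token})
        first = conn.getresponse()
        first.read()  # drain the body so http.client reuses the socket
        conn.request("GET", "/management")  # same TCP connection, no credentials
        second = conn.getresponse()
        second.read()
        conn.close()
        return first.status, second.status
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("caching per connection:", probe(True))   # (200, 200): the bug
    print("checking every request:", probe(False))  # (200, 401): correct
```

Because the cache lives on the handler instance, the second request can only be accepted if the client really did reuse the connection, so a `(200, 200)` result from the caching mode also confirms the probe is exercising the keep-alive path rather than opening a fresh socket. The same two-request sequence, pointed at a real management interface after logout, is the check a reviewer would want alongside a fix that disables the cache.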
