Author: aogburn Date: 2013-05-31 08:54:47 -0400 (Fri, 31 May 2013) New Revision: 2207 Modified: branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/AuthenticatorBase.java branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/SingleSignOn.java Log: [BZ-967978] commit one-off changes to avoid session invalidation on sso logout Modified: branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/AuthenticatorBase.java =================================================================== --- branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-05-30 21:40:00 UTC (rev 2206) +++ branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-05-31 12:54:47 UTC (rev 2207) @@ -115,6 +115,14 @@ /** + * Should the session ID, if any, be changed upon a successful + * authentication to prevent a session fixation attack? + */ + protected boolean unregisterSsoOnLogout = + Boolean.valueOf(System.getProperty("org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT", "true")).booleanValue(); + + + /** * The Context to which this Valve is attached. */ protected Context context = null; @@ -208,6 +216,16 @@ } + public boolean isUnregisterSsoOnLogout() { + return unregisterSsoOnLogout; + } + + + public void setUnregisterSsoOnLogout(boolean unregisterSsoOnLogout) { + this.unregisterSsoOnLogout = unregisterSsoOnLogout; + } + + /** * Return the Container to which this Valve is attached. */ @@ -717,8 +735,14 @@ String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE); if (ssoId != null) { // Update the SSO session with the latest authentication data - request.removeNote(Constants.REQ_SSOID_NOTE); - sso.deregister(ssoId); + if (unregisterSsoOnLogout) { + request.removeNote(Constants.REQ_SSOID_NOTE); + sso.deregister(ssoId); + } else { + if (cache && session != null) { + sso.removeLogin(ssoId); + } + } } } Modified: branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/SingleSignOn.java =================================================================== --- branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/SingleSignOn.java 2013-05-30 21:40:00 UTC (rev 2206) +++ branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/SingleSignOn.java 2013-05-31 12:54:47 UTC (rev 2207) @@ -524,6 +524,34 @@ /** + * Logout the specified single sign on identifier from all sessions. + * + * @param ssoId Single sign on identifier to logout + */ + public void removeLogin(String ssoId) { + + // Look up and remove the corresponding SingleSignOnEntry + SingleSignOnEntry sso = null; + synchronized (cache) { + sso = cache.get(ssoId); + } + + if (sso == null) + return; + + // Remove all authentication information from all associated sessions + Session sessions[] = sso.findSessions(); + for (Session session : sessions) { + session.setAuthType(null); + session.setPrincipal(null); + session.removeNote(Constants.SESS_USERNAME_NOTE); + session.removeNote(Constants.SESS_PASSWORD_NOTE); + } + + } + + + /** * Attempts reauthentication to the given <code>Realm</code> using * the credentials associated with the single sign-on session * identified by argument <code>ssoId</code>.