[jboss-jira] [JBoss JIRA] (WFLY-5484) Calling HttpServletRequest.logout() with single sign-on enabled only works every second time

Paul Ferraro (JIRA) issues at jboss.org
Tue Jan 5 11:44:00 EST 2016


    [ https://issues.jboss.org/browse/WFLY-5484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13145121#comment-13145121 ] 

Paul Ferraro commented on WFLY-5484:
------------------------------------

[~rjanik] I've looked at the reproducer, but I fail to see where ?logout=true is handled anywhere in the requested servlet. (I'm assuming this uses this application: https://github.com/clusterbench/clusterbench/blob/master/clusterbench-common/src/main/java/org/jboss/test/clusterbench/common/session/CommonHttpSessionServlet.java)
As far as I can tell, the only request parameters being handled are:
* readonly (for read-only requests)
* invalidate (for session invalidation)

I see no code that performs an HttpServletRequest.logout(). If I am mistaken, please post the source.

> Calling HttpServletRequest.logout() with single sign-on enabled only works every second time
> --------------------------------------------------------------------------------------------
>
>                 Key: WFLY-5484
>                 URL: https://issues.jboss.org/browse/WFLY-5484
>             Project: WildFly
>          Issue Type: Bug
>          Components: Clustering, Web (Undertow)
>            Reporter: Richard Janík
>            Assignee: Paul Ferraro
>            Priority: Blocker
>             Fix For: 10.0.0.CR5
>
>         Attachments: reproducer-jbeap-1282.zip
>
>
> See "Steps to Reproduce". Logging out from an application only works every second time, e.g. HttpRequestServlet.logout() has to be called twice in order to have any effect.
> This doesn't occur without <single-sign-on/> enabled - logout() has the expected effect. The issue is security related, thus I'm adding our security team members as watchers.


