This is an automated email from the ASF dual-hosted git repository.
jungm pushed a commit to branch tomee-10.x
in repository https://gitbox.apache.org/repos/asf/tomee.git
The following commit(s) were added to refs/heads/tomee-10.x by this push:
new df391ad521 TOMEE-4596 - OpenIdAuthenticationMechanism invalidate
session after redirect uri has been built
df391ad521 is described below
commit df391ad521817b734eec6c1b2986004d3679aad6
Author: Markus Jung <[email protected]>
AuthorDate: Mon Mar 23 08:03:21 2026 +0100
TOMEE-4596 - OpenIdAuthenticationMechanism invalidate session after
redirect uri has been built
---
.../cdi/OpenIdAuthenticationMechanism.java | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git
a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java
b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java
index 8c1ae5b548..230194cb44 100644
---
a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java
+++
b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java
@@ -76,11 +76,24 @@ public class OpenIdAuthenticationMechanism implements
HttpAuthenticationMechanis
@Override
public void cleanSubject(HttpServletRequest request, HttpServletResponse
response, HttpMessageContext httpMessageContext) {
+ String redirectTarget = buildRedirectUri();
+
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
}
+ if (redirectTarget != null) {
+ httpMessageContext.redirect(redirectTarget);
+ return;
+ }
+
+ // Restart authorization by redirecting to openid provider
+ redirectToAuthorization(request, response, httpMessageContext);
+ }
+
+ private String buildRedirectUri()
+ {
if (definition.logout().notifyProvider()) {
if (!definition.providerMetadata().endSessionEndpoint().isEmpty())
{
UriBuilder endSession =
UriBuilder.fromUri(definition.providerMetadata().endSessionEndpoint())
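Review bot: Calling buildRedirectUri() before session.invalidate() at the top of cleanSubject means any exception raised while building the target (UriBuilder.fromUri on a malformed endSessionEndpoint, or whatever the rest of buildRedirectUri reads from the session below this hunk) now propagates before the session is invalidated, so a failed logout leaves the subject authenticated, whereas the old order invalidated first. Wrapping the build in try/finally keeps the new read-before-invalidate order while guaranteeing the session is torn down on the error path; the code below shows that. The new private method also has no comment on its contract, in particular that null means "no redirect configured, restart authorization": `/** Returns the post-logout redirect target from the logout configuration, or null when none is configured. */`. Its opening brace sits on its own line, unlike the K&R braces of the surrounding methods. buildRedirectUri's body continues past the end of this hunk.
```java
@Override
public void cleanSubject(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) {
    String redirectTarget;
    try {
        redirectTarget = buildRedirectUri();
    } finally {
        // Fail closed: the session is invalidated even when building the target throws.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
    // … unchanged: redirect to redirectTarget, else restart authorization …
}
```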
@@ -90,18 +103,15 @@ public class OpenIdAuthenticationMechanism implements
HttpAuthenticationMechanis
endSession.queryParam(OpenIdConstant.POST_LOGOUT_REDIRECT_URI,
definition.logout().redirectURI());
}
- httpMessageContext.redirect(endSession.build().toString());
- return;
+ return endSession.build().toString();
}
} else {
if (!definition.logout().redirectURI().isEmpty()) {
- httpMessageContext.redirect(definition.logout().redirectURI());
- return;
+ return definition.logout().redirectURI();
}
}
- // Restart authorization by redirecting to openid provider
- redirectToAuthorization(request, response, httpMessageContext);
+ return null;
}
@Override