Github user sjcorbett commented on a diff in the pull request:
https://github.com/apache/brooklyn-server/pull/288#discussion_r73668447
--- Diff:
rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java
---
@@ -37,32 +37,44 @@
@Context UriInfo uri;
@Override
+ public Response redirectToLogout() {
+ URI dest = uri.getBaseUriBuilder().path(LogoutApi.class).build();
+
+ return Response.status(Status.OK)
+ .entity(String.format("<!DOCTYPE html>\n<body>\n" +
+ "<script>\n" +
+ "(function(c){var a=new window.XMLHttpRequest;" +
+ //
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/open
+ "a.open('POST','%1$s',0,'user',(new
Date).getTime().toString());a.send(\"\");})();\n" +
+ "window.location.href='/';</script></body>",
dest.toASCIIString()))
+ .build();
+ }
+
+ @Override
public Response logout() {
WebEntitlementContext ctx = (WebEntitlementContext)
Entitlements.getEntitlementContext();
- URI dest =
uri.getBaseUriBuilder().path(LogoutApi.class).path(LogoutApi.class,
"logoutUser").build(ctx.user());
- // When execution gets here we don't know whether this is the
first fetch of logout() or a subsequent one
- // with a re-authenticated user. The only way to tell is compare
if user names changed. So redirect to an URL
- // which contains the user name.
- return Response.status(Status.TEMPORARY_REDIRECT)
+ if (ctx != null && ctx.user() != null) {
+ doLogout();
+ }
+
+ URI dest = uri.getBaseUriBuilder().build();
+
+ return Response.status(Status.UNAUTHORIZED)
+ .header("WWW-Authenticate", "Basic realm=\"webconsole\"")
+ // For Status 403, HTTP Location header may be omitted.
+ // Location is best to be used for http status 302
https://tools.ietf.org/html/rfc2616#section-10.3.3
.header("Location", dest.toASCIIString())
+ .entity("<script>window.location.replace(\"/\");</script>")
.build();
}
@Override
+ @Deprecated
public Response logoutUser(String user) {
- // Will work when switching users, but will keep re-authenticating
if user types in same user name.
- // Could improve by keeping state in cookies to decide whether to
request auth or declare successfull re-auth.
- WebEntitlementContext ctx = (WebEntitlementContext)
Entitlements.getEntitlementContext();
- if (user.equals(ctx.user())) {
- doLogout();
-
- return Response.status(Status.UNAUTHORIZED)
- .header("WWW-Authenticate", "Basic
realm=\"webconsole\"")
- .build();
- } else {
- return
Response.temporaryRedirect(uri.getAbsolutePathBuilder().replacePath("/").build()).build();
- }
+ return Response.status(Status.FOUND)
+ .header("Location",
uri.getBaseUriBuilder().path(LogoutApi.class).path(LogoutApi.class,
"logout").build())
--- End diff --
Are both calls of `path` required?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
