[
https://issues.apache.org/jira/browse/BROOKLYN-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15409252#comment-15409252
]
ASF GitHub Bot commented on BROOKLYN-323:
-----------------------------------------
Github user sjcorbett commented on a diff in the pull request:
https://github.com/apache/brooklyn-server/pull/288#discussion_r73668447
--- Diff:
rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java
---
@@ -37,32 +37,44 @@
@Context UriInfo uri;
@Override
+ public Response redirectToLogout() {
+ URI dest = uri.getBaseUriBuilder().path(LogoutApi.class).build();
+
+ return Response.status(Status.OK)
+ .entity(String.format("<!DOCTYPE html>\n<body>\n" +
+ "<script>\n" +
+ "(function(c){var a=new window.XMLHttpRequest;" +
+ //
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/open
+ "a.open('POST','%1$s',0,'user',(new
Date).getTime().toString());a.send(\"\");})();\n" +
+ "window.location.href='/';</script></body>",
dest.toASCIIString()))
+ .build();
+ }
+
+ @Override
public Response logout() {
WebEntitlementContext ctx = (WebEntitlementContext)
Entitlements.getEntitlementContext();
- URI dest =
uri.getBaseUriBuilder().path(LogoutApi.class).path(LogoutApi.class,
"logoutUser").build(ctx.user());
- // When execution gets here we don't know whether this is the
first fetch of logout() or a subsequent one
- // with a re-authenticated user. The only way to tell is compare
if user names changed. So redirect to an URL
- // which contains the user name.
- return Response.status(Status.TEMPORARY_REDIRECT)
+ if (ctx != null && ctx.user() != null) {
+ doLogout();
+ }
+
+ URI dest = uri.getBaseUriBuilder().build();
+
+ return Response.status(Status.UNAUTHORIZED)
+ .header("WWW-Authenticate", "Basic realm=\"webconsole\"")
+ // For Status 403, HTTP Location header may be omitted.
+ // Location is best to be used for http status 302
https://tools.ietf.org/html/rfc2616#section-10.3.3
.header("Location", dest.toASCIIString())
+ .entity("<script>window.location.replace(\"/\");</script>")
.build();
}
@Override
+ @Deprecated
public Response logoutUser(String user) {
- // Will work when switching users, but will keep re-authenticating
if user types in same user name.
- // Could improve by keeping state in cookies to decide whether to
request auth or declare successfull re-auth.
- WebEntitlementContext ctx = (WebEntitlementContext)
Entitlements.getEntitlementContext();
- if (user.equals(ctx.user())) {
- doLogout();
-
- return Response.status(Status.UNAUTHORIZED)
- .header("WWW-Authenticate", "Basic
realm=\"webconsole\"")
- .build();
- } else {
- return
Response.temporaryRedirect(uri.getAbsolutePathBuilder().replacePath("/").build()).build();
- }
+ return Response.status(Status.FOUND)
+ .header("Location",
uri.getBaseUriBuilder().path(LogoutApi.class).path(LogoutApi.class,
"logout").build())
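Review bot: the comment above the `Location` header in `logout()` talks about status 403 and cites RFC 2616 section 10.3.3 (302 Found), but the response built there is `Status.UNAUTHORIZED` (401), so the comment contradicts the code; either reword it to say why a `Location` header is attached to a 401 (browsers do not follow it, the `<script>` entity performs the redirect) or drop the header and rely on the script alone. Two smaller points in the same hunk: `redirectToLogout()` passes `0` as the `async` argument to `XMLHttpRequest.open`, i.e. a synchronous request on the main thread, which browsers have deprecated, so an async request that sets `window.location.href='/'` from its load/error callback would be cleaner; and the hard-coded `realm="webconsole"` only clears the browser's cached Basic credentials if it matches the realm the authentication filter itself issues, so it is worth verifying that both come from one constant.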
--- End diff --
Are both calls of `path` required?
> Inconsistent logout behavior for Basic Authentication
> -----------------------------------------------------
>
> Key: BROOKLYN-323
> URL: https://issues.apache.org/jira/browse/BROOKLYN-323
> Project: Brooklyn
> Issue Type: Bug
> Affects Versions: 0.9.0, 0.10.0, 0.9.1
> Environment: Firefox, Internet Explorer, Google Chrome
> Reporter: Valentin Aitken
> Fix For: 0.10.0
>
>
> Observed behavior:
> When clicking logout, the browser asks for a password.
> When entering a password, the browser asks you sequentially to enter username and
> password.
> How logout should be implemented for Basic Authentication:
> http://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication
> My explanation for behavior with the current code:
> First, to clear up how brooklyn-ui works and what it does.
> It polls the brooklyn api infinitely to retrieve the status of the applications
> which are on the dashboard.
> To do that, each request has to be authenticated.
> Logout:
> When the user clicks logout, the UI fires an ajax call to get a proper Unauthorized
> response.
> The current response for the logout request contains an Unauthorized response which
> should invalidate credentials.
> For Google Chrome it does invalidate the request credentials but it does not
> reload the DOM (or the webpage).
> When the user tries to type username and password to log in back again, it is
> followed by another username and password prompt.
> My explanation for this is that the login actually came from one of the
> application status calls rather than the index page, and credentials are not
> populated through the DOM.
> Because of this, credentials have to be typed for every single request, and the UI
> is making status calls infinitely, so in other words the user has to enter
> username and password infinitely.
> However, Internet Explorer behaves differently.
> It just unauthenticates the one Ajax request and from there nothing happens.
> Deletion of the session within Internet Explorer doesn't happen and the browser
> stays authenticated.
> My idea for solving those problems is to do a full reload of the web page
> after deauthenticating,
> so Brooklyn can have only one JavaScript authentication cycle.
> I will provide a solution which does that in one simple step:
> calling the /logout API, which returns an Unauthorized response and redirects
> to the home page.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
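The logout contract the issue describes for Basic Authentication, as an added stand-alone Python sketch that is not Brooklyn's code: a `/logout` endpoint answers 401 with a `WWW-Authenticate` challenge and a body that reloads the root page, so the browser drops the Basic credentials it cached and the next prompt comes from the index page rather than from a background status poll. The user store, realm, URL paths, and the `simulate_logout_flow` helper are constructed here for illustration.

```python
import base64
import hmac

# Constructed demo user store and realm (assumptions, not Brooklyn's own code);
# a real service would keep hashed credentials elsewhere.
USERS = {"admin": "s3cret"}
REALM = "webconsole"
LOGOUT_BODY = '<script>window.location.replace("/");</script>'


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(user, password):
    """Constant-time comparison; unknown users compare against '' and still fail."""
    expected = USERS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode()) and user in USERS


def challenge():
    """The 401 that both an ordinary auth failure and /logout return.

    The realm must be the one the protected URLs use: the browser discards its
    cached Basic pair for that protection space when it sees the 401."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, ""


def handle(path, authorization=None):
    """Route one request; returns (status, headers, body)."""
    if path == "/logout":
        # Whatever credentials arrive here are rejected (the UI deliberately sends
        # a bogus 'user':<timestamp> pair), so the browser forgets the real ones.
        # The body reloads the root page so the next credential prompt comes from
        # the index page instead of from a background status poll.
        status, headers, _ = challenge()
        return status, headers, LOGOUT_BODY
    creds = parse_basic_auth(authorization)
    if creds is None or not credentials_valid(*creds):
        return challenge()
    if path == "/":
        return 200, {"Content-Type": "text/html"}, "<h1>dashboard</h1>"
    if path == "/v1/applications":
        return 200, {"Content-Type": "application/json"}, "[]"
    return 404, {}, ""


def basic_header(user, password):
    """Build the Authorization header a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def simulate_logout_flow():
    """Replay the browser-side sequence from the issue and return the status codes.

    'cached' stands in for the browser's stored Basic credentials: a 401 on any
    request in the protection space makes the browser drop them."""
    cached = basic_header("admin", "s3cret")
    statuses = []

    def send(path, auth):
        status, _, _ = handle(path, auth)
        statuses.append(status)
        return status

    send("/", cached)                                        # index page loads
    send("/v1/applications", cached)                         # dashboard status poll
    if send("/logout", basic_header("user", "1470000000")) == 401:
        cached = None                                        # browser forgets the pair
    send("/v1/applications", cached)                         # first poll after reload
    return statuses


if __name__ == "__main__":
    print(simulate_logout_flow())  # [200, 200, 401, 401]
```

The last status in the replay is the point of the fix: once the browser has forgotten the credentials, the reload of `/` is what triggers the single re-authentication prompt, and every later status poll reuses the pair entered there instead of prompting again.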