tbouron commented on a change in pull request #1032: fix session sharing and
simplify logout
URL: https://github.com/apache/brooklyn-server/pull/1032#discussion_r252208591
##########
File path:
rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java
##########
@@ -75,19 +67,80 @@ public Response logoutUser(String user) {
// also the realm is removed (there might not be a realm;
in this code we don't know)
.build();
} else {
- return
Response.temporaryRedirect(uri.getAbsolutePathBuilder().replacePath("/").build()).build();
+ return
Response.temporaryRedirect(uri.getBaseUriBuilder().path(LogoutApi.class).path(LogoutApi.class,
"redirect").build()).
+ entity("User requested to log out does not match actual user
logged in").build();
+ }
+ }
+
+ @Override
+ public Response logout(String unauthorize, String requestedUser) {
+ MultiSessionAttributeAdapter session =
MultiSessionAttributeAdapter.of(req, false);
+ WebEntitlementContext ctx = (WebEntitlementContext)
Entitlements.getEntitlementContext();
+ String currentUser = ctx==null ? null : ctx.user();
+ log.debug("Logging out: {}, session id {} ({})"+", unauthorized={}",
currentUser, (session!=null ? session.getId()+" " : ""), session, unauthorize);
+
+ MutableMap<String,String> body = MutableMap.of();
+ body.addIfNotNull("currentUser", currentUser);
+ body.addIfNotNull("requestedUser", requestedUser);
+ body.addIfNotNull("sessionId", session==null ? null : session.getId());
+ body.addIfNotNull("requestedSessionId", req.getRequestedSessionId());
+
+ if (requestedUser!=null && !requestedUser.equals(currentUser)) {
+ return Response.status(Status.FORBIDDEN)
+ .entity(body.add("message", "The user requested to be logged
out is not the user currently logged in"))
+ .build();
}
+ doLogout();
+
+ if (unauthorize!=null) {
+ // returning 401 UNAUTHORIZED has the nice property that it causes
browser (mostly)
+ // to re-prompt for cached credentials to set in the
"Authorization: " header to re-login;
+ // TODO however it's not 100%;
+ // some repeated requests (eg /server/up/extended) in brooklyn
webapp seem to keep that header
+ return Response.status(Status.UNAUTHORIZED)
+ .entity(body.add("message", unauthorize))
+ .build();
+ }
+
+ return Response.status(Status.OK)
+ .entity(body.add("message", "Logged out user "+currentUser))
+ .build();
}
private void doLogout() {
+ MultiSessionAttributeAdapter multi =
MultiSessionAttributeAdapter.of(req);
+
+ // if we need to intercept session creation then can use this
+ // create TrackingSessionHandler which delegates (no-op if
delegate==null esp in setSessionTrackingMode)
+ // and log with stack trace in newHttpSession
+// HttpServletRequest jreq = req;
+// if (jreq instanceof ThreadLocalHttpServletRequest) jreq =
((ThreadLocalHttpServletRequest)jreq).get();
+// if (jreq instanceof ServletRequestWrapper) jreq =
(HttpServletRequest) ((ServletRequestWrapper)jreq).getRequest();
+// if (jreq instanceof Request) {
+// log.warn("SWAPPING "+MultiSessionAttributeAdapter.info(jreq));
+// ((Request)jreq).setSessionHandler(new
TrackingSessionHandler(((Request)jreq).getSessionHandler()));
+// } else {
+// log.warn("UNABLE to swap
request"+MultiSessionAttributeAdapter.info(jreq));
+// }
Review comment:
Can be removed