github-advanced-security[bot] commented on code in PR #1148: URL: https://github.com/apache/syncope/pull/1148#discussion_r2240245950
########## ext/oidcc4ui/client-common-ui/src/main/java/org/apache/syncope/client/ui/commons/resources/oidcc4ui/LogoutResource.java: ########## 
@@ -18,19 +18,65 @@ */
 package org.apache.syncope.client.ui.commons.resources.oidcc4ui;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+import java.util.Optional;
+import org.apache.syncope.client.ui.commons.BaseSession;
+import org.apache.syncope.client.ui.commons.panels.OIDCC4UIConstants;
+import org.apache.syncope.common.rest.api.service.OIDCC4UIService;
 import org.apache.wicket.RestartResponseException;
+import org.apache.wicket.Session;
 import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.request.mapper.parameter.PageParameters;
 import org.apache.wicket.request.resource.AbstractResource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 public abstract class LogoutResource extends AbstractResource {
 private static final long serialVersionUID = 273797583932923564L;
+ protected static final Logger LOG = LoggerFactory.getLogger(LogoutResource.class);
+
 protected abstract Class<? extends WebPage> getLogoutPageClass();
 @Override
 protected ResourceResponse newResourceResponse(final Attributes attributes) {
- throw new RestartResponseException(getLogoutPageClass(), new PageParameters());
+ HttpServletRequest request = (HttpServletRequest) attributes.getRequest().getContainerRequest();
+
+ // if no logout token was found, complete RP-initated logout
+ // otherwise, proceed with back-channel logout for the provided token
+ String logoutToken = Optional.ofNullable(request.getParameter(OIDCC4UIConstants.PARAM_LOGOUT_TOKEN)).
+ orElseThrow(() -> new RestartResponseException(getLogoutPageClass(), new PageParameters()));
+
+ OIDCC4UIService service = BaseSession.class.cast(Session.get()).getAnonymousService(OIDCC4UIService.class);
+
+ ResourceResponse response = new ResourceResponse();
+ response.getHeaders().addHeader(HttpHeaders.CACHE_CONTROL, "no-cache, no-store");
+ response.getHeaders().addHeader("Pragma", "no-cache");
+ try {
+ service.backChannelLogout(logoutToken);
+
+ response.setStatusCode(Response.Status.OK.getStatusCode());
+ } catch (Exception e) {
+ LOG.error("While requesting back-channel logout for token {}", logoutToken, e);
+
+ response.setStatusCode(Response.Status.BAD_REQUEST.getStatusCode());
+ response.setContentType(MediaType.APPLICATION_JSON);
+ response.setWriteCallback(new WriteCallback() {
+
+ @Override
+ public void writeData(final Attributes atrbts) throws IOException {
+ Writer writer = new OutputStreamWriter(atrbts.getResponse().getOutputStream());
Review Comment:
## Potential output resource leak
This OutputStreamWriter is not always closed on method exit. [Show more details](https://github.com/apache/syncope/security/code-scanning/2274)
########## ext/oidcc4ui/client-common-ui/src/main/java/org/apache/syncope/client/ui/commons/resources/oidcc4ui/LogoutResource.java: ##########
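Review bot: The `OutputStreamWriter` built in `writeData` on the last quoted line is given no charset, so the JSON error body is encoded with the JVM's platform default (UTF-8 only since JDK 18), and the `response.setContentType(MediaType.APPLICATION_JSON)` call a few lines above declares no charset either, so a non-ASCII message can be mis-decoded by the OP reading it. Pass the charset explicitly, `Writer writer = new OutputStreamWriter(atrbts.getResponse().getOutputStream(), StandardCharsets.UTF_8);` (which needs `import java.nio.charset.StandardCharsets;`), and declare it in the content type, e.g. `response.setContentType(MediaType.APPLICATION_JSON + ";charset=UTF-8");`. Both `writeData` and the enclosing `newResourceResponse` continue past the end of the quoted hunk, so what the body actually contains is not visible here.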
@@ -18,19 +18,65 @@ */
 package org.apache.syncope.client.ui.commons.resources.oidcc4ui;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+import java.util.Optional;
+import org.apache.syncope.client.ui.commons.BaseSession;
+import org.apache.syncope.client.ui.commons.panels.OIDCC4UIConstants;
+import org.apache.syncope.common.rest.api.service.OIDCC4UIService;
 import org.apache.wicket.RestartResponseException;
+import org.apache.wicket.Session;
 import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.request.mapper.parameter.PageParameters;
 import org.apache.wicket.request.resource.AbstractResource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 public abstract class LogoutResource extends AbstractResource {
 private static final long serialVersionUID = 273797583932923564L;
+ protected static final Logger LOG = LoggerFactory.getLogger(LogoutResource.class);
+
 protected abstract Class<? extends WebPage> getLogoutPageClass();
 @Override
 protected ResourceResponse newResourceResponse(final Attributes attributes) {
- throw new RestartResponseException(getLogoutPageClass(), new PageParameters());
+ HttpServletRequest request = (HttpServletRequest) attributes.getRequest().getContainerRequest();
+
+ // if no logout token was found, complete RP-initated logout
+ // otherwise, proceed with back-channel logout for the provided token
+ String logoutToken = Optional.ofNullable(request.getParameter(OIDCC4UIConstants.PARAM_LOGOUT_TOKEN)).
+ orElseThrow(() -> new RestartResponseException(getLogoutPageClass(), new PageParameters()));
+
+ OIDCC4UIService service = BaseSession.class.cast(Session.get()).getAnonymousService(OIDCC4UIService.class);
+
+ ResourceResponse response = new ResourceResponse();
+ response.getHeaders().addHeader(HttpHeaders.CACHE_CONTROL, "no-cache, no-store");
+ response.getHeaders().addHeader("Pragma", "no-cache");
+ try {
+ service.backChannelLogout(logoutToken);
+
+ response.setStatusCode(Response.Status.OK.getStatusCode());
+ } catch (Exception e) {
+ LOG.error("While requesting back-channel logout for token {}", logoutToken, e);
Review Comment:
## Insertion of sensitive information into log files
This [potentially sensitive information](1) is written to a log file. [Show more details](https://github.com/apache/syncope/security/code-scanning/2273)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@syncope.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
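Review bot: `request.getParameter(OIDCC4UIConstants.PARAM_LOGOUT_TOKEN)` on the `String logoutToken = …` line reads the token from the query string as readily as from the request body, so a token arriving in a GET URL is accepted and then ends up in access logs, proxy logs and browser history before `backChannelLogout` ever sees it. The OpenID Connect Back-Channel Logout specification delivers `logout_token` as a form parameter of a POST, so the token should only be honoured on that method and any other request should fall through to the RP-initiated redirect, e.g. replace the `Optional.ofNullable(…)` receiver with `Optional.ofNullable("POST".equals(request.getMethod()) ? request.getParameter(OIDCC4UIConstants.PARAM_LOGOUT_TOKEN) : null)`. Separately, the comment two lines above misspells the flow; it should read `// if no logout token was found, complete RP-initiated logout`. `newResourceResponse` continues past the end of the quoted hunk.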