github-advanced-security[bot] commented on code in PR #1148:
URL: https://github.com/apache/syncope/pull/1148#discussion_r2240245950


##########
ext/oidcc4ui/client-common-ui/src/main/java/org/apache/syncope/client/ui/commons/resources/oidcc4ui/LogoutResource.java:
##########
@@ -18,19 +18,65 @@
  */
 package org.apache.syncope.client.ui.commons.resources.oidcc4ui;
 
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+import java.util.Optional;
+import org.apache.syncope.client.ui.commons.BaseSession;
+import org.apache.syncope.client.ui.commons.panels.OIDCC4UIConstants;
+import org.apache.syncope.common.rest.api.service.OIDCC4UIService;
 import org.apache.wicket.RestartResponseException;
+import org.apache.wicket.Session;
 import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.request.mapper.parameter.PageParameters;
 import org.apache.wicket.request.resource.AbstractResource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public abstract class LogoutResource extends AbstractResource {
 
     private static final long serialVersionUID = 273797583932923564L;
 
+    protected static final Logger LOG = 
LoggerFactory.getLogger(LogoutResource.class);
+
     protected abstract Class<? extends WebPage> getLogoutPageClass();
 
     @Override
     protected ResourceResponse newResourceResponse(final Attributes 
attributes) {
-        throw new RestartResponseException(getLogoutPageClass(), new 
PageParameters());
+        HttpServletRequest request = (HttpServletRequest) 
attributes.getRequest().getContainerRequest();
+
+        // if no logout token was found, complete RP-initated logout
+        // otherwise, proceed with back-channel logout for the provided token
+        String logoutToken = 
Optional.ofNullable(request.getParameter(OIDCC4UIConstants.PARAM_LOGOUT_TOKEN)).
+                orElseThrow(() -> new 
RestartResponseException(getLogoutPageClass(), new PageParameters()));
+
+        OIDCC4UIService service = 
BaseSession.class.cast(Session.get()).getAnonymousService(OIDCC4UIService.class);
+
+        ResourceResponse response = new ResourceResponse();
+        response.getHeaders().addHeader(HttpHeaders.CACHE_CONTROL, "no-cache, 
no-store");
+        response.getHeaders().addHeader("Pragma", "no-cache");
+        try {
+            service.backChannelLogout(logoutToken);
+
+            response.setStatusCode(Response.Status.OK.getStatusCode());
+        } catch (Exception e) {
+            LOG.error("While requesting back-channel logout for token {}", 
logoutToken, e);
+
+            
response.setStatusCode(Response.Status.BAD_REQUEST.getStatusCode());
+            response.setContentType(MediaType.APPLICATION_JSON);
+            response.setWriteCallback(new WriteCallback() {
+
+                @Override
+                public void writeData(final Attributes atrbts) throws 
IOException {
+                    Writer writer = new 
OutputStreamWriter(atrbts.getResponse().getOutputStream());
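Review bot: The `OutputStreamWriter` on the last line of the hunk is created without a charset, so on JDKs before 18 the JSON error body is encoded with the JVM default charset, while `response.setContentType(MediaType.APPLICATION_JSON)` a few lines above implies UTF-8 to the OP that reads it. Pass the charset explicitly: `Writer writer = new OutputStreamWriter(atrbts.getResponse().getOutputStream(), StandardCharsets.UTF_8);` (with `import java.nio.charset.StandardCharsets;`). The `writeData` callback and the rest of `newResourceResponse` continue outside the hunk, so what is actually written to the stream could not be checked here.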

Review Comment:
   ## Potential output resource leak
   
   This OutputStreamWriter is not always closed on method exit.
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/2274)



##########
ext/oidcc4ui/client-common-ui/src/main/java/org/apache/syncope/client/ui/commons/resources/oidcc4ui/LogoutResource.java:
##########
@@ -18,19 +18,65 @@
  */
 package org.apache.syncope.client.ui.commons.resources.oidcc4ui;
 
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.io.Writer;
+import java.util.Optional;
+import org.apache.syncope.client.ui.commons.BaseSession;
+import org.apache.syncope.client.ui.commons.panels.OIDCC4UIConstants;
+import org.apache.syncope.common.rest.api.service.OIDCC4UIService;
 import org.apache.wicket.RestartResponseException;
+import org.apache.wicket.Session;
 import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.request.mapper.parameter.PageParameters;
 import org.apache.wicket.request.resource.AbstractResource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public abstract class LogoutResource extends AbstractResource {
 
     private static final long serialVersionUID = 273797583932923564L;
 
+    protected static final Logger LOG = 
LoggerFactory.getLogger(LogoutResource.class);
+
     protected abstract Class<? extends WebPage> getLogoutPageClass();
 
     @Override
     protected ResourceResponse newResourceResponse(final Attributes 
attributes) {
-        throw new RestartResponseException(getLogoutPageClass(), new 
PageParameters());
+        HttpServletRequest request = (HttpServletRequest) 
attributes.getRequest().getContainerRequest();
+
+        // if no logout token was found, complete RP-initated logout
+        // otherwise, proceed with back-channel logout for the provided token
+        String logoutToken = 
Optional.ofNullable(request.getParameter(OIDCC4UIConstants.PARAM_LOGOUT_TOKEN)).
+                orElseThrow(() -> new 
RestartResponseException(getLogoutPageClass(), new PageParameters()));
+
+        OIDCC4UIService service = 
BaseSession.class.cast(Session.get()).getAnonymousService(OIDCC4UIService.class);
+
+        ResourceResponse response = new ResourceResponse();
+        response.getHeaders().addHeader(HttpHeaders.CACHE_CONTROL, "no-cache, 
no-store");
+        response.getHeaders().addHeader("Pragma", "no-cache");
+        try {
+            service.backChannelLogout(logoutToken);
+
+            response.setStatusCode(Response.Status.OK.getStatusCode());
+        } catch (Exception e) {
+            LOG.error("While requesting back-channel logout for token {}", 
logoutToken, e);
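Review bot: The back-channel branch is taken whenever a `logout_token` parameter is present, and `HttpServletRequest.getParameter` returns query-string values as well as form-body ones, so a token placed in the URL of a GET request is accepted and processed, leaving it in access logs, proxy logs and Referer headers. The OpenID Connect Back-Channel Logout specification has the OP deliver the token by POST as `application/x-www-form-urlencoded`; consider reading the parameter only on POST, e.g. `String rawToken = "POST".equalsIgnoreCase(request.getMethod()) ? request.getParameter(OIDCC4UIConstants.PARAM_LOGOUT_TOKEN) : null;` feeding the `Optional.ofNullable(...)` chain, so a GET carrying a token in the URL still falls through to the RP-initiated logout page. Separately, `catch (Exception e)` maps every failure, including transport errors on the way to `service.backChannelLogout`, to 400, which the OP will read as an invalid token rather than an RP-side fault; narrowing the catch or returning a 5xx for non-validation errors seems worth considering, though the exception types the service throws are not visible here. The method body continues past the end of the hunk.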

Review Comment:
   ## Insertion of sensitive information into log files
   
   This [potentially sensitive information](1) is written to a log file.
   
   [Show more 
details](https://github.com/apache/syncope/security/code-scanning/2273)


