[Dev] Not invalidating authenticated session in SSO of 4.2.2 version

Manjula Rathnayake Thu, 12 Feb 2015 21:14:35 -0800

Hi all,

In AF we have faced below issue when login into the AF using multiple
tenants.
ERROR {org.wso2.carbon.context.internal.CarbonContextDataHolder} -  Trying
to set the domain from 2 to 4
{org.wso2.carbon.context.internal.CarbonContextDataHolder}
java.lang.IllegalStateException: Trying to set the domain from 2 to 4
at
org.wso2.carbon.context.internal.CarbonContextDataHolder.setTenantId(CarbonContextDataHolder.java:1587)
at
org.wso2.carbon.context.PrivilegedCarbonContext.setTenantId(PrivilegedCarbonContext.java:208)
at
org.wso2.carbon.context.PrivilegedCarbonContext.setTenantId(PrivilegedCarbonContext.java:197)
at
org.wso2.carbon.core.multitenancy.utils.TenantAxisUtils.createTenantConfigurationContext(TenantAxisUtils.java:284)


After analyzing the code, it was identified that SSO component does not
invalidate the session when log out request is processed in IDP side.

Patching org.wso2.carbon.identity.sso.saml/4.2.2 solved this issue.

---
src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
(revision
206134)
+++
src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java
(working
copy)
@@ -271,6 +271,9 @@
             // sending LogoutResponse back to the initiator
             sendResponse(req, resp, relayState,
signInRespDTO.getLogoutResponse(),
                     signInRespDTO.getAssertionConsumerURL(),
signInRespDTO.getSubject());
+            if (req.getSession() != null) {
+                req.getSession().invalidate();
+            }

         }
     }

Please let us know any concerns on this fix.

thank you.

-- 
Manjula Rathnayaka
Software Engineer
WSO2, Inc.
Mobile:+94 77 743 1987

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev

[Dev] Not invalidating authenticated session in SSO of 4.2.2 version

Reply via email to