I went back and took another look at this and turned on trace logging
and figured out the InvalidRequestFilter is tripping, specifically on a
semicolon in the URL. That filter was added in 1.6.0, hence that's the
first version where we see the issue.
So now the part I'm not sure about is how/why the URL is being modified
after logout. If I click the login button the URL in the browser is:
https://localhost:8443/app/login.xhtml;jsessionid=<snip> and, as
advertised by the IRF, I get a 400 response code.
The logout process is done through a servlet with the following
implementation:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;

protected void processRequest(HttpServletRequest request,
        HttpServletResponse response) throws ServletException, IOException {
    SecurityUtils.getSubject().logout();   // log the Shiro subject out (clears its principals and stops its session)
    request.getSession().invalidate();     // invalidate the HTTP session too (getSession() creates one if none exists)
    response.sendRedirect(request.getServletContext().getContextPath()); // back to the app root (index page)
}
And it is on the index page that things start to break. There's a
single image that doesn't load because the request URL has the
jsessionid appended, so it gets a 400 response, and if I click the
"Log In" button it goes to that URL (with the appended jsessionid) and
I get the main error that results in a blank page with just "Invalid
request".
So am I doing something wrong in my logout logic or is this a Shiro issue?
Thanks!
On 12/17/2020 9:55 AM, Francois Papon wrote:
Ok thanks, we will take a look.
regards,
François
fpa...@apache.org
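As an added example (not part of this thread, and not Shiro's own documentation), the two shiro.ini settings that bear on the situation described above. It assumes the application lets Shiro manage sessions itself (DefaultWebSessionManager, i.e. native session mode); that assumption is marked in the comments. The first setting stops Shiro from ever appending ;jsessionid=... to a redirect URL, so the InvalidRequestFilter never sees a semicolon. The second relaxes the filter instead, which is the weaker choice: a session ID carried in the URL leaks through Referer headers, browser history and access logs, and makes session fixation easier. If the application uses the servlet container's sessions rather than Shiro's, the container does the URL rewriting and it is turned off there instead (Servlet 3.0's tracking-mode of COOKIE in web.xml).

```ini
[main]
# Option 1 (preferred): never put the session ID in a URL.
# Assumes Shiro native session mode; with container-managed sessions
# the container, not Shiro, performs the ;jsessionid= rewriting.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionIdUrlRewritingEnabled = false
securityManager.sessionManager = $sessionManager

# Option 2 (weaker): let requests with ';' in the path through the
# InvalidRequestFilter that 1.6.0 added (default filter name "invalidRequest").
# Leave the backslash and non-ASCII checks enabled.
# invalidRequest.blockSemicolon = false
```

With option 1 in place, a logout that redirects to the context path produces a plain https://localhost:8443/app/ with no path parameter, so both the index page image and the login link load without tripping the filter; option 2 only hides the symptom and keeps the session ID in URLs.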