JENKINS-52306 Improve SSO logout, continuous fix for JENKINS-11507 #25
Conversation
|
@gmshake I know it was long time ago, but could you check if this working with latest master changes? |
|
I'm glad to, but no bandwidths until next week. |
|
No problem :) |
|
@gmshake Thanks 😄 |
|
No, it is not tested extensively yet. I'll report back later. |
|
@gmshake Are you still interested in merging this PR? |
| } else { // Auto login failed. | ||
| if (LOG.isLoggable(Level.FINE)) { | ||
| LOG.fine("User failed to log in"); | ||
| } | ||
| HttpSession session = req.getSession(false); | ||
| if (session != null) { | ||
| session.invalidate(); | ||
| } | ||
| SecurityContextHolder.clearContext(); |
There was a problem hiding this comment.
the only thing i'm missing here is cache clearing
If you invalidate user it still have records in cache which together with token caching can bypass sso
There was a problem hiding this comment.
the only thing i'm missing here is cache clearing
I'm getting you here about the cache clearing.
Do you mean the crowd2-plugin caches tokens somewhere else other than in the session?
If you invalidate user it still have records in cache which together with token caching can bypass sso
Can you please elaborate this?
There was a problem hiding this comment.
Do you mean the crowd2-plugin caches tokens somewhere else other than in the session?
I think user should be removed from this cache in case of session termination.
Can you please elaborate this?
This will do the job
https://www.youtube.com/watch?v=LMgpuVKslw8
Until the problem is fixed, or nobody complains about the problem ;) |
|
I will takeover this. |
|
@akouznetchik could you help us with testing this? |
|
@akouznetchik any updates? |
Will take a look this weekend |
Thanks man :) |
|
Development of this plugin is stopped. |
Issue link JENKINS-52306