This repository has been archived by the owner on Dec 10, 2023. It is now read-only.

JENKINS-52306 Improve SSO logout, continuous fix for JENKINS-11507 #25

Closed
wants to merge 1 commit into from
9 changes: 9 additions & 0 deletions src/main/java/de/theit/jenkins/crowd/CrowdServletFilter.java
Expand Up @@ -178,6 +178,15 @@ public void doFilter(ServletRequest request, ServletResponse response,
if (null != auth) {
LOG.log(Level.FINE, "User successfully logged in");
sc.setAuthentication(auth);
} else { // Auto login failed.
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("User failed to log in");
}
HttpSession session = req.getSession(false);
if (session != null) {
session.invalidate();
}
SecurityContextHolder.clearContext();
Comment on lines +181 to +189

Contributor

The only thing I'm missing here is cache clearing.
If you invalidate the user, it still has records in the cache, which, together with token caching, can bypass SSO.

Contributor Author

@gmshake Oct 26, 2022


> The only thing I'm missing here is cache clearing.

I'm getting you here about the cache clearing.
Do you mean the crowd2-plugin caches tokens somewhere else other than in the session?

> If you invalidate the user, it still has records in the cache, which, together with token caching, can bypass SSO.

Can you please elaborate on this?

Contributor


> Do you mean the crowd2-plugin caches tokens somewhere else other than in the session?

`private CacheMap<String, User> userFromSSOTokenCache = null;`

I think the user should be removed from this cache in case of session termination.

> Can you please elaborate on this?

This will do the job:
https://www.youtube.com/watch?v=LMgpuVKslw8

}
}
}
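Review bot: the else branch (lines +181 to +189) invalidates the HttpSession and clears the SecurityContext but leaves the plugin's token-keyed user cache alone, so, as the thread points out, the SSO token that just failed auto-login can still be served from userFromSSOTokenCache on the next request; evict that token's entry here (and on the explicit logout path this PR improves) before calling session.invalidate(), since the token is no longer readable from the session afterwards. Two smaller points: session.invalidate() discards the whole HttpSession for every request whose auto-login fails, including state other filters or the Jenkins UI may have stored there, so a comment saying this is intended would help the next reader; and because sc was obtained before this branch (it is used at sc.setAuthentication(auth) above), check that nothing later in doFilter writes that now-stale SecurityContext back into a freshly created session after SecurityContextHolder.clearContext() has run.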
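The stale-cache bypass the thread describes, as an added example that is not crowd2-plugin code: a minimal Java model of a token-keyed user cache sitting in front of the Crowd server, with the session-only teardown from the PR's else branch beside a version that also evicts the token's cache entry. Session, CrowdServer, SsoTokenCacheDemo, userForToken, logoutSessionOnly and logoutWithCacheEviction are illustrative stand-ins, not the plugin's classes; the plugin's real CacheMap, CrowdClient and servlet types are deliberately not used so the file compiles on its own.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example, not crowd2-plugin code. Models the token-keyed user cache
// discussed in the review thread and shows why invalidating the HttpSession
// alone leaves a usable entry behind. Every class and method name below is a
// stand-in chosen for illustration.
public class SsoTokenCacheDemo {

    // Stand-in for javax.servlet.http.HttpSession: carries the SSO token the
    // filter stored and can be invalidated once.
    static final class Session {
        private String ssoToken;
        private boolean valid = true;

        Session(String ssoToken) { this.ssoToken = ssoToken; }

        String getSsoToken() {
            if (!valid) throw new IllegalStateException("session already invalidated");
            return ssoToken;
        }

        void invalidate() { valid = false; ssoToken = null; }
    }

    // Stand-in for the Crowd server, the authority on which tokens are live.
    static final class CrowdServer {
        private final Map<String, String> liveTokens = new HashMap<>();

        void issue(String token, String user) { liveTokens.put(token, user); }
        void revoke(String token) { liveTokens.remove(token); } // SSO logout on the Crowd side
        Optional<String> validate(String token) { return Optional.ofNullable(liveTokens.get(token)); }
    }

    // Stand-in for userFromSSOTokenCache: token -> user name, consulted before the server.
    private final Map<String, String> userFromSSOTokenCache = new HashMap<>();
    private final CrowdServer crowd;

    SsoTokenCacheDemo(CrowdServer crowd) { this.crowd = crowd; }

    // Cache-first auto-login: a hit never reaches the server, which is what
    // turns a stale entry into a bypass.
    Optional<String> userForToken(String token) {
        String cached = userFromSSOTokenCache.get(token);
        if (cached != null) {
            return Optional.of(cached);
        }
        Optional<String> fromServer = crowd.validate(token);
        fromServer.ifPresent(user -> userFromSSOTokenCache.put(token, user));
        return fromServer;
    }

    // Session-only teardown, as in the PR's else branch: the cache is untouched.
    void logoutSessionOnly(Session session) {
        session.invalidate();
    }

    // Teardown that also evicts the token's cache entry. The token is read
    // before invalidate() because the session no longer yields it afterwards.
    void logoutWithCacheEviction(Session session) {
        String token = session.getSsoToken();
        if (token != null) {
            userFromSSOTokenCache.remove(token);
        }
        session.invalidate();
    }

    public static void main(String[] args) {
        CrowdServer crowd = new CrowdServer();
        SsoTokenCacheDemo filter = new SsoTokenCacheDemo(crowd);
        String token = "tok-123"; // constructed sample token

        // 1. Normal auto-login populates the cache.
        crowd.issue(token, "alice");
        Session session = new Session(token);
        System.out.println("first login:        " + filter.userForToken(token));

        // 2. Crowd revokes the token and Jenkins tears down only the session:
        //    the cached entry still answers for the revoked token.
        crowd.revoke(token);
        filter.logoutSessionOnly(session);
        System.out.println("after session-only: " + filter.userForToken(token));

        // 3. Same sequence with eviction: the next request has to ask Crowd,
        //    which no longer knows the token.
        crowd.issue(token, "alice");
        session = new Session(token);
        filter.userForToken(token);
        crowd.revoke(token);
        filter.logoutWithCacheEviction(session);
        System.out.println("after eviction:     " + filter.userForToken(token));
    }
}
```

Run with `javac SsoTokenCacheDemo.java && java SsoTokenCacheDemo`. The second line still resolves the revoked token to a user, which is the bypass the reviewer means; the third is empty because the eviction forces the lookup back to the server. In the real filter the eviction has to happen in the same place as session.invalidate(), and the token must be read from the session before that call.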