author | David Ostrovsky <david@ostrovsky.org> | 2015-04-12 09:29:16 +0200 |
committer | David Ostrovsky <david@ostrovsky.org> | 2015-04-12 10:43:25 +0200 |
commit | 6b18e3a0032e7bd5248258d0ce3be23fe726bd94 (patch) | |
tree | 5eedc5b240f669ff08a2a54023edea1f84725ea2 | |
parent | 5fa42e8d93d65c1358d34b9a1b84004d34eaa92c (diff) |
Invalidate OAuth session after web_sessions cache expiration
When the web_sessions cache is expired, the OAuth session preserves its
logged-in state. This makes a new sign-in impossible.
Rectify it by checking the states mismatch and invalidating OAuth
session when web_sessions cache was expired.
GitHub-Bug: https://github.com/davido/gerrit-oauth-provider/issues/5
Change-Id: I3d57193c5af29561fd1fac0804dd19c08a0e9dbe
-rw-r--r-- | gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java b/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java
index 7f93437fbe..48963a6e51 100644
--- a/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java
+++ b/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java
@@ -89,18 +89,22 @@ class OAuthWebFilter implements Filter {
       FilterChain chain) throws IOException, ServletException {
     HttpServletRequest httpRequest = (HttpServletRequest) request;
     HttpSession httpSession = ((HttpServletRequest) request).getSession(false);
+    OAuthSession oauthSession = oauthSessionProvider.get();
     if (currentUserProvider.get().isIdentifiedUser()) {
       if (httpSession != null) {
         httpSession.invalidate();
       }
       chain.doFilter(request, response);
       return;
+    } else {
+      if (oauthSession.isLoggedIn()) {
+        oauthSession.logout();
+      }
     }
     HttpServletResponse httpResponse = (HttpServletResponse) response;
     String provider = httpRequest.getParameter("provider");
-    OAuthSession oauthSession = oauthSessionProvider.get();
     OAuthServiceProvider service = ssoProvider == null
         ? oauthSession.getServiceProvider()
         : ssoProvider;
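Review bot: The hoisted `oauthSessionProvider.get()` now runs on every request, including the identified-user path, and it runs after `httpSession` was captured with `getSession(false)`; if that provider is servlet-session scoped (not visible in this hunk) it could create a session that the identified branch then neither sees nor invalidates. Swapping the two lines, `OAuthSession oauthSession = oauthSessionProvider.get();` before `HttpSession httpSession = ((HttpServletRequest) request).getSession(false);`, keeps the invalidate aimed at the session actually in use. The new `else` block is also redundant after an unconditional `return`, and the reason for the logout lives only in the commit message, so a flat `if (oauthSession.isLoggedIn()) { oauthSession.logout(); }` after the identified-user block with the comment `// web_sessions entry expired but the OAuth session still says logged in; reset it so a fresh sign-in can start` reads better. Whether `logout()` also clears state held in the servlet session cannot be told from here, so it is worth confirming that an unidentified request is left with no residual login state. doFilter continues past the end of the hunk.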