Redirect to other page for logout + invalidate session
CaptainCasa


(...from mail request that is responded through the forum)

We are currently rebuilding our SAML implementation. We just want to install the SAML logout and encounter a "flow problem".

To log out of the SAML identity provider, we use Spring with the endpoint /logout in our own context. Spring then makes a call to the identity provider. That would be ok or fits.

We called this logout via a clientredirecturl component on the workplace.jsp (this is the layer below our outermost JSP). The code with the trigger for the component looks like this:

Code:
 if (ssoActive)
 {
     ssoLogoutRedirectTrigger.trigger();
 }
 HttpSessionAccess.getCurrentDialogSession().invalidate();

The trigger doesn't trigger and I suspect because of the invalidate. The invalidate leads to a reload of the client and ignores other triggers/actions in this round trip!?

That's why our logout doesn't work.

What it would take would be to invalidate the http session and redirect to our logout URL.

For example: HttpSessionAccess.getCurrentDialogSession().invalidate("/logout");

Understandable?

Is there any way we can do this with existing resources? Do we have to somehow pack this into two round trips? Or how can I throw out an http session without the client wanting to reload immediately?

Björn Müller, CaptainCasa GmbH
CaptainCasa


Hi,

What about the following:

Code:
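     public void onButtonAction(javax.faces.event.ActionEvent event)
     {
         // Send the redirect while the session is still valid.
         m_trigger.trigger();
         // Keep a reference to the HTTP session so it can be invalidated later.
         final HttpSession sessionToBeClosed = HttpSessionAccess.getCurrentHttpSession();
         HttpSessionAccess.getCurrentDialogSession().addListener(new ISessionAbstractionListener()
         {
             @Override
             public void reactOnClosed()
             {
                 // Called when the dialog session is closed; only now close the HTTP session.
                 try
                 {
                     sessionToBeClosed.invalidate();
                 }
                 catch (Throwable t)
                 {
                     t.printStackTrace();
                 }
             }
         });
     }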

You send the redirect in a valid session. Due to the redirect the client will notify the server that the current dialog session (the one that belongs to your browser tab) is closed. In the closing of the dialog session you embed the code to close the HTTP session.

(I assume you work with session-tracking "COOKIE", so there is an HTTP session spanning one or more browser tabs, and there is one dialog session per browser tab. - Of course invalidating the HTTP session will also affect other browser tabs that are started in parallel to the one that you start the invalidation from.)

Kind regards! Björn

Björn Müller, CaptainCasa GmbH
 