From 6b18e3a0032e7bd5248258d0ce3be23fe726bd94 Mon Sep 17 00:00:00 2001 From: David Ostrovsky Date: Sun, 12 Apr 2015 09:29:16 +0200 Subject: [PATCH] Invalidate OAuth session after web_sessions cache expiration When web_sessions cache is expired, OAuth session preserves it logged in state. This makes new sign-in impossible. Rectify it by checking the states mismatch and invalidating OAuth session when web_sessions cache was expired. GitHub-Bug: https://github.com/davido/gerrit-oauth-provider/issues/5 Change-Id: I3d57193c5af29561fd1fac0804dd19c08a0e9dbe --- .../com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java b/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java index 7f93437fbe..48963a6e51 100644 --- a/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java +++ b/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java @@ -89,18 +89,22 @@ class OAuthWebFilter implements Filter { FilterChain chain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest) request; HttpSession httpSession = ((HttpServletRequest) request).getSession(false); + OAuthSession oauthSession = oauthSessionProvider.get(); if (currentUserProvider.get().isIdentifiedUser()) { if (httpSession != null) { httpSession.invalidate(); } chain.doFilter(request, response); return; + } else { + if (oauthSession.isLoggedIn()) { + oauthSession.logout(); + } } HttpServletResponse httpResponse = (HttpServletResponse) response; String provider = httpRequest.getParameter("provider"); - OAuthSession oauthSession = oauthSessionProvider.get(); OAuthServiceProvider service = ssoProvider == null ? oauthSession.getServiceProvider() : ssoProvider;