Github user neykov commented on a diff in the pull request: https://github.com/apache/brooklyn-server/pull/288#discussion_r73880683 --- Diff: rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java --- 
@@ -37,32 +37,45 @@ @Context UriInfo uri; @Override + public Response redirectToLogout() { + URI dest = uri.getBaseUriBuilder().path(LogoutApi.class).build(); + + // Return response with Javascript which will make an asynchronous POST request to the logout method. + // (When calling logout it is important to use wrong username and password in order to make browser forget the old ones) + return Response.status(Status.OK) + .entity(String.format("<!DOCTYPE html>\n<body>\n" + + "<script>\n" + + "var a=new window.XMLHttpRequest;" + + "a.open('POST','%1$s',0,'user','wrong'+(new Date).getTime().toString());a.send(\"\");\n" + + "window.location.href='/';</script></body>", dest.toASCIIString())) + .build(); + } + + @Override public Response logout() { WebEntitlementContext ctx = (WebEntitlementContext) Entitlements.getEntitlementContext(); - URI dest = uri.getBaseUriBuilder().path(LogoutApi.class).path(LogoutApi.class, "logoutUser").build(ctx.user()); - // When execution gets here we don't know whether this is the first fetch of logout() or a subsequent one - // with a re-authenticated user. The only way to tell is compare if user names changed. So redirect to an URL - // which contains the user name. - return Response.status(Status.TEMPORARY_REDIRECT) + if (ctx != null && ctx.user() != null) { + doLogout(); + } + + URI dest = uri.getBaseUriBuilder().build(); + + return Response.status(Status.UNAUTHORIZED) + .header("WWW-Authenticate", "Basic realm=\"webconsole\"") + // For Status 403, HTTP Location header may be omitted. + // Location is best to be used for http status 302 https://tools.ietf.org/html/rfc2616#section-10.3.3 .header("Location", dest.toASCIIString()) + .entity("<script>window.location.replace(\"/\");</script>") --- End diff -- I think we should keep previous behaviour here and for `logoutUser`. 
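Review bot: the inline comment in `logout()` says "For Status 403, HTTP Location header may be omitted" while the response is built with `Status.UNAUTHORIZED` (401), and a `Location` header is only acted on for 3xx redirects, so the browser will not follow it here; fix the comment to match the status, and either drop the header or rely solely on the `<script>window.location.replace("/");</script>` entity for the redirect. Both this response and the HTML returned by `redirectToLogout()` carry an HTML/JavaScript body with no media type, so add `.type(MediaType.TEXT_HTML)` on both builders rather than leaving the browser to sniff it. In `redirectToLogout()` the base URI (`dest.toASCIIString()`) is formatted straight into a single-quoted JavaScript string literal; a quote character in the base URI would terminate the literal, so escape (or JSON-encode) the value before embedding it. Also, because `logout()` now answers 401 unconditionally, a browser that re-prompts for credentials and retries the same `/logout` URL receives 401 again, so a client cannot distinguish a completed logout from a rejected password; the previous redirect to a URL carrying the user name gave the server a way to tell the re-authenticated request apart.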
Changes in https://github.com/apache/brooklyn-ui/pull/30 don't actually use the `logout` call anyway - they rely on javascript to invalidate the authentication header.

Why it's needed (for clients that use it):
* a client posts to /logout
* server returns 401
* browser displays an authentication dialog
* browser retries request with new credentials (against /logout)
* server returns 401 (because that's all it does)
* credentials appear to be invalid

How current code fixes this:
* a client posts to /logout
* server redirects to /logout/username
* server returns 401
* browser displays an authentication dialog
* browser retries request with new credentials (against /logout/username)
* server returns 200 if new username doesn't match username in URL or 401 if it matches
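The two flows listed in the comment above, modelled end to end as an added example (this is not code from the pull request or from Brooklyn itself): a minimal HTTP Basic logout handler in both variants, plus a client loop that behaves like a browser (follow a 307, re-prompt on 401 and retry the same URL). The credential store, the user names `alice`/`bob` and all function names are constructed for the illustration.

```python
import base64
from typing import Callable, Dict, List, Optional, Tuple

# Constructed credential store for the simulated server (not Brooklyn's).
USERS = {"alice": "secret1", "bob": "secret2"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="webconsole"'}

Response = Tuple[int, Dict[str, str]]
Server = Callable[[str, Optional[str]], Response]


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header value the way a browser would."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def authenticate(auth_header: Optional[str]) -> Optional[str]:
    """Return the user name if the Basic header carries valid credentials, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None


def naive_logout_server(path: str, auth_header: Optional[str]) -> Response:
    """Models the proposed logout(): every request gets 401 plus a challenge."""
    return 401, CHALLENGE


def username_url_logout_server(path: str, auth_header: Optional[str]) -> Response:
    """Models the previous behaviour: /logout redirects to /logout/<user>, and
    /logout/<user> answers 200 only once a *different* user has authenticated."""
    user = authenticate(auth_header)
    if user is None:
        return 401, CHALLENGE
    if path == "/logout":
        return 307, {"Location": f"/logout/{user}"}
    if path.startswith("/logout/"):
        name_in_url = path[len("/logout/"):]
        return (200, {}) if user != name_in_url else (401, CHALLENGE)
    return 404, {}


def browser_logout(server: Server, cached_auth: str,
                   prompt_answers: List[Tuple[str, str]]) -> Tuple[int, List[Tuple[str, int]]]:
    """Mimic the browser: send the cached credentials, follow 307 redirects, and on
    401 take the next answer the user types into the dialog and retry the same URL.
    Returns the final status and a transcript of (path, status) pairs."""
    path, auth = "/logout", cached_auth
    answers = list(prompt_answers)
    transcript: List[Tuple[str, int]] = []
    status = 0
    for _ in range(10):                      # bound the retry loop
        status, headers = server(path, auth)
        transcript.append((path, status))
        if status == 307:
            path = headers["Location"]       # browser re-POSTs to the new URL
        elif status == 401 and answers:
            auth = basic_header(*answers.pop(0))   # user fills in the dialog
        else:
            break                            # success, or the user cancels the dialog
    return status, transcript


if __name__ == "__main__":
    alice = basic_header("alice", "secret1")
    # Naive server: the user types bob's credentials, still sees 401 -> "invalid credentials".
    print(browser_logout(naive_logout_server, alice, [("bob", "secret2")]))
    # Username-in-URL server: 307 -> 401 -> 200 once a different user authenticates.
    print(browser_logout(username_url_logout_server, alice, [("bob", "secret2")]))
```

The transcript of the second call is the sequence from the comment (redirect to `/logout/alice`, challenge, then 200 after a different user signs in); the first call shows why the unconditional 401 cannot signal success to a client that does use the endpoint.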