Github user neykov commented on a diff in the pull request:

    https://github.com/apache/brooklyn-server/pull/288#discussion_r73880683
  
    --- Diff: rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java ---
    @@ -37,32 +37,45 @@
         @Context UriInfo uri;
     
         @Override
    +    public Response redirectToLogout() {
    +        URI dest = uri.getBaseUriBuilder().path(LogoutApi.class).build();
    +
    +        // Return response with Javascript which will make an asynchronous 
POST request to the logout method.
    +        // (When calling logout it is important to use wrong username and 
password in order to make browser forget the old ones)
    +        return Response.status(Status.OK)
    +                .entity(String.format("<!DOCTYPE html>\n<body>\n" +
    +                        "<script>\n" +
    +                        "var a=new window.XMLHttpRequest;" +
    +                        "a.open('POST','%1$s',0,'user','wrong'+(new 
Date).getTime().toString());a.send(\"\");\n" +
    +                        "window.location.href='/';</script></body>", 
dest.toASCIIString()))
    +                .build();
    +    }
    +
    +    @Override
         public Response logout() {
             WebEntitlementContext ctx = (WebEntitlementContext) 
Entitlements.getEntitlementContext();
    -        URI dest = 
uri.getBaseUriBuilder().path(LogoutApi.class).path(LogoutApi.class, 
"logoutUser").build(ctx.user());
     
    -        // When execution gets here we don't know whether this is the 
first fetch of logout() or a subsequent one
    -        // with a re-authenticated user. The only way to tell is compare 
if user names changed. So redirect to an URL
    -        // which contains the user name.
    -        return Response.status(Status.TEMPORARY_REDIRECT)
    +        if (ctx != null && ctx.user() != null) {
    +            doLogout();
    +        }
    +
    +        URI dest = uri.getBaseUriBuilder().build();
    +
    +        return Response.status(Status.UNAUTHORIZED)
    +                .header("WWW-Authenticate", "Basic realm=\"webconsole\"")
    +                // For Status 403, HTTP Location header may be omitted.
    +                // Location is best to be used for http status 302 
https://tools.ietf.org/html/rfc2616#section-10.3.3
                     .header("Location", dest.toASCIIString())
    +                .entity("<script>window.location.replace(\"/\");</script>")
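Review bot: the comment above the `.header("Location", ...)` line talks about "Status 403", but the response being built is `Status.UNAUTHORIZED` (401), and the RFC 2616 section it cites (10.3.3) describes 302 Found; either drop the `Location` header and rely on the `WWW-Authenticate` challenge plus the script entity, or return a genuine redirect status, and in both cases reword the comment to name the status actually sent. Separately, `redirectToLogout()` returns an HTML document through `.entity(String)` without `.type(MediaType.TEXT_HTML)`; unless `LogoutApi` declares `@Produces` with `text/html` for that method (not visible in this hunk), the content type falls back to the JAX-RS default and the inline script may not be executed by the browser.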
    --- End diff --
    
    I think we should keep previous behaviour here and for `logoutUser`. 
Changes in https://github.com/apache/brooklyn-ui/pull/30 don't actually use the 
`logout` call anyway - they rely on javascript to invalidate the 
authentication header.
    Why it's needed (for clients that use it):
      * a client posts to /logout
      * server returns 401
      * browser displays an authentication dialog
      * browser retries request with new credentials (against /logout)
      * server returns 401 (because that's all it does)
      * credentials appear to be invalid
    
    How current code fixes this:
      * a client posts to /logout
      * server redirects to /logout/username
      * server returns 401
      * browser displays an authentication dialog
      * browser retries request with new credentials (against /logout/username)
      * server returns 200 if new username doesn't match username in URL or 401 if it matches
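The two flows neykov lays out above, as an added simulation that is not part of the PR or of Brooklyn's code: a mock of the naive always-401 logout beside the `/logout/<user>` redirect scheme, driven by a model of a browser's Basic-auth retry. The function names, the ten-iteration stop, and the credentials are constructed for this example; only the realm string is taken from the diff.

```python
import base64

def _basic(headers):
    """Decode a Basic Authorization header into (user, password), or None if absent."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    return user, password

# Same challenge the diff sends; realm string taken from the PR.
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="webconsole"'})

def server_always_401(method, path, headers):
    """Naive logout: answer every request with a 401 challenge (the 'why it's needed' flow)."""
    return CHALLENGE

def server_redirecting(method, path, headers):
    """Previous behaviour described in the comment: /logout redirects to /logout/<user>,
    and /logout/<user> challenges only while the request still carries that user."""
    creds = _basic(headers)
    if creds is None:
        return CHALLENGE
    if path == "/logout":
        return 307, {"Location": "/logout/" + creds[0]}
    if path.startswith("/logout/"):
        return CHALLENGE if path[len("/logout/"):] == creds[0] else (200, {})
    return 404, {}

def browser_post(server, path, stored, typed, max_prompts=3):
    """Model a browser: send stored credentials, follow redirects, and on 401 show the
    auth dialog (the user types `typed`) and retry the same URL. Returns the final
    status, the credentials the browser now holds, and how many dialogs were shown."""
    creds, prompts, status = stored, 0, None
    for _ in range(10):  # hard stop against redirect/challenge loops (constructed limit)
        headers = {}
        if creds:
            token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
            headers["Authorization"] = "Basic " + token
        status, resp = server("POST", path, headers)
        if status == 307:
            path = resp["Location"]
        elif status == 401 and prompts < max_prompts:
            prompts, creds = prompts + 1, typed
        else:
            break
    return status, creds, prompts
```

Against `server_always_401` the browser keeps re-prompting until it gives up, so the freshly typed credentials look invalid; against `server_redirecting` the second login lands on `/logout/alice` with a different user name and gets 200, leaving the browser holding only the new credentials.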