[ https://issues.apache.org/jira/browse/KNOX-571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14637479#comment-14637479 ]

Jeffrey E  Rodriguez commented on KNOX-571:
-------------------------------------------

Thanks Kevin and Tanping for reviewing this proposal.

The logout button belongs to the UI, so the href belongs to the web application 
service code, but it makes sense for the component that does the login to do 
the logout.

What I am proposing is a mechanism by which we can log out the session 
established between Knox and the browser.

This mechanism is a filter added as a contributor "session-logout", so developers 
implementing a web interface through Knox can make use of it to invalidate the 
session.
A web interface wanting to enable Knox can set logout rules such as the 
following pattern: pattern="*://*:*/**/myapp/logout", and 
add a UI href in the web app code, href="/logout", which will resolve to the Knox 
scheme://hostname:port/gateway/deployment/app/logout in the outbound body 
rewrite.
So the body rewrite rewrites /logout -> {$serviceUrl[MYAPP]}/logout.
The filter will check for the /logout pattern and will call Shiro APIs to 
invalidate logout, and the filter will return a response with a challenge header.

Regards,
                        Jeff

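One way the filter described in this comment could be written, as an added illustration rather than Knox's own "session-logout" code: a servlet filter that matches the logout path, logs the Shiro subject out, invalidates the container session, expires the session cookie, and returns a 401 challenge instead of proxying the request. The class name, the "logoutPath" init-param and the realm string are assumptions; it also assumes Shiro's own filter runs earlier in the chain so a Subject is bound.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.shiro.SecurityUtils;

/** Hypothetical "session-logout" filter: ends the browser-to-gateway session on the logout path. */
public class SessionLogoutFilter implements Filter {
    // Path suffix that triggers logout; init-param name "logoutPath" is assumed, not Knox's.
    private String logoutPath = "/logout";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("logoutPath");
        if (configured != null && !configured.isEmpty()) {
            logoutPath = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!request.getRequestURI().endsWith(logoutPath)) {
            chain.doFilter(req, res); // not a logout request: pass it on unchanged
            return;
        }
        // 1. Log the Shiro subject out; this also stops its Shiro session.
        //    Assumes Shiro's own filter ran earlier in the chain so a Subject is bound.
        SecurityUtils.getSubject().logout();
        // 2. Invalidate the container session too, if one exists.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // 3. Expire the session cookie on the client so a stale copy cannot be replayed.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath("/");
        expired.setMaxAge(0);
        response.addCookie(expired);
        // 4. Challenge the browser so the next request must authenticate again,
        //    and stop the chain so the logout request is never proxied upstream.
        response.setHeader("WWW-Authenticate", "Basic realm=\"gateway\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    public void destroy() { }
}
```

The filter must be mapped after Shiro's filter and before the dispatch that forwards requests to the backing service, otherwise the logout request would reach the service before the session is torn down.
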
> UI Web pages should have a way to logout
> ----------------------------------------
>
>                 Key: KNOX-571
>                 URL: https://issues.apache.org/jira/browse/KNOX-571
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 0.7.0
>         Environment: Redhat/Windows
>            Reporter: Jeffrey E  Rodriguez
>             Fix For: 0.7.0
>
>         Attachments: knox_logout_design.jpg
>
>
> UI using Knox as a proxy should have  a way to define a logout so Browser to 
> Knox session is invalidated and user is challenged for Authentication. This 
> is a web security requirement to prevent session hijacking attacks.
> References
> https://www.owasp.org/index.php/Session_hijacking_attack
> https://owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-007%29



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)