[ https://issues.apache.org/jira/browse/KNOX-571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15657503#comment-15657503 ]

Jeffrey E  Rodriguez commented on KNOX-571:
-------------------------------------------

Thanks Larry.

I agree with you and maybe we need a KIP page for this topic.

The "logout" responsibility should preferably be on the web application. I 
think that if the application can delegate the authentication to Knox but keep 
the management of its session, that would be the best approach. 

For example, JAAS standard pluggable authentication can be used. A web 
application would write its Knox LoginModule to delegate the task of 
authentication to Knox.

1. Knox would be set as pass through.
2. Web application would authenticate using its "Knox Login Module". 
3. Web Application would login and logout through its "Knox Login Module".

> UI Web pages should have a way to logout
> ----------------------------------------
>
>                 Key: KNOX-571
>                 URL: https://issues.apache.org/jira/browse/KNOX-571
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 0.7.0
>         Environment: Redhat/Windows
>            Reporter: Jeffrey E  Rodriguez
>             Fix For: Future
>
>         Attachments: knox_logout_design.jpg
>
>
> UI using Knox as a proxy should have a way to define a logout so the browser-to-
> Knox session is invalidated and the user is challenged for authentication. This 
> is a web security requirement to prevent session hijacking attacks.
> References
> https://www.owasp.org/index.php/Session_hijacking_attack
> https://owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-007%29



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
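The three-step proposal in the comment above (Knox as pass-through, the application authenticating through its own JAAS module, and the application owning both login and logout), sketched as an added example that is not Knox project code. It assumes a JAAS option named `knoxUrl` pointing at any Knox-protected URL and that the pass-through topology answers HTTP Basic credentials with 200 or 401; the servlet layer is still expected to invalidate its own HttpSession on logout.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** JAAS module that lets Knox check the credentials while the app keeps login()/logout(). */
public class KnoxLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String knoxUrl;   // JAAS option "knoxUrl": a Knox-protected URL (assumed, not a Knox API)
    private Principal principal;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; knoxUrl = (String) opts.get("knoxUrl");
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
            String creds = nc.getName() + ":" + new String(pc.getPassword());
            pc.clearPassword();
            // Probe Knox with HTTP Basic; the pass-through topology is assumed to answer 401 on bad credentials.
            HttpURLConnection c = (HttpURLConnection) new URL(knoxUrl).openConnection();
            c.setRequestProperty("Authorization", "Basic "
                + Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8)));
            int code = c.getResponseCode();
            if (code == 401) throw new FailedLoginException("Knox rejected the credentials");
            if (code != 200) throw new LoginException("unexpected Knox status " + code);
            String name = nc.getName();
            principal = () -> name;   // minimal Principal carrying only the user name
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            throw new LoginException("cannot reach Knox: " + e.getMessage());
        }
        return true;
    }

    public boolean commit() { subject.getPrincipals().add(principal); return true; }
    public boolean abort()  { principal = null; return true; }
    /** App-side logout: drop the principal; the servlet layer must also invalidate its HttpSession. */
    public boolean logout() { subject.getPrincipals().remove(principal); principal = null; return true; }
}
```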