
[cfid-319] add favicon.ico to list of unprotected resources

This fixes the logout issue seen in [#39660921], where a user could access the dashboard
even after logging out (both locally AND with login server).

Change-Id: I87e7d50ed00a7196e3e6cb6a2d31c31b3e93850d
1 parent c5e4626 commit d7c8acf9bdf1c1ab69aaa15460b8c132dcd2703e @vedyval vedyval committed
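--- a/dashboard/src/main/resources/application.properties
+++ b/dashboard/src/main/resources/application.properties
@@ -2,7 +2,7 @@
 # Copyright (c) 2011 VMware, Inc.
 #
-uaa.url = http://localhost:8081/uaa
+uaa.logout.url = http://localhost:8081/uaa/logout.do
 uaa.accessToken.url = http://localhost:8081/uaa/oauth/token
 uaa.userAuthorize.url = http://localhost:8081/uaa/oauth/authorize
 uaa.checkToken.url = http://localhost:8081/uaa/check_token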
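Review bot: Replacing `uaa.url` with `uaa.logout.url` removes the only base-URL property, so any bean or JSP that still references `${uaa.url}` will fail placeholder resolution at context startup rather than at the point of use; security.xml's logoutSuccessHandler is updated in this commit, but other consumers are not visible here and are worth checking. The three remaining endpoint properties and the new logout URL all repeat the `http://localhost:8081/uaa` prefix, so a single base property from which the others are derived would keep them from drifting apart across environments.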
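--- a/dashboard/src/main/webapp/WEB-INF/security.xml
+++ b/dashboard/src/main/webapp/WEB-INF/security.xml
@@ -24,7 +24,7 @@
 <bean id="logoutSuccessHandler" class="com.cloudfoundry.dashboard.authentication.ForwardingLogoutHandler">
 <property name="logoutPageAttributes">
 <map key-type="java.lang.String" value-type="java.lang.String">
-<entry key="uaaUrl" value="${uaa.url}" />
+<entry key="sloUrl" value="${uaa.logout.url}" />
 </map>
 </property>
 </bean>
@@ -32,6 +32,7 @@
 <!-- list all unsecured resources/endpoints -->
 <sec:http pattern="/logout.*" security="none"/>
 <sec:http pattern="/login_error.jsp" security="none"/>
+<sec:http pattern="/favicon.ico" security="none" />
 <!-- make ALL other requests go thru the Oauth security filters -->
 <http pattern="/**" create-session="always" entry-point-ref="oauthAuthenticationEntryPoint"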
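Review bot: The new `/favicon.ico` exclusion on line 37 carries no comment saying why a static icon has to bypass the security filter chain entirely; from the commit message the reason appears to be that the browser's favicon request issued right after logout hit the `/**` chain with `create-session="always"` and re-entered the OAuth flow, silently logging the user back in. That is worth recording next to the entry, e.g. `<!-- unsecured on purpose: the browser's favicon request after logout would otherwise re-enter the OAuth flow and create a fresh session -->`, since a future cleanup of "unused" exclusions would reintroduce the bug. Note that the exclusion covers only one path: any other unauthenticated request a browser issues after logout (another static resource, a bookmarked page) would presumably trigger the same automatic re-login, so this treats the symptom and the entry point / session-creation behaviour is where the root cause lives. The `<http pattern="/**">` element on line 39 continues outside the hunk.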
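--- a/dashboard/src/main/webapp/logout.jsp
+++ b/dashboard/src/main/webapp/logout.jsp
@@ -1,5 +1,4 @@
-<%@ page import="org.springframework.security.web.WebAttributes" %>
-<%@ page import="org.springframework.security.access.AccessDeniedException" %>
+<%@ page import="java.net.URLEncoder" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
@@ -32,7 +31,7 @@
 <%
 if (request.getParameter("slo") == null || "false".equals(request.getParameter("slo").toLowerCase())) {
 String callbackUrl = request.getRequestURL().append("?slo=true").toString();
-String sloUrl = request.getAttribute("uaaUrl") != null ? request.getAttribute("uaaUrl") + "/logout.do?redirect=" + response.encodeRedirectURL(callbackUrl) : "logout?slo=true";
+String sloUrl = request.getAttribute("sloUrl") != null ? request.getAttribute("sloUrl") + "?redirect=" + URLEncoder.encode(callbackUrl, "utf-8") : "logout?slo=true";
 %>
 <br />
 Click <a href="<%= sloUrl %>">here</a> to logout of CloudFoundry too.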
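Review bot: The `redirect` parameter appended on line 53 is the `callbackUrl` built on line 51 from `request.getRequestURL()`, which is derived from the Host header the client sent, so the post-logout redirect target handed to the UAA logout endpoint is client-influenced unless that endpoint validates it against a configured list (not visible here). Building the callback from a configured dashboard base URL instead of from the request, e.g. a property set alongside `uaa.logout.url` and exposed through the same `logoutPageAttributes` map, would remove that dependency. Replacing `response.encodeRedirectURL` with `URLEncoder.encode` is the right change, since the former only rewrites session ids into the URL and never percent-encodes the value for use as a query parameter. The scriptlet's `if` block opened on line 50 closes outside the hunk.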
