fix(system): HAWNG-326 clear browser data on user logout

hawtio · Jan 30, 2024 · d6ed1cb · d6ed1cb
1 parent 6ac4df7
commit d6ed1cb
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/hawtio-system/src/main/java/io/hawt/web/auth/LogoutServlet.java b/hawtio-system/src/main/java/io/hawt/web/auth/LogoutServlet.java
@@ -30,6 +30,11 @@ public void init() {
 
     @Override
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        LOG.debug("Logging out");
+
+        // Send some HTTP headers on logout
+        addHeaders(response);
+
         request.logout();
         if (AuthSessionHelpers.isSpringSecurityEnabled()) {
             AuthSessionHelpers.clear(request, authConfiguration, false);
@@ -40,6 +45,12 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
         }
     }
 
+    protected void addHeaders(HttpServletResponse response) {
+        // Do not specify "storage" as local storage contains persistent data such as
+        // preferences and connections but without credentials.
+        response.addHeader("Clear-Site-Data", "\"cache\", \"cookies\"");
+    }
+
     public void setRedirector(Redirector redirector) {
         this.redirector = redirector;
     }

diff --git a/...rms/quarkus/runtime/src/main/java/io/hawt/quarkus/servlets/HawtioQuakusLogoutServlet.java b/...rms/quarkus/runtime/src/main/java/io/hawt/quarkus/servlets/HawtioQuakusLogoutServlet.java
@@ -23,6 +23,9 @@ public void init() {
 
     @Override
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        // Send some HTTP headers on logout
+        addHeaders(response);
+
         request.logout();
         AuthSessionHelpers.clear(request, authConfiguration, false);
         redirector.doRedirect(request, response, AuthenticationConfiguration.LOGIN_URL);