Bug #36: remove the RURL cookie after successful authentication

- add Get_Redirect_Cookie and Clear_Redirect_Cookie to get/remove the RURL cookie
- after servlet authentication (OAuth), remove the redirect cookie
- likewise for the form-based (Password) authentication

awa/src/awa-users-beans.adb

@@ -30,6 +30,7 @@ with ADO.Sessions;
 
 with AWA.Services.Contexts;
 with AWA.Users.Servlets;
+with AWA.Users.Filters;
 package body AWA.Users.Beans is
 
    use AWA.Users.Models;
@@ -190,6 +191,7 @@ package body AWA.Users.Beans is
 
       Data.Set_Session_Principal (Principal);
       Data.Set_Authenticate_Cookie (Principal);
+      Remove_Cookie (AWA.Users.Filters.REDIRECT_COOKIE);
       if Length (Data.Redirect) > 0 then
          declare
             Context : constant ASF.Contexts.Faces.Faces_Context_Access

awa/src/awa-users-filters.adb

@@ -33,6 +33,32 @@ package body AWA.Users.Filters is
    --  The logger
    Log : constant Util.Log.Loggers.Logger := Util.Log.Loggers.Create ("AWA.Users.Filters");
 
+   --  ------------------------------
+   --  Get the redirection URL from the redirect cookie.
+   --  ------------------------------
+   function Get_Redirect_Cookie (Request : in Servlet.Requests.Request'Class) return String is
+      Cookies : constant Util.Http.Cookies.Cookie_Array := Request.Get_Cookies;
+   begin
+      for I in Cookies'Range loop
+         if Util.Http.Cookies.Get_Name (Cookies (I)) = REDIRECT_COOKIE then
+            return Util.Http.Cookies.Get_Value (Cookies (I));
+         end if;
+      end loop;
+      return "";
+   end Get_Redirect_Cookie;
+
+   --  ------------------------------
+   --  Clear the redirect cookie in the response.
+   --  ------------------------------
+   procedure Clear_Redirect_Cookie (Request : in Servlet.Requests.Request'Class;
+                                    Response : in out Servlet.Responses.Response'Class) is
+      C : Util.Http.Cookies.Cookie := Util.Http.Cookies.Create (REDIRECT_COOKIE, "");
+   begin
+      Util.Http.Cookies.Set_Path (C, Request.Get_Context_Path);
+      Util.Http.Cookies.Set_Max_Age (C, 0);
+      Response.Add_Cookie (Cookie => C);
+   end Clear_Redirect_Cookie;
+
    --  ------------------------------
    --  Initialize the filter and configure the redirection URIs.
    --  ------------------------------

awa/src/awa-users-filters.ads

@@ -28,6 +28,13 @@ with Servlet.Security.Filters;
 with AWA.Applications;
 package AWA.Users.Filters is
 
+   --  Get the redirection URL from the redirect cookie.
+   function Get_Redirect_Cookie (Request : in Servlet.Requests.Request'Class) return String;
+
+   --  Clear the redirect cookie in the response.
+   procedure Clear_Redirect_Cookie (Request  : in Servlet.Requests.Request'Class;
+                                    Response : in out Servlet.Responses.Response'Class);
+
    --  ------------------------------
    --  Authentication verification filter
    --  ------------------------------

awa/src/awa-users-servlets.adb

@@ -18,7 +18,6 @@
 with Util.Beans.Objects;
 with Util.Beans.Objects.Records;
 with Util.Log.Loggers;
-with Util.Http.Cookies;
 
 with AWA.Users.Services;
 with AWA.Users.Modules;
@@ -123,6 +122,7 @@ package body AWA.Users.Servlets is
             if Redirect'Length > 0 then
                Session.Set_Attribute (Name  => REDIRECT_ATTRIBUTE,
                                       Value => Util.Beans.Objects.To_Object (Redirect));
+               AWA.Users.Filters.Clear_Redirect_Cookie (Request, Response);
             end if;
          end;
       end;
@@ -162,15 +162,14 @@ package body AWA.Users.Servlets is
          return Util.Beans.Objects.To_String (Redir);
       end if;
       declare
-         Cookies : constant Util.Http.Cookies.Cookie_Array := Request.Get_Cookies;
+         URL : constant String := AWA.Users.Filters.Get_Redirect_Cookie (Request);
       begin
-         for I in Cookies'Range loop
-            if Util.Http.Cookies.Get_Name (Cookies (I)) = AWA.Users.Filters.REDIRECT_COOKIE then
-               return Util.Http.Cookies.Get_Value (Cookies (I));
-            end if;
-         end loop;
+         if URL'Length > 0 then
+            return URL;
+         else
+            return Ctx.Get_Init_Parameter ("openid.success_url");
+         end if;
       end;
-      return Ctx.Get_Init_Parameter ("openid.success_url");
    end Get_Redirect_URL;
 
    --  ------------------------------
@@ -264,6 +263,7 @@ package body AWA.Users.Servlets is
 
          Log.Info ("Redirect user to URL: {0}", Redirect);
          Response.Send_Redirect (Redirect);
+         AWA.Users.Filters.Clear_Redirect_Cookie (Request, Response);
 
       exception
          when AWA.Users.Services.Registration_Disabled =>
@@ -280,18 +280,14 @@ package body AWA.Users.Servlets is
    --  ------------------------------
    function Get_Redirect_URL (Server  : in Verify_Key_Servlet;
                               Request : in Servlet.Requests.Request'Class) return String is
-      Ctx   : constant Servlet.Core.Servlet_Registry_Access := Server.Get_Servlet_Context;
+      Ctx : constant Servlet.Core.Servlet_Registry_Access := Server.Get_Servlet_Context;
+      URL : constant String := AWA.Users.Filters.Get_Redirect_Cookie (Request);
    begin
-      declare
-         Cookies : constant Util.Http.Cookies.Cookie_Array := Request.Get_Cookies;
-      begin
-         for I in Cookies'Range loop
-            if Util.Http.Cookies.Get_Name (Cookies (I)) = AWA.Users.Filters.REDIRECT_COOKIE then
-               return Util.Http.Cookies.Get_Value (Cookies (I));
-            end if;
-         end loop;
-      end;
-      return Ctx.Get_Init_Parameter ("openid.success_url");
+      if URL'Length > 0 then
+         return URL;
+      else
+         return Ctx.Get_Init_Parameter ("openid.success_url");
+      end if;
    end Get_Redirect_URL;
 
    --  ------------------------------