MAGNOLIA-9200

Add the renewSession and logout functionality to LoginHandler and support LoginHandlers for LogoutFilter

Context

1/ While working on the SSO epic, we found that the session is renewed (the existing session is invalidated) after login and before the new Subject is set into MgnlContext:

https://git.magnolia-cms.com/projects/PLATFORM/repos/main/browse/magnolia-core/src/main/java/info/magnolia/cms/security/auth/login/LoginFilter.java?at=refs%2Fheads%2Frelease%2F6.2#107-109

Renewing the session after login is good security practice: a session id that existed before authentication is never promoted to an authenticated session, which defeats session fixation.

However, it conflicts with the SSO (Pac4j) implementation, which stores the user profiles in the session under the "pac4jUserProfiles" attribute. Invalidating the session discards all of that login information, which breaks logout: no global logout is performed at the IdP.

In fact, Pac4j already applies the same logic for us by default (https://www.pac4j.org/docs/callback-endpoint.html#c-renewsession) in DefaultCallbackLogic, which is called by our SsoCallbackServlet.

2/ LoginHandler(s) handle authentication when a request is processed by the LoginFilter (JCR: /server/filters/login/loginHandlers).

There is no equivalent for the LogoutFilter. The logout mechanism would benefit from having a handler that processes logout requests; technically, it would then be less often necessary to implement a custom LogoutFilter such as SsoLogoutFilter.

ACs

• The session renewal must be controllable and handled by the LoginHandler instead of being hard-coded in LoginFilter
  • The LoginHandler should invalidate/renew the session itself, so the session invalidation moves into the LoginHandler implementations, including our FormLogin and BasicLogin.
• The logout logic is handled by the LoginHandler on behalf of LogoutFilter
• The default LogoutFilter and the SSO concern can be combined

Proposed solution

• Add new methods "renewSession" and "logout" to LoginHandler, and rename the "handle" method to "login"
  • Provide default implementations for backward compatibility
• Add a loginHandlers list configuration to LogoutFilter and use the JCR extends property (https://docs.magnolia-cms.com/product-docs/6.2/developing/reusing-configuration/jcr-extends/) to extend the configuration from "/server/filters/login/loginHandlers"
• Move the logout logic into LoginHandler#logout for the existing FormLogin and BasicLogin (where it should do nothing)
• Additionally, introduce an enabled config on FormClientCallback, enabled by default
  • This will be used for the SSO fallback login mechanism (supporting both JCR default login and SSO login), so customers can enable/disable it based on their needs.
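As an added illustration (not Magnolia's code: the LoginHandler below is a hypothetical sketch of the proposed contract, and Session/Request are stand-ins for the servlet types so it compiles with the JDK alone), the following Java shows the three-method handler with defaults, a form-style handler that keeps the default renewal, an SSO-style handler that overrides renewSession to keep "pac4jUserProfiles" and overrides logout to trigger the IdP logout, and a LoginFilter/LogoutFilter pair that delegate to the same handler list. The user names, passwords and IdP URL are constructed sample data.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;

/** Added illustration, not Magnolia code. Session/Request are hypothetical stand-ins. */
public class LoginHandlerSketch {

    static final class Session {
        final String id = UUID.randomUUID().toString();
        final Map<String, Object> attrs = new HashMap<>();
        boolean valid = true;
    }

    static final class Request {
        final Map<String, String> params = new HashMap<>();
        Session session = new Session();
        /** Invalidate the old session and start a fresh one; nothing is carried over. */
        Session renewSession() {
            session.valid = false;
            session.attrs.clear();
            session = new Session();
            return session;
        }
    }

    enum LoginStatus { NO_LOGIN, SUCCESS, FAILED }

    /** Proposed contract: "handle" becomes "login"; two new methods with defaults. */
    interface LoginHandler {
        LoginStatus login(Request req);
        /** Default keeps today's LoginFilter behaviour (fresh id after login, anti fixation). */
        default void renewSession(Request req) { req.renewSession(); }
        /** Default: nothing beyond LogoutFilter's own session invalidation. */
        default void logout(Request req) { }
    }

    /** FormLogin/BasicLogin-like: relies on both defaults. */
    static final class FormLoginLike implements LoginHandler {
        private final Map<String, String> users;
        FormLoginLike(Map<String, String> users) { this.users = users; }
        @Override public LoginStatus login(Request req) {
            String user = req.params.get("user");
            if (user == null) return LoginStatus.NO_LOGIN;
            String pass = req.params.get("password");
            return pass != null && pass.equals(users.get(user)) ? LoginStatus.SUCCESS : LoginStatus.FAILED;
        }
    }

    /** SSO-like: the callback already renewed the session and stored the profile,
     *  so renewSession must keep it; logout records the IdP logout redirect. */
    static final class SsoLoginLike implements LoginHandler {
        static final String PROFILE_ATTR = "pac4jUserProfiles";
        String idpLogoutUrl;  // hypothetical: where a real handler would redirect
        @Override public LoginStatus login(Request req) {
            return req.session.attrs.containsKey(PROFILE_ATTR) ? LoginStatus.SUCCESS : LoginStatus.NO_LOGIN;
        }
        @Override public void renewSession(Request req) { /* keep pac4jUserProfiles */ }
        @Override public void logout(Request req) {
            Object profile = req.session.attrs.get(PROFILE_ATTR);
            if (profile != null) idpLogoutUrl = "https://idp.example/logout?sid=" + profile;
        }
    }

    /** LoginFilter: the handler that authenticates also decides about renewal. */
    static String loginFilter(List<LoginHandler> handlers, Request req) {
        for (LoginHandler h : handlers) {
            LoginStatus status = h.login(req);
            if (status == LoginStatus.SUCCESS) {
                h.renewSession(req);  // previously hard-coded in LoginFilter
                req.session.attrs.put("subject", req.params.getOrDefault("user", "sso-user"));
                return h.getClass().getSimpleName();
            }
            if (status == LoginStatus.FAILED) return null;
        }
        return null;
    }

    /** LogoutFilter: every configured handler gets a turn, then the session is dropped. */
    static void logoutFilter(List<LoginHandler> handlers, Request req) {
        for (LoginHandler h : handlers) h.logout(req);
        req.session.valid = false;
        req.session.attrs.clear();
    }

    public static void main(String[] args) {
        SsoLoginLike sso = new SsoLoginLike();
        List<LoginHandler> handlers = new ArrayList<>();
        handlers.add(sso);
        handlers.add(new FormLoginLike(Map.of("alice", "s3cret")));

        Request form = new Request();                    // form login: id must change
        String before = form.session.id;
        form.params.put("user", "alice");
        form.params.put("password", "s3cret");
        System.out.println(loginFilter(handlers, form) + " renewed=" + !before.equals(form.session.id));

        Request ssoReq = new Request();                  // SSO login: profile and id are kept
        ssoReq.session.attrs.put(SsoLoginLike.PROFILE_ATTR, "session-abc");
        String ssoBefore = ssoReq.session.id;
        System.out.println(loginFilter(handlers, ssoReq) + " kept=" + ssoBefore.equals(ssoReq.session.id));

        logoutFilter(handlers, ssoReq);                  // IdP logout recorded, then local session dropped
        System.out.println("idp logout: " + sso.idpLogoutUrl + " valid=" + ssoReq.session.valid);
    }
}
```

The point of giving renewSession a renewing default rather than an empty one is that a handler which does not override it (FormLogin, BasicLogin, third-party handlers compiled against the old "handle" contract) keeps the session-fixation protection the LoginFilter provides today; only a handler that has already renewed the session itself, as the Pac4j callback does, opts out.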

nguyen.phung Nguyen Phung Chi
AdminX