[MGNLSSO-308] Logout no longer works - Improve integration tests
Created: 14/Sep/23  Updated: 29/Sep/23  Resolved: 20/Sep/23

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: saas, 3.1.8

Type: Bug Priority: Major
Reporter: Mikaël Geljić Assignee: Evzen Fochr
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
is caused by ADMINCTR-478 Logout from external IdPs no longer w... Closed
is caused by ADMINCTR-479 Logout from external IdPs no longer w... Closed
Relates
relates to MAGNOLIA-9090 Add option to trigger logout logic, p... Closed
relates to MAGNOLIA-9091 Add option to trigger logout logic, p... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Epic Link: SSO maintenance
Team: AdminX
Work Started:

 Description   

Due to changes in AdmincentralServlet in Magnolia 6.2.38, logout no longer works: the IdP session is never terminated.

This is because the HttpSession is invalidated too eagerly, and thus kills Pac4j's session-tracking.

The issue will be resolved by ADMINCTR-478 and MAGNOLIA-9090.

Some dev notes and actions to be taken in the scope of this ticket:

  • Add the logout scenario to the SSO integration tests for both branches, v3.1 and v4.0.0
  • Consider re-adding `request.getSession().invalidate();` to SsoLogoutFilter; it was removed by this commit:

    if (request.getSession(false) != null) {
      log.info("Invalidating HttpSession {}", request.getSession());
      request.getSession().invalidate();
    }
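
The ordering problem described above, as an added example that is not Magnolia or Pac4j code: a simplified model in which the logout step needs state held in the session, so invalidating first leaves nothing to send to the IdP. `FakeSession`, `SSO_STATE` and `buildIdpLogoutRequest` are hypothetical names, and the attribute key and sample value are constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Simplified model of the ordering problem: not Magnolia or Pac4j code.
public class LogoutOrderDemo {

    // Hypothetical stand-in for HttpSession (no servlet container needed).
    static final class FakeSession {
        private final Map<String, Object> attributes = new HashMap<>();
        private boolean valid = true;
        void setAttribute(String k, Object v) { check(); attributes.put(k, v); }
        Object getAttribute(String k) { check(); return attributes.get(k); }
        void invalidate() { check(); attributes.clear(); valid = false; }
        boolean isValid() { return valid; }
        private void check() { if (!valid) throw new IllegalStateException("session invalidated"); }
    }

    // Constructed attribute name; the real key used by the SSO library may differ.
    static final String SSO_STATE = "ssoLoginState";

    // Hypothetical logout step: needs the login state to address the IdP.
    static Optional<String> buildIdpLogoutRequest(FakeSession session) {
        if (session == null || !session.isValid()) return Optional.empty();
        Object state = session.getAttribute(SSO_STATE);
        return state == null ? Optional.empty()
                : Optional.of("end-session request for " + state);
    }

    static FakeSession loggedInSession() {
        FakeSession s = new FakeSession();
        s.setAttribute(SSO_STATE, "user=alice"); // constructed sample value
        return s;
    }

    public static void main(String[] args) {
        // Eager order: session is invalidated before the logout logic runs.
        FakeSession eager = loggedInSession();
        eager.invalidate();
        System.out.println("eager:    " + buildIdpLogoutRequest(eager));

        // Deferred order: logout logic first, local invalidation last.
        FakeSession deferred = loggedInSession();
        Optional<String> request = buildIdpLogoutRequest(deferred);
        deferred.invalidate();
        System.out.println("deferred: " + request);
    }
}
```

An integration test for the logout scenario can assert the same property end to end: after logout, both the local session and the IdP session are gone.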

Generated at Mon Feb 12 10:53:02 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.