remove cookie on logout

2025-11-12 08:25:44 +01:00 · 2015-04-01 10:47:00 +02:00
parent ef50b4f238
commit c921fa9ab0
2 changed files with 30 additions and 14 deletions
--- a/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
+++ b/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
@@ -70,15 +70,6 @@ public final class HttpUtil
  /** authentication realm for basic authentication */
  public static final String AUTHENTICATION_REALM = "SONIA :: SCM Manager";

-  /** Field description */
-  public static final String ENCODING = "UTF-8";
-
-  /**
-   * authorization header
-   * @since 2.0.0
-   */
-  public static final String HEADER_AUTHORIZATION = "Authorization";
-
  /**
   * Basic authorization scheme
   * @since 2.0.0
@@ -91,6 +82,21 @@ public final class HttpUtil
   */
  public static final String AUTHORIZATION_SCHEME_BEARER = "Bearer";

+  /**
+   * Name of bearer authentication cookie.
+   * @since 2.0.0
+   */
+  public static final String COOKIE_BEARER_AUTHENTICATION = "X-Bearer-Token";
+
+  /** Field description */
+  public static final String ENCODING = "UTF-8";
+
+  /**
+   * authorization header
+   * @since 2.0.0
+   */
+  public static final String HEADER_AUTHORIZATION = "Authorization";
+
  /**
   * location header
   * @since 1.43
--- a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/AuthenticationResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/AuthenticationResource.java
@@ -60,6 +60,7 @@ import sonia.scm.security.BearerTokenGenerator;
 import sonia.scm.security.Tokens;
 import sonia.scm.user.User;
 import sonia.scm.util.HttpUtil;
+import sonia.scm.util.Util;

 //~--- JDK imports ------------------------------------------------------------

@@ -69,7 +70,6 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

-import javax.ws.rs.DefaultValue;
 import javax.ws.rs.FormParam;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
@@ -177,7 +177,7 @@ public class AuthenticationResource

      if (cookie)
      {
-        Cookie c = new Cookie("X-Bearer-Token", token);
+        Cookie c = new Cookie(HttpUtil.COOKIE_BEARER_AUTHENTICATION, token);

        c.setPath(request.getContextPath());

@@ -270,11 +270,21 @@ public class AuthenticationResource

    subject.logout();

+    // remove bearer authentication cookie
+    Cookie c = new Cookie(
+      HttpUtil.COOKIE_BEARER_AUTHENTICATION,
+      Util.EMPTY_STRING
+    );
+    c.setPath(request.getContextPath());
+    c.setMaxAge(0);
+    c.setHttpOnly(true);
+    
+    response.addCookie(c);
+
    Response resp;

    if (configuration.isAnonymousAccessEnabled())
    {
-
      resp = Response.ok(stateFactory.createAnonymousState()).build();
    }
    else