KEYCLOAK-4288 Fix SAML logout session for Tomcat/EAP6

When logging out via the application (via the ?GLO=true query parameter),
CatalinaSamlSessionStore does not expire the session, whereas it does
expire it when logging out by SAML session index.

This causes distributed sessions to be invalidated only on the node handling
the request, while they remain active on the other nodes of the cluster. The
session can then be resurrected on the next cache replication, even back to
the node where the logout was performed. This behaviour is fixed here.
Hynek Mlnarik 2017-02-24 12:11:41 +01:00
parent b54d7c37b6
commit 567393a102


@ -89,10 +89,12 @@ public class CatalinaSamlSessionStore implements SamlSessionStore {
Session sessionInternal = request.getSessionInternal(false);
if (sessionInternal == null) return;
HttpSession session = sessionInternal.getSession();
List<String> ids = new LinkedList<String>();
if (session != null) {
SamlSession samlSession = (SamlSession)session.getAttribute(SamlSession.class.getName());
if (samlSession != null) {
if (samlSession.getSessionIndex() != null) {
ids.add(session.getId());
idMapper.removeSession(session.getId());
}
session.removeAttribute(SamlSession.class.getName());
@ -101,6 +103,7 @@ public class CatalinaSamlSessionStore implements SamlSessionStore {
}
sessionInternal.setPrincipal(null);
sessionInternal.setAuthType(null);
logoutSessionIds(ids);
}
@Override
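Review bot: In the first hunk the session id is only collected for expiry inside the `samlSession.getSessionIndex() != null` guard, so an application-initiated logout of a SAML session that carries no SessionIndex still leaves the HTTP session alive, which is the cluster-resurrection problem the commit sets out to fix. Only `idMapper.removeSession(session.getId());` depends on the index having been registered; `ids.add(session.getId());` can move out of that guard so that `logoutSessionIds(ids)` expires the session in both cases, assuming `logoutSessionIds` (defined outside the hunk) tolerates an id it has no mapping for. `LinkedList` could also be `ArrayList` here, since the list is only appended to and handed on. The enclosing method starts before the hunk.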