Closed groldan closed 7 months ago
Discussed previously on Slack, there was something to manage the cookies on the former SP: https://github.com/georchestra/georchestra/blob/master/security-proxy/src/main/java/org/georchestra/security/HeadersManagementStrategy.java#L223-L289 So we probably would need a similar mechanism.
I'm ooo, but as a reminder, it turns out it's not about the gateway handling cookies in any way, but about GeoServer's HTTP headers authentication filter getting the authentication object from an internal cache instead of clearing out the security context once the gateway stops sending the sec-username header. Solved in gscloud with its own "gateway" preauth filter.
Witnessed the issue today during a training session. Very scary stuff ...
This can be investigated with GSMEL-261
To reproduce:

1. Log in as testadmin/testadmin against LDAP
2. Access GeoServer
3. Log out
4. Log in as testuser/testuser
5. Access GeoServer

Still got the admin rights.
The geoserver JSESSIONID is not cleared at logout.
Will be the same for any other stateful backend service
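As an added illustration of the mitigation the thread describes (this is not code from geOrchestra, GeoServer or gscloud), a hypothetical servlet filter that binds the backend's HTTP session to the user the gateway asserts in `sec-username` and invalidates that session, and the cached security context, whenever the assertion disappears or changes. The class and attribute names, the `javax.servlet` API and the use of Spring Security's `SecurityContextHolder` are assumptions about the deployment; it also assumes the gateway is the only hop that can reach the backend and strips any client-supplied `sec-username`.

```java
// Hypothetical filter (added example, not project code). Place it in front of the
// backend's header authentication filter so a stale Authentication is never reused.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;

public class GatewayIdentityBindingFilter implements Filter {
    static final String HEADER = "sec-username";          // header the gateway sends (from the thread)
    static final String BOUND_USER = "gateway.boundUser"; // hypothetical session attribute name

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String asserted = request.getHeader(HEADER);      // null once the user has logged out
        HttpSession session = request.getSession(false);  // never create a session just to check
        String bound = session == null ? null : (String) session.getAttribute(BOUND_USER);

        if (!identityMatches(asserted, bound)) {
            // The gateway stopped asserting a user, asserts a different one, or this is
            // a fresh login: the old session (and the JSESSIONID that carries the cached
            // Authentication) must not survive into the new identity.
            if (session != null) {
                session.invalidate();
            }
            SecurityContextHolder.clearContext();
            if (asserted != null) {
                // New identity gets a new session id, bound to that identity.
                request.getSession(true).setAttribute(BOUND_USER, asserted);
            }
        }
        chain.doFilter(req, res);
    }

    /** True only when the session is bound to exactly the asserted user (or neither exists). */
    static boolean identityMatches(String asserted, String bound) {
        if (asserted == null) {
            return bound == null; // anonymous request against an anonymous (or no) session
        }
        return asserted.equals(bound);
    }
}
```

With this in place, the logout in the reproduction steps above (no `sec-username` on the next request) invalidates the admin session before the header filter can read it, and the subsequent testuser login starts from a clean session.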