georchestra / georchestra-gateway

GNU General Public License v3.0

logout does not remove geoserver session, leaving next login with old credentials #14

Closed groldan closed 7 months ago

groldan commented 2 years ago

To reproduce:

1. log in as testadmin/testadmin against LDAP
2. access geoserver
3. logout
4. log in as testuser/testuser
5. access geoserver

Still got the admin rights.

The geoserver JSESSIONID is not cleared at logout.

Will be the same for any other stateful backend service.

pmauduit commented 2 years ago

Discussed previously on Slack, there was something to manage the cookies on the former SP: https://github.com/georchestra/georchestra/blob/master/security-proxy/src/main/java/org/georchestra/security/HeadersManagementStrategy.java#L223-L289

So we probably would need a similar mechanism.

groldan commented 9 months ago

I'm ooo, but as a reminder, turns out it's not about gateway handling cookies in any way, but about geoserver's http headers authentication filter getting the authentication object from an internal cache instead of clearing out the security context once the gateway stops sending the sec-username header. Solved in gscloud with its own "gateway" preauth filter.
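
As an added illustration of the mechanism described in the comment above (example code written for this page, not GeoServer's or the gateway's own filter), a hypothetical Spring Security pre-authentication filter that caches the `Authentication` per JSESSIONID: with `clearWhenHeaderAbsent=false` it keeps restoring the stale entry once the gateway stops sending `sec-username`, with `true` it clears the security context instead. The class name, the flag and the session-keyed cache are assumptions; only the header name and the Spring Security / Servlet classes are real.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
// Hypothetical header pre-auth filter (illustration only, not GeoServer's or the gateway's code).
public class HeaderPreAuthFilter implements Filter {
    static final String USER_HEADER = "sec-username"; // header the gateway sets for the logged-in user
    private final AuthenticationManager authManager;
    private final boolean clearWhenHeaderAbsent; // false reproduces the bug, true is the fix
    private final ConcurrentHashMap<String, Authentication> cache = new ConcurrentHashMap<>(); // by JSESSIONID
    public HeaderPreAuthFilter(AuthenticationManager authManager, boolean clearWhenHeaderAbsent) {
        this.authManager = authManager;
        this.clearWhenHeaderAbsent = clearWhenHeaderAbsent;
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        String key = session == null ? null : session.getId();
        String user = request.getHeader(USER_HEADER);
        Authentication cached = key == null ? null : cache.get(key);
        if (user == null || user.isEmpty()) {
            if (!clearWhenHeaderAbsent && cached != null) {
                // Bug: the gateway no longer vouches for anyone, yet the cached (e.g. admin) Authentication is restored because the browser still presents the same JSESSIONID.
                SecurityContextHolder.getContext().setAuthentication(cached);
            } else {
                // Fix: no header means no pre-authenticated principal; drop the cache entry and clear the context.
                if (key != null) cache.remove(key);
                SecurityContextHolder.clearContext();
            }
        } else if (cached != null && user.equals(cached.getName())) {
            SecurityContextHolder.getContext().setAuthentication(cached); // same principal: reuse
        } else {
            // New or changed principal: authenticate it and replace whatever was cached for this session.
            Authentication auth = authManager.authenticate(new PreAuthenticatedAuthenticationToken(user, "N/A"));
            if (key != null) cache.put(key, auth);
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        chain.doFilter(req, res);
    }
}
```

In the reproduction above, the request that follows the logout arrives with the old JSESSIONID and no `sec-username`, which is exactly the branch where the buggy variant hands back the admin's cached Authentication.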

fvanderbiest commented 9 months ago

Witnessed the issue today during a training session. Very scary stuff ...

This can be investigated with GSMEL-261