Open sunflower-seed opened 5 years ago
Thanks for the report. The problem is that as soon as you hit a protected URL the X509 certificate is still being used, which will authenticate again. I'm not sure there is anything you can do, because there is no way to signal to the browser to stop sending the certificate.
Thank you for your reply. And sorry if this was confusing:
which will authenticate again.
You can work around this by configuring the web server (Apache) to do cert requests only on a certain URL. So then logout is possible (although, as mentioned, it is not a real logout). But then you run into trouble with the keep-alive thing.
Can you put together a minimal and complete example of this?
Can you put together a minimal and complete example of this? I'll try. It may take some time.
Sorry, I tried to get the x509 sample running without success. Can you provide, or have you already provided, a short how-to anywhere?
The thing is pretty simple: If performing a logout with x509 the keep-alive header should be checked to always be 0 in this case.
Summary
If you configure your web server to do X509 authentication only on a specific URL, it is possible to use Spring Security's logout function (some kind of workaround). But if you immediately perform an action after logging out, you are still logged in.
Details
Logging out with certificate authentication is not really possible via the website. The only solution is to close the browser. And it's not the best solution to do certificate logins only via a login URL to have the possibility to perform logouts. So it's somewhat of an edge case. Also, this is at least not a security thing, because every user should be informed about how to handle certificates. But it's not really user friendly to perform an unsuccessful logout.
We chose this quirky implementation because we don't want to overtax users with a certificate request popup when they open the page, even if they don't have certificates. So we chose an extra URL where the user can perform certificate login.
Reason and Expected Behavior
The best thing in my use case would be that the user is logged out. Maybe this could be achieved by configuring the Spring app to do X509 only on a specified URL (not tested yet, see configuration), if this is possible.
If you perform a logout, the "Keep-Alive" HTTP header is sent and the browser is advised to keep the connection open for about 5 seconds. So the HTTPS connection that completed the handshake keeps running for at least five seconds after logout. So if you perform any action in this time, you are kept logged in.
For more security it might be best to set the Keep-Alive header to zero.
Configuration
The Apache web server has a hardcoded URL where SSL verification (x509) is enabled and the cert data are passed through to the app via AJP. Spring Security is globally configured to accept X509 logins.
Version
4.x
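An added example (not from the reporter or the Spring Security project) of the Apache setup the Configuration section describes: client certificates are requested only on one URL, the certificate data is passed to the backend over AJP, and the Keep-Alive window the report complains about is closed on the logout URL by Apache's built-in `nokeepalive` environment variable, which makes Apache answer with `Connection: close` instead of `Keep-Alive`. The hostname, file paths, the `/login-cert` and `/logout` URLs and the AJP backend address are placeholders.

```apache
# Global keep-alive settings (Apache defaults; KeepAliveTimeout 5 is the
# "about 5 seconds" window described in the report)
KeepAlive On
KeepAliveTimeout 5

<VirtualHost *:443>
    ServerName app.example.test                          # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt      # placeholder paths
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt   # CA that issued the client certs

    # Default: no client certificate is requested, so users without a
    # certificate never see the browser's certificate-selection popup.
    SSLVerifyClient none

    # Only this URL (placeholder) triggers a client-certificate request
    # via renegotiation; everything else stays anonymous at the TLS layer.
    <Location "/login-cert">
        SSLVerifyClient require
        SSLVerifyDepth 2
        # Export the SSL_CLIENT_* variables so mod_proxy_ajp forwards the
        # certificate to the Spring application as AJP request attributes.
        SSLOptions +StdEnvVars +ExportCertData
    </Location>

    # Close the connection when the logout URL (placeholder) is hit: with the
    # special "nokeepalive" variable set, Apache sends "Connection: close"
    # rather than "Keep-Alive", so the already-authenticated connection is
    # not reused for the next request.
    SetEnvIf Request_URI "^/logout" nokeepalive

    # Forward everything to the Spring application over AJP (placeholder backend).
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>
```

This only removes the five-second reuse window after logout; it does not log the browser out of the certificate, so a later request to `/login-cert` on a fresh connection will present the same certificate and authenticate again, exactly as the maintainer's first reply explains. Check the effect with `curl -v` against `/logout` and confirm the response carries `Connection: close` and no `Keep-Alive` header.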