cloudfoundry/gorouter

Spring Security/Gorouter Issue?

Closed this issue · 5 comments

sdesa commented

I am working with Spring Security to secure an application deployed on Pivotal Cloud Foundry. When I log out, the SecurityContext is cleared and the JSESSIONID cookie is deleted. When I go back to the home page, a new JSESSIONID is automatically created and the application logs me in without asking me to authenticate. This happens only on PCF but works fine locally. When I run the application locally, logout deletes the cookie and forces me to re-login. On PCF it does not; I am wondering if I need to delete the VCAP_ID cookie too?

The code snippet is as below:
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Disables Spring Security's default Cache-Control / Pragma / Expires headers;
        // the reporter later identified this as the cause of the behaviour described above.
        http.headers().cacheControl().disable();
        http.headers().xssProtection();
        http.headers().httpStrictTransportSecurity();

        http
            .headers()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
            .and()
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
            .and()
            .exceptionHandling()
            .authenticationEntryPoint(ssoRedirectionEntryPoint()).accessDeniedPage(accessDeniedUrl)
            .and()
            .authorizeRequests()
            .antMatchers("/ui/**").access(<<custom-permission-check>>)
            .anyRequest().authenticated()
            .and()
            .addFilterBefore(ssoAuthenticationProcessingFilter(), AbstractPreAuthenticatedProcessingFilter.class);

        http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true).addLogoutHandler(ssoLogoutHandler());
    }

    @Bean
    public LogoutFilter ssoLogoutFilter() {
        // Redirect to "/" after logout; the handler below clears the session and the SecurityContext.
        LogoutFilter filter = new LogoutFilter("/", ssoLogoutHandler());
        filter.setLogoutRequestMatcher(new AntPathRequestMatcher("/logout"));
        return filter;
    }

    // ssoRedirectionEntryPoint(), ssoAuthenticationProcessingFilter(), ssoLogoutHandler()
    // and accessDeniedUrl are defined elsewhere in the application and are not shown in the issue.
}

public class SSOLogoutHandler implements LogoutHandler {
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {

        // At the end, invalidate the session if there is one
        if (request.getSession(false) != null) {
            request.getSession(false).invalidate();
        }

        SecurityContextHolder.clearContext();

        ......
    }
}
```

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/160222211

The labels on this github issue will be updated when the story is started.

We noticed that your corresponding issue in PCF-dev was closed, so we are going to close this as well. We recommend contacting Pivotal Support if further assistance is needed.

Hello,
If you could provide us with an app with which we can reproduce this in an OSS Cloud Foundry environment, we'll take a look. Gorouter shouldn't be removing the JSESSIONID cookie, only adding the VCAP_ID cookie.
Thank you

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/160693674

The labels on this github issue will be updated when the story is started.

sdesa commented

This can be closed; cache control was the issue, and after adding that, this got resolved.
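Since the resolution came down to the Cache-Control headers that `cacheControl().disable()` had removed, a useful regression check is to audit the logout response and the following home-page response for the two properties this issue hinges on. The script below is an added example, not code from the issue or from the gorouter project; the HTTP responses in it are constructed samples, and the target directives are Spring Security's default `Cache-Control` header, which is assumed to be what the application emits once cache control is left enabled.

```python
# Required Cache-Control directives (Spring Security's defaults when cacheControl() is enabled).
REQUIRED_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}

def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status_code, [(name_lower, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def cookie_is_expired(set_cookie_value, name):
    """True if this Set-Cookie line deletes `name` (Max-Age=0 or an Expires date in 1970)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    if not parts[0].startswith(name + "="):
        return False
    attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else "") for p in parts[1:]}
    return attrs.get("max-age") == "0" or "1970" in attrs.get("expires", "")

def audit_logout_flow(logout_raw, home_raw):
    """Return a list of findings; an empty list means the logout flow looks correct."""
    findings = []
    _, logout_headers = parse_response(logout_raw)
    _, home_headers = parse_response(home_raw)
    # 1. The logout response must delete the servlet session cookie. VCAP_ID is gorouter's
    #    session-affinity cookie, not an authentication token, so it is not checked here.
    if not any(n == "set-cookie" and cookie_is_expired(v, "JSESSIONID") for n, v in logout_headers):
        findings.append("logout response does not expire JSESSIONID")
    # 2. Authenticated pages must not be cacheable, otherwise the browser can replay the
    #    logged-in view after logout; this is exactly what cacheControl().disable() removed.
    cc = ",".join(v for n, v in home_headers if n == "cache-control")
    present = {d.strip().lower().split("=")[0] for d in cc.split(",") if d.strip()}
    missing = sorted(REQUIRED_DIRECTIVES - present)
    if missing:
        findings.append("home page Cache-Control missing: " + ", ".join(missing))
    return findings

# Constructed sample responses (not captured from a real deployment).
LOGOUT = "HTTP/1.1 302 Found\nLocation: /\nSet-Cookie: JSESSIONID=; Max-Age=0; Path=/; HttpOnly"
HOME_BEFORE = "HTTP/1.1 200 OK\nContent-Type: text/html\nSet-Cookie: JSESSIONID=A1B2; Path=/; HttpOnly"
HOME_AFTER = ("HTTP/1.1 200 OK\nContent-Type: text/html\n"
              "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\n"
              "Pragma: no-cache\nExpires: 0")

if __name__ == "__main__":
    print("before:", audit_logout_flow(LOGOUT, HOME_BEFORE))
    print("after: ", audit_logout_flow(LOGOUT, HOME_AFTER))
```

Feed it the real response heads (for example from `curl -i`) for the `/logout` request and the next page load to confirm the deployed configuration behaves like the "after" case.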