OPENAM-1307: Goto validation not carried out on Logout if there is no SSO session


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 9.5.3_RC1, 9.5.3, 9.5.4_RC1, 9.5.4, 10.0.0-EA, 10.0.0
    • Fix Version/s: 9.5.5, 10.0.1, 10.1.0-Xpress
    • Component/s: authentication
    • Labels: None

      Description

      When the OpenAM Logout page is called with a goto parameter, for example UI/Logout?goto=http://some.blocked.site.com/, and the user no longer has a valid session (or the page is called without first establishing a session), any goto whitelist configured for the realm is not consulted to validate the goto parameter.

      The current LogoutViewBean code only validates the goto URL if it can resolve the session:

      try {
          sessionID = new SessionID(request);
          intSess = AuthD.getSession(sessionID);
          if (intSess != null) {
              populateL10NFileAttrs(intSess);
              // The whitelist check only runs inside this block, so it is skipped
              // whenever no session can be resolved.
              gotoUrl = AuthUtils.getValidGotoURL(request, orgDN);
              ....

      The fix is to move the check outside of the session code block.
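      As an added illustration (not OpenAM's own code), the following self-contained Java model shows the goto handling before and after moving the whitelist check out of the session block; REALM_GOTO_WHITELIST, DEFAULT_LOGOUT_URL and validGotoUrl are assumed stand-ins for the realm goto whitelist and AuthUtils.getValidGotoURL, and the assumption that the raw parameter is otherwise carried through is also the author of this example's, not the page's.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class LogoutGotoCheck {
    // Assumed fallback when no acceptable goto is supplied (not OpenAM's constant).
    static final String DEFAULT_LOGOUT_URL = "/openam/UI/Logout";

    // Constructed realm whitelist: only these hosts may receive a post-logout redirect.
    static final Set<String> REALM_GOTO_WHITELIST = Set.of("portal.example.com", "app.example.com");

    // Stand-in for the realm whitelist check: returns the goto if acceptable, else null.
    static String validGotoUrl(String gotoParam, Set<String> whitelist) {
        if (gotoParam == null) return null;
        try {
            URI uri = new URI(gotoParam);
            String host = uri.getHost();
            // A relative path stays on the OpenAM server; an absolute URL must match the list.
            if (uri.getScheme() == null && host == null && gotoParam.startsWith("/")) return gotoParam;
            if (host != null && whitelist.contains(host.toLowerCase())) return gotoParam;
        } catch (URISyntaxException e) {
            // malformed goto values are rejected
        }
        return null;
    }

    // Before the fix: validation sits inside the session block, so with no session
    // (intSess == null) the raw parameter is used without consulting the whitelist.
    static String gotoBeforeFix(String gotoParam, Object intSess) {
        String gotoUrl = gotoParam;
        if (intSess != null) {
            gotoUrl = validGotoUrl(gotoParam, REALM_GOTO_WHITELIST);
        }
        return gotoUrl != null ? gotoUrl : DEFAULT_LOGOUT_URL;
    }

    // After the fix: the whitelist check is outside the session block and always runs.
    static String gotoAfterFix(String gotoParam, Object intSess) {
        if (intSess != null) {
            // session-dependent work (populateL10NFileAttrs in the real code) goes here
        }
        String gotoUrl = validGotoUrl(gotoParam, REALM_GOTO_WHITELIST);
        return gotoUrl != null ? gotoUrl : DEFAULT_LOGOUT_URL;
    }

    public static void main(String[] args) {
        String blocked = "http://some.blocked.site.com/";
        System.out.println("no session, before fix: " + gotoBeforeFix(blocked, null));
        System.out.println("no session, after fix:  " + gotoAfterFix(blocked, null));
        System.out.println("whitelisted, after fix: " + gotoAfterFix("https://portal.example.com/home", null));
    }
}
```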

      People

      Assignee: markdr Mark de Reeper
      Reporter: markdr Mark de Reeper