[OPENAM-7265] Post Authentication Plugin HttpServletRequest is null in onLogout() method Created: 29/Oct/15  Updated: 20/Nov/16  Resolved: 26/Nov/15

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 12.0.0, 12.0.1, 12.0.2
Fix Version/s: 12.0.3, 13.0.0

Type: Bug Priority: Minor
Reporter: Kamal Sivanandam Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON, release-notes
Remaining Estimate: 0h
Time Spent: 3h
Original Estimate: Not Specified

Rank: 1|hzlb6f:
Sprint: AM Sustaining Sprint 14, AM Sustaining Sprint 15
Support Ticket IDs:


Post Authentication Plugin HttpServletRequest is null in onLogout() method

Steps to re-produce:

1) Install a 12.x OpenAM instance.
2) Configure a Post Authentication Plugin by following the steps at https://backstage.forgerock.com/#!/docs/openam/12.0.0/dev-guide/chap-post-auth
Make sure to add a snippet in the onLogout() like below.

public void onLogout(HttpServletRequest request, HttpServletResponse response, SSOToken ssoToken)
throws AuthenticationException {

DEBUG.message("Triggering the onLogout in the SamplePAP");

if (request != null)

{ DEBUG.message(" request is not null"); }


{ DEBUG.message("request is null"); }


3) Login to OpenAM using browser or REST.
4) Invoke logout from OpenAM using browser or REST.
5) The PAP onLogout will print message like "request is null", where as the expected behavior is to provide the HttpServletRequest object.

Comment by Quentin CASTEL [X] (Inactive) [ 09/Nov/15 ]

Seems like the problem comes from:

 private JsonValue logout(String tokenId, Context context) throws InternalServerErrorException {
                    authUtilsWrapper.logout(sessionId, null, httpServletResponse);
Comment by Bernhard Thalmayr [ 09/Nov/15 ]

only XUI is affected, legacy UI is not affected

Comment by Sachiko Wallace [ 17/Nov/15 ]

this will be quite hard to implement in 12.0.x since CHF is not available in REST.
thinking of either using ThreadLocal or creating custom HttpServletRequest, but leaning more towards latter because setting HttpServletRequest in ThreadLocal means I would have to set it on entry servlet like RestEndpointServlet, but I am not sure if I want to set it there because 13.0.0 allows you to retrieve HttpServletRequest via CHF. It might be easier to forward/backport the fix if I create dummy HttpServletRequest in SessionResource.

Generated at Tue Mar 09 10:47:05 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.