SecurityShepherd/src/main/java/servlets/Logout.java at dbd003cc38d5e303063cd0e1dae91ddb17ca801b · OWASP/SecurityShepherd · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
package servlets;

import com.onelogin.saml2.Auth;
import com.onelogin.saml2.exception.Error;
import com.onelogin.saml2.exception.SettingsException;
import java.io.IOException;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import utils.LoginMethod;
import utils.ShepherdLogManager;
import utils.Validate;

/**
 * Control class for the logout operation <br>
 * <br>
 * This file is part of the Security Shepherd Project.
 *
 * <p>The Security Shepherd project is free software: you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free Software Foundation, either
 * version 3 of the License, or (at your option) any later version.<br>
 *
 * <p>The Security Shepherd project is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 * PURPOSE. See the GNU General Public License for more details.<br>
 *
 * <p>You should have received a copy of the GNU General Public License along with the Security
 * Shepherd project. If not, see <http://www.gnu.org/licenses/>.
 *
 * @author Mark Denihan
 */
public class Logout extends HttpServlet {

  private static final long serialVersionUID = 1L;
  private static final Logger log = LogManager.getLogger(Logout.class);

  /**
   * Initiated in index.jsp. Invalidates session and Security Shepherd tokens are removed. The user
   * is logged out.
   */
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Setting IpAddress To Log and taking header for original IP if forwarded from
    // proxy
    ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"));
    log.debug("**** servlets.Logout ***");
    response.setCharacterEncoding("UTF-8");
    request.setCharacterEncoding("UTF-8");
    HttpSession ses = request.getSession(true);
    if (Validate.validateSession(ses)) {
      ShepherdLogManager.setRequestIp(
          request.getRemoteAddr(),
          request.getHeader("X-Forwarded-For"),
          ses.getAttribute("userName").toString());
      log.debug("Current User: " + ses.getAttribute("userName").toString());
      Cookie tokenCookie = Validate.getToken(request.getCookies());
      Object tokenParmeter = request.getParameter("csrfToken");
      if (Validate.validateTokens(tokenCookie, tokenParmeter)) {

        // Remove Everything
        ses.removeAttribute("userStamp");
        ses.removeAttribute("userName");
        ses.removeAttribute("userRole");

        // Invalidate Session on server
        ses.invalidate();
        ses = request.getSession(true);

        // Remove cookie
        Cookie emptyCookie = new Cookie("token", "");
        emptyCookie.setPath("/");
        response.addCookie(emptyCookie);
        log.debug("User Logged Out");

        if (LoginMethod.isSaml()) {

          Auth auth;
          try {
            auth = new Auth(request, response);
          } catch (SettingsException e) {
            throw new RuntimeException("SAML not configured: " + e.toString());
          } catch (Error e) {
            throw new RuntimeException("SAML error : " + e.toString());
          }

          String nameId = null;
          if (ses.getAttribute("nameId") != null) {
            nameId = ses.getAttribute("nameId").toString();
          }
          String nameIdFormat = null;
          if (ses.getAttribute("nameIdFormat") != null) {
            nameIdFormat = ses.getAttribute("nameIdFormat").toString();
          }
          String nameidNameQualifier = null;
          if (ses.getAttribute("nameidNameQualifier") != null) {
            nameIdFormat = ses.getAttribute("nameidNameQualifier").toString();
          }
          String nameidSPNameQualifier = null;
          if (ses.getAttribute("nameidSPNameQualifier") != null) {
            nameidSPNameQualifier = ses.getAttribute("nameidSPNameQualifier").toString();
          }
          String sessionIndex = null;
          if (ses.getAttribute("sessionIndex") != null) {
            sessionIndex = ses.getAttribute("sessionIndex").toString();
          }
          try {
            auth.logout(
                null,
                nameId,
                sessionIndex,
                nameIdFormat,
                nameidNameQualifier,
                nameidSPNameQualifier);
          } catch (SettingsException e) {
            throw new RuntimeException("SAML settings error : " + e.toString());
          }

        } else {

          response.sendRedirect("login.jsp");
        }

      } else {
        log.error("CSRF Attack Detected");
        response.sendRedirect("index.jsp");
      }
    } else {
      log.error("Logout Function Called with no valid session");
      response.sendRedirect("login.jsp");
    }
    log.debug("*** END Logout ***");
  }
}