
1   package com.atlassian.seraph.logout;
2   
3   import com.atlassian.seraph.config.SecurityConfigImpl;
4   import com.atlassian.seraph.config.SecurityConfig;
5   import com.atlassian.seraph.config.SecurityConfigFactory;
6   import com.atlassian.seraph.auth.AuthenticatorException;
7   import com.atlassian.seraph.auth.Authenticator;
8   
9   import javax.servlet.http.HttpServlet;
10  import javax.servlet.http.HttpServletRequest;
11  import javax.servlet.http.HttpServletResponse;
12  import javax.servlet.http.HttpSession;
13  import javax.servlet.ServletException;
14  import javax.servlet.ServletConfig;
15  import java.io.IOException;
16  
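/**
 * Seraph logout servlet.  Configured via the 'logout.url' init param in seraph-config.xml. This servlet supports two
 * logout behaviours:
 * <ul>
 * <li>If 'logout.url' is a relative path (e.g. <code>/logout.jsp</code> or <code>/logout.action</code>), this servlet
 * simply redirects to it. The redirected-to page is responsible for calling {@link Authenticator#logout(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)}.</li>
 * <li>If 'logout.url' is absolute, this servlet logs the user out with {@link Authenticator#logout(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)}
 * and then redirects to the absolute URL.</li>
 * </ul>
 * <p>
 * Security notes:
 * <ul>
 * <li>The redirect target is built only from the configured 'logout.url' and the container-supplied context path;
 * no request parameter influences it.</li>
 * <li>"Absolute" means only that the configured value contains <code>://</code> somewhere. A relative path whose
 * query string contains <code>://</code> is therefore treated as absolute, and a scheme-relative value such as
 * <code>//host/path</code> is treated as relative (context path prepended, no logout performed here). Keep
 * 'logout.url' to a plain path or a full URL.</li>
 * <li>{@link #service} handles every HTTP method and performs no method or token check itself, so in the absolute
 * mode any request to this servlet, including a cross-site GET, ends the user's login. Use the relative mode with
 * a confirming logout page where that matters.</li>
 * </ul>
 */
public class LogoutServlet extends HttpServlet
{
    private SecurityConfig securityConfig;

    /**
     * Initialises the servlet with the configuration returned by {@link SecurityConfigFactory#getInstance()}.
     *
     * @throws ServletException if the superclass initialisation fails
     */
    public void init() throws ServletException
    {
        super.init();
        securityConfig = SecurityConfigFactory.getInstance();
    }

    /**
     * Initialises the servlet with the configuration stored in the servlet context under
     * {@link SecurityConfigImpl#STORAGE_KEY}.
     * <p>
     * <code>GenericServlet.init(ServletConfig)</code> invokes the no-arg {@link #init()}, so the factory instance is
     * assigned first and then replaced by the context attribute. If the attribute is absent the field ends up
     * <code>null</code> and {@link #service} rejects every request with a {@link ServletException}.
     *
     * @param servletConfig the container-supplied servlet configuration
     * @throws ServletException if the superclass initialisation fails
     */
    public void init(ServletConfig servletConfig) throws ServletException
    {
        super.init(servletConfig);
        // NOTE(review): presumably another Seraph component stores this attribute before the servlet is
        // initialised - confirm the initialisation order in the deployment descriptor.
        securityConfig = (SecurityConfig) servletConfig.getServletContext().getAttribute(SecurityConfigImpl.STORAGE_KEY);
    }

    /**
     * Redirects to the configured logout URL, logging the user out first when that URL is absolute.
     *
     * @param request  the current request; passed to the authenticator and used for the context path
     * @param response the current response; receives the redirect
     * @throws ServletException if the security configuration, the logout URL or the authenticator is missing, or if
     *                          the authenticator fails to log the user out
     * @throws IOException      if sending the redirect fails
     */
    protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        // Read the URL once so that the relative/absolute decision and the redirect use the same value.
        final String logoutUrl = resolveLogoutUrl();

        if (isRelativeRedirect(logoutUrl))
        {
            // Internal logout page; we rely on it to execute the logout logic in its own good time (eg., if the user confirms logout)
            response.sendRedirect(request.getContextPath() + logoutUrl);
            return;
        }

        // External logout page; we execute logout logic immediately, and redirect to the external page.
        final Authenticator authenticator = getAuthenticator();
        if (authenticator == null)
        {
            // Fail closed: never send the user to the external page as if logout had happened.
            throw new ServletException("Seraph authenticator is not available; cannot log out");
        }
        try
        {
            authenticator.logout(request, response);
        }
        catch (AuthenticatorException e)
        {
            throw new ServletException("Seraph authenticator couldn't log out", e);
        }
        response.sendRedirect(logoutUrl);
    }

    /**
     * Returns the configured logout URL, failing with a descriptive error instead of a bare
     * {@link NullPointerException} when the configuration or the URL is missing.
     */
    private String resolveLogoutUrl() throws ServletException
    {
        final SecurityConfig config = getSecurityConfig();
        if (config == null)
        {
            throw new ServletException("Seraph security configuration is not available to the logout servlet");
        }
        final String logoutUrl = config.getLogoutURL();
        if (logoutUrl == null)
        {
            throw new ServletException("Seraph 'logout.url' is not configured");
        }
        return logoutUrl;
    }

    /**
     * Classifies the logout URL: it is relative unless it contains <code>://</code> anywhere in the string.
     */
    private boolean isRelativeRedirect(String logoutUrl)
    {
        return logoutUrl.indexOf("://") == -1;
    }

    /**
     * Returns the security configuration assigned during initialisation; may be <code>null</code> if the
     * servlet-context attribute was absent.
     */
    protected SecurityConfig getSecurityConfig() {
        return securityConfig;
    }

    /**
     * Returns the authenticator held by the security configuration.
     */
    protected Authenticator getAuthenticator() {
        return getSecurityConfig().getAuthenticator();
    }
}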