com.atlassian.jira.security.login
Class JiraLogoutServlet

java.lang.Object
  extended by javax.servlet.GenericServlet
      extended by javax.servlet.http.HttpServlet
          extended by com.atlassian.jira.security.login.JiraLogoutServlet
All Implemented Interfaces:
Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

public class JiraLogoutServlet
extends javax.servlet.http.HttpServlet

Responsible for processing log-out requests.
It performs an XSRF check and delegates to the underlying Seraph log-out servlet.

Since:
v4.1.1
See Also:
LogoutServlet, Serialized Form

Constructor Summary
JiraLogoutServlet()
           
 
Method Summary
 void destroy()
           
 javax.servlet.ServletConfig getServletConfig()
           
 void init()
           
 void init(javax.servlet.ServletConfig servletConfig)
           
protected  void service(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Processes a request to log out a user.
 
Methods inherited from class javax.servlet.http.HttpServlet
doDelete, doGet, doHead, doOptions, doPost, doPut, doTrace, getLastModified, service
 
Methods inherited from class javax.servlet.GenericServlet
getInitParameter, getInitParameterNames, getServletContext, getServletInfo, getServletName, log, log
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

JiraLogoutServlet

public JiraLogoutServlet()
Method Detail

init

public void init()
          throws javax.servlet.ServletException
Overrides:
init in class javax.servlet.GenericServlet
Throws:
javax.servlet.ServletException

init

public void init(javax.servlet.ServletConfig servletConfig)
          throws javax.servlet.ServletException
Specified by:
init in interface javax.servlet.Servlet
Overrides:
init in class javax.servlet.GenericServlet
Throws:
javax.servlet.ServletException

service

protected void service(javax.servlet.http.HttpServletRequest request,
                       javax.servlet.http.HttpServletResponse response)
                throws javax.servlet.ServletException,
                       IOException

Processes a request to log out a user. If the request carries a valid XSRF token, it delegates to the underlying Seraph log-out servlet.

Otherwise, it is possible that the XSRF token has expired (due to a session timeout), or that this is a dodgy token.

When the session times out, users who have remember me or Crowd SSO turned on will still be authenticated. We need to confirm that they are who they say they are before performing a log-out, because the log-out performs clean-up operations for them (e.g. removing the remember me cookie); we don't want an attacker to trick you into deleting your own remember me cookie.

On the other hand, if there's no authenticated user and the session is gone, we tell the user that they are already logged out.

Overrides:
service in class javax.servlet.http.HttpServlet
Parameters:
request - The request in play.
response - The response in play.
Throws:
javax.servlet.ServletException
IOException

getServletConfig

public javax.servlet.ServletConfig getServletConfig()
Specified by:
getServletConfig in interface javax.servlet.Servlet
Overrides:
getServletConfig in class javax.servlet.GenericServlet

destroy

public void destroy()
Specified by:
destroy in interface javax.servlet.Servlet
Overrides:
destroy in class javax.servlet.GenericServlet


Copyright © 2002-2012 Atlassian. All Rights Reserved.