com.atlassian.jira.security.login

Class JiraLogoutServlet

java.lang.Object

javax.servlet.GenericServlet

javax.servlet.http.HttpServlet

com.atlassian.jira.security.login.JiraLogoutServlet

All Implemented Interfaces:

Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

public class JiraLogoutServlet
extends javax.servlet.http.HttpServlet

Responsible for processing log-out requests.
It performs an XSRF check and delegates to the underlying Seraph log-out servlet.

Since:

v4.1.1

See Also:

LogoutServlet, Serialized Form

Constructor Summary

Constructors

Constructor and Description
JiraLogoutServlet()

Method Summary

Modifier and Type	Method and Description
void	destroy()
javax.servlet.ServletConfig	getServletConfig()
void	init()
void	init(javax.servlet.ServletConfig servletConfig)
protected void	service(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Processes a request to log-out a User.

Methods inherited from class javax.servlet.http.HttpServlet

doDelete, doGet, doHead, doOptions, doPost, doPut, doTrace, getLastModified, service

Methods inherited from class javax.servlet.GenericServlet

getInitParameter, getInitParameterNames, getServletContext, getServletInfo, getServletName, log, log

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JiraLogoutServlet

public JiraLogoutServlet()

Method Detail

init

public void init()
          throws javax.servlet.ServletException

Overrides:

init in class javax.servlet.GenericServlet

Throws:

javax.servlet.ServletException

init

public void init(javax.servlet.ServletConfig servletConfig)
          throws javax.servlet.ServletException

Specified by:

init in interface javax.servlet.Servlet

Overrides:

init in class javax.servlet.GenericServlet

Throws:

javax.servlet.ServletException

service

protected void service(javax.servlet.http.HttpServletRequest request,
                       javax.servlet.http.HttpServletResponse response)
                throws javax.servlet.ServletException,
                       IOException

Processes a request to log-out a User. If there's a valid XSRF token, it delegates to the underlying Seraph log-out servlet.

Otherwise, it is possible that the XSRF token has expired (due to a session timeout), or that this is a dodgy token.

When the session times out, there are users who have remember me or Crowd SSO turned on and they will be authenticated. We need to confirm that they are who they say they are in order to perform a log-out, this is because we need to perform clean-up operations for them (e.g removing the remember me cookie, we don't want attacker to trick you into deleting your own remember me cookie).

On the other hand, if there's no authenticated user and the session is gone, we tell the user that he's already logged out.

Overrides:

service in class javax.servlet.http.HttpServlet

Parameters:

request - The request in play.

response - The response in play.

Throws:

javax.servlet.ServletException

IOException

getServletConfig

public javax.servlet.ServletConfig getServletConfig()

Specified by:

getServletConfig in interface javax.servlet.Servlet

Overrides:

getServletConfig in class javax.servlet.GenericServlet

destroy

public void destroy()

Specified by:

destroy in interface javax.servlet.Servlet

Overrides:

destroy in class javax.servlet.GenericServlet