fix: remove multiple tokens from cookies (#2514)

Signed-off-by: achmelo <[email protected]>
zowe · Jul 21, 2022 · d5bc187 · d5bc187
1 parent e491d7c
commit d5bc187
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 11 deletions.
diff --git a/...c/main/java/org/zowe/apiml/gateway/security/service/schema/HttpBasicPassTicketScheme.java b/...c/main/java/org/zowe/apiml/gateway/security/service/schema/HttpBasicPassTicketScheme.java
@@ -45,6 +45,7 @@ public class HttpBasicPassTicketScheme implements IAuthenticationScheme {
     private final PassTicketService passTicketService;
     private final AuthSourceService authSourceService;
     private final String cookieName;
+    private final String patCookieName;
 
     public HttpBasicPassTicketScheme(
         PassTicketService passTicketService,
@@ -54,6 +55,7 @@ public HttpBasicPassTicketScheme(
         this.passTicketService = passTicketService;
         this.authSourceService = authSourceService;
         cookieName = authConfigurationProperties.getCookieProperties().getCookieName();
+        patCookieName = authConfigurationProperties.getCookieProperties().getCookieNamePAT();
     }
 
     @Override
@@ -102,7 +104,7 @@ public AuthenticationCommand createCommand(Authentication authentication, AuthSo
         final String value = "Basic " + encoded;
 //        passticket is valid only once, therefore this command needs to expire immediately and each call should generate new passticket
         long expiration = System.currentTimeMillis();
-        return new PassTicketCommand(value, cookieName, expiration);
+        return new PassTicketCommand(value, cookieName, patCookieName, expiration);
     }
 
     @Override
@@ -120,14 +122,16 @@ public static class PassTicketCommand extends AuthenticationCommand {
 
         String authorizationValue;
         String cookieName;
+        String patCookieName;
         Long expireAt;
 
         @Override
         public void apply(InstanceInfo instanceInfo) {
             if (authorizationValue != null) {
                 final RequestContext context = RequestContext.getCurrentContext();
                 context.addZuulRequestHeader(HttpHeaders.AUTHORIZATION, authorizationValue);
-                JwtCommand.removeCookie(context, cookieName);
+                String[] cookiesToBeRemoved = new String[]{cookieName,patCookieName};
+                JwtCommand.removeCookie(context, cookiesToBeRemoved);
             }
         }
 

diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/JwtCommand.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/JwtCommand.java
@@ -26,13 +26,18 @@ public static void setCookie(RequestContext context, String name, String value)
         );
     }
 
-    public static void removeCookie(RequestContext context, String name) {
-        context.addZuulRequestHeader(COOKIE_HEADER,
-            CookieUtil.removeCookie(
-                context.getRequest().getHeader(COOKIE_HEADER),
+    public static void removeCookie(RequestContext context, String[] names) {
+        String cookie = context.getRequest().getHeader(COOKIE_HEADER);
+        for (String name : names) {
+            cookie = CookieUtil.removeCookie(
+                cookie,
                 name
-            )
+            );
+        }
+        context.addZuulRequestHeader(COOKIE_HEADER,
+            cookie
         );
+
     }
 
     @Override

diff --git a/...ay-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/SafIdtScheme.java b/...ay-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/SafIdtScheme.java
@@ -155,8 +155,8 @@ public void apply(InstanceInfo instanceInfo) {
                 final RequestContext context = RequestContext.getCurrentContext();
                 // add header with SafIdt token to request and remove APIML token from Cookie if exists
                 context.addZuulRequestHeader(SAF_TOKEN_HEADER, safIdentityToken);
-                JwtCommand.removeCookie(context, authConfigurationProperties.getCookieProperties().getCookieName());
-                JwtCommand.removeCookie(context, authConfigurationProperties.getCookieProperties().getCookieNamePAT());
+                String[] cookiesToBeRemoved = new String[]{authConfigurationProperties.getCookieProperties().getCookieName(), authConfigurationProperties.getCookieProperties().getCookieNamePAT()};
+                JwtCommand.removeCookie(context, cookiesToBeRemoved);
             }
         }
 

diff --git a/...way-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/ZosmfScheme.java b/...way-service/src/main/java/org/zowe/apiml/gateway/security/service/schema/ZosmfScheme.java
@@ -119,8 +119,8 @@ public void apply(InstanceInfo instanceInfo) {
                 final RequestContext context = RequestContext.getCurrentContext();
                 if (AuthSource.Origin.ZOSMF.equals(authSourceOrigin)) {
                     // token is generated by z/OSMF, fix set cookies
-                    removeCookie(context, authConfigurationProperties.getCookieProperties().getCookieName());
-                    removeCookie(context, authConfigurationProperties.getCookieProperties().getCookieNamePAT());
+                    String[] cookiesToBeRemoved = new String[]{authConfigurationProperties.getCookieProperties().getCookieName(),authConfigurationProperties.getCookieProperties().getCookieNamePAT()};
+                    removeCookie(context, cookiesToBeRemoved);
                     setCookie(context, ZosmfService.TokenType.JWT.getCookieName(), cookieValue);
                 } else if (AuthSource.Origin.ZOWE.equals(authSourceOrigin)) {
                     // user use Zowe own JWT token, for communication with z/OSMF there should be LTPA token, use it