Force logout current subject before logging in and creating a new ses…

…sion Signed-off-by: Darshit Chanpura <[email protected]>
opensearch-project · Dec 7, 2022 · 0e91f95 · 0e91f95
1 parent 57df6b6
commit 0e91f95
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/server/src/main/java/org/opensearch/rest/RestController.java b/server/src/main/java/org/opensearch/rest/RestController.java
@@ -64,6 +64,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.Serializable;
 import java.net.URI;
 import java.util.Collections;
 import java.util.HashMap;
@@ -686,11 +687,21 @@ private static void getShiroSessionAndLogin(Subject subject, AuthenticationToken
         subject.login(headerToken);
     }
 
+    /**
+     * Logs out current user and kills the session if any to prevent Shiro from throwing
+     * {@link org.apache.shiro.session.UnknownSessionException} when calling
+     * {@link org.apache.shiro.session.mgt.DefaultSessionManager#retrieveSessionFromDataSource(Serializable sessionId)}
+     *
+     */
     private static void logoutCurrentSubjectAndClearSessionIfAny() {
         try {
+            // logout current subject
+            org.apache.shiro.subject.Subject subject = SecurityUtils.getSubject();
+            if (subject == null) return;
+            subject.logout();
             // Get current session and kill it before proceeding to create a new session
             // TODO: need to study the impact of this
-            Session session = SecurityUtils.getSubject().getSession(false);
+            Session session = subject.getSession(false);
             if (session == null) return;
             session.stop();
         } catch (Exception e) {