From 0e91f95192c54ede7891d43e84daa2d658e1c48f Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Tue, 6 Dec 2022 19:21:45 -0500
Subject: [PATCH] Force logout current subject before logging in and creating a new session
Signed-off-by: Darshit Chanpura
---
 .../java/org/opensearch/rest/RestController.java | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/server/src/main/java/org/opensearch/rest/RestController.java b/server/src/main/java/org/opensearch/rest/RestController.java
index 1ef1b906ce281..51e1e84e364a6 100644
--- a/server/src/main/java/org/opensearch/rest/RestController.java
+++ b/server/src/main/java/org/opensearch/rest/RestController.java
@@ -64,6 +64,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.Serializable;
 import java.net.URI;
 import java.util.Collections;
 import java.util.HashMap;
@@ -686,11 +687,21 @@ private static void getShiroSessionAndLogin(Subject subject, AuthenticationToken
 subject.login(headerToken);
 }

+ /**
+ * Logs out current user and kills the session if any to prevent Shiro from throwing
+ * {@link org.apache.shiro.session.UnknownSessionException} when calling
+ * {@link org.apache.shiro.session.mgt.DefaultSessionManager#retrieveSessionFromDataSource(Serializable sessionId)}
+ *
+ */
 private static void logoutCurrentSubjectAndClearSessionIfAny() {
 try {
+ // logout current subject
+ org.apache.shiro.subject.Subject subject = SecurityUtils.getSubject();
+ if (subject == null) return;
+ subject.logout();
 // Get current session and kill it before proceeding to create a new session
 // TODO: need to study the impact of this
- Session session = SecurityUtils.getSubject().getSession(false);
+ Session session = subject.getSession(false);
 if (session == null) return;
 session.stop();
 } catch (Exception e) {
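Review bot: The stale-subject cleanup in `logoutCurrentSubjectAndClearSessionIfAny` is best-effort: `subject.logout()` runs inside the existing `try`, so a failure lands in `catch (Exception e)` (its body is outside this hunk), and if that handler only logs, the caller goes on to `subject.login(...)` with a subject that may still carry the previous principals or session. Failing closed there, by rethrowing or by unbinding the thread's subject before continuing, would make the guarantee in the commit title hold on the error path too. Two of the lines also look dead: Shiro's `SecurityUtils.getSubject()` creates and binds a Subject when none exists, so `if (subject == null) return;` never fires, and with the default security manager a successful logout already stops the session, so `subject.getSession(false)` should return null before `session.stop()` is reached. I would drop the null check and replace the TODO with a comment such as `// logout() ends the session; the explicit stop() is only a fallback for security managers that do not`.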