Clear shiro session for current subject before attempting to login

Signed-off-by: Darshit Chanpura <[email protected]>
opensearch-project · Dec 6, 2022 · 57df6b6 · 57df6b6
1 parent 78c1306
commit 57df6b6
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/server/src/main/java/org/opensearch/rest/RestController.java b/server/src/main/java/org/opensearch/rest/RestController.java
@@ -37,6 +37,7 @@
 import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.session.Session;
 import org.opensearch.OpenSearchException;
 import org.opensearch.authn.tokens.AuthenticationToken;
 import org.opensearch.authn.tokens.BasicAuthToken;
@@ -678,11 +679,22 @@ private AuthenticationToken tokenType(String authHeader) {
      * @param headerToken Attempt login using this token
      */
     private static void getShiroSessionAndLogin(Subject subject, AuthenticationToken headerToken) {
-
         // Get or create a new session for this subject when there is none to ensure passing tests.
         // TODO: Ensure that shiro session is allowed to be created everytime
-        SecurityUtils.getSubject().getSession();
+        logoutCurrentSubjectAndClearSessionIfAny();
 
         subject.login(headerToken);
     }
+
+    private static void logoutCurrentSubjectAndClearSessionIfAny() {
+        try {
+            // Get current session and kill it before proceeding to create a new session
+            // TODO: need to study the impact of this
+            Session session = SecurityUtils.getSubject().getSession(false);
+            if (session == null) return;
+            session.stop();
+        } catch (Exception e) {
+            // Ignore all errors, as we're trying to silently kill the session
+        }
+    }
 }