  1. OpenId Connect
  2. OIDC-270

Possible java.lang.IllegalStateException in backchannel logout

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 2.19.8
    • 2.19.7
    • Authenticator
    • None
    • Unknown

    Description

      It seems that it's possible for the backchannel logout endpoint to hit sessions which are already invalidated (even if the sessions it has invalidated are removed from the map).

      2026-02-05 16:00:11,232 [qtp1187903677-125 - https://wiki.od.devxwiki.com/oidc/authenticator/backchannel_logout] DEBUG i.OIDCResourceReferenceHandler - Failed to handle the OIDC endpoint 
      java.lang.IllegalStateException: null
      	at org.eclipse.jetty.session@12.1.5/org.eclipse.jetty.session.ManagedSession.beginInvalidate(ManagedSession.java:687)
      	at org.eclipse.jetty.session@12.1.5/org.eclipse.jetty.session.ManagedSession.invalidate(ManagedSession.java:629)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.SessionHandler$ServletSessionApi.invalidate(SessionHandler.java:383)
      	at org.xwiki.jakartabridge.servlet.internal.JavaxToJakartaHttpSession.invalidate(JavaxToJakartaHttpSession.java:147)
      	at org.xwiki.contrib.oidc.auth.internal.session.ClientHttpSessions.logout(ClientHttpSessions.java:136)
      	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
      	at org.xwiki.contrib.oidc.auth.internal.session.ClientHttpSessions.logout(ClientHttpSessions.java:122)
      	at org.xwiki.contrib.oidc.auth.internal.endpoint.BackChannelLogoutOIDCEndpoint.handle(BackChannelLogoutOIDCEndpoint.java:110)
      	at org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:164)
      	at org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:136)
      	at org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
      	at org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
      	at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:160)
      	at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:90)
      	at jakarta.servlet@6.0.0/jakarta.servlet.http.HttpServlet.service(HttpServlet.java:614)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1395)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:752)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1620)
      	at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:66)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1592)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1554)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.Dispatcher.forward(Dispatcher.java:135)
      	at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:148)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1592)
      	at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:212)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1592)
      	at org.xwiki.container.servlet.filters.internal.SafeRedirectFilter.doFilter(SafeRedirectFilter.java:106)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1592)
      	at org.xwiki.container.servlet.filters.internal.ResolveRelativeRedirectFilter.doFilter(ResolveRelativeRedirectFilter.java:129)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1592)
      	at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:120)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1592)
      	at org.eclipse.jetty.ee10.websocket.servlet@12.1.5/org.eclipse.jetty.ee10.websocket.servlet.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:199)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1592)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1554)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:868)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:449)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:469)
      	at org.eclipse.jetty.security@12.1.5/org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:546)
      	at org.eclipse.jetty.ee10.servlet@12.1.5/org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:719)
      	at org.eclipse.jetty.server@12.1.5/org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1224)
      	at org.eclipse.jetty.server@12.1.5/org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:148)
      	at org.eclipse.jetty.server@12.1.5/org.eclipse.jetty.server.Server.handle(Server.java:197)
      	at org.eclipse.jetty.server@12.1.5/org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:720)
      	at org.eclipse.jetty.server@12.1.5/org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:412)
      	at org.eclipse.jetty.server@12.1.5/org.eclipse.jetty.server.internal.HttpConnection.run(HttpConnection.java:673)
      	at org.eclipse.jetty.util@12.1.5/org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:1009)
      	at org.eclipse.jetty.util@12.1.5/org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1239)
      	at org.eclipse.jetty.util@12.1.5/org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1194)
      	at java.base/java.lang.Thread.run(Thread.java:1583)
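
The failure mode in the trace above, as an added example (not the OIDC extension's code or its fix): `HttpSession.invalidate()` throws `IllegalStateException` on an already-invalidated session, and an exception thrown inside `forEach` stops the iteration, so sessions later in the list are never invalidated. `Session`, the `sid` registry and every name below are constructed stand-ins.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;

public class BackchannelLogoutSketch {
    /** Constructed stand-in for HttpSession: invalidate() throws once the session is already invalid. */
    static final class Session {
        private boolean valid = true;
        synchronized void invalidate() {
            if (!valid) throw new IllegalStateException();
            valid = false;
        }
        synchronized boolean isValid() { return valid; }
    }

    // Hypothetical registry: OIDC "sid" claim -> local sessions opened for it.
    private final Map<String, List<Session>> bySid = new ConcurrentHashMap<>();

    void register(String sid, Session s) {
        bySid.computeIfAbsent(sid, k -> new CopyOnWriteArrayList<>()).add(s);
    }

    /** Invalidates every session for the sid; returns how many were already gone. */
    int logout(String sid) {
        List<Session> sessions = bySid.remove(sid);   // detach first so a retry cannot see them again
        if (sessions == null) return 0;
        int stale = 0;
        for (Session s : sessions) {
            try {
                s.invalidate();
            } catch (IllegalStateException e) {
                stale++;   // container timeout or a parallel logout got there first; goal already met
            }
        }
        return stale;
    }

    public static void main(String[] args) {
        BackchannelLogoutSketch reg = new BackchannelLogoutSketch();
        Session expired = new Session(), live = new Session();
        reg.register("sid-1", expired);
        reg.register("sid-1", live);
        expired.invalidate();                 // simulate the container invalidating it first
        int stale = reg.logout("sid-1");      // an unguarded forEach would throw here and skip `live`
        System.out.println("stale=" + stale + " liveStillValid=" + live.isValid());
    }
}
```

Catching the exception per session keeps one stale entry from turning the whole logout request into a failed one while other sessions for the same `sid` remain usable.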
      

          People

            tmortagne Thomas Mortagne