Further tidy-up of login/logout logging

Author: Alex Heneveld

rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java

@@ -165,6 +165,10 @@ public void run(HttpServletRequest webRequest, ManagementContext mgmt, @Nullable
                 if (idxColon >= 0) {
                     user = userpass.substring(0, idxColon);
                     pass = userpass.substring(idxColon + 1);
+                    if ("logout".equals(user) && "logout".equals(pass)) {
+                        // logout:logout sent by UI to clear browser state; force failure here and suppress subsequent error messages in log, after a logout
+                        throw abort("Reauthorization required after logout", provider.requiresUserPass());
+                    }
                 } else {
                     throw abort("Invalid authorization string (no colon after decoding)", provider.requiresUserPass());
                 }
@@ -192,7 +196,8 @@ public void run(HttpServletRequest webRequest, ManagementContext mgmt, @Nullable
                     }
                 }
                 LoginLogging.logLoginIfNotLogged(preferredSession2, user,
-                        MutableMap.of("origin", webRequest.getRemoteAddr(), "provider", provider.getClass().getName()));
+                        MutableMap.of("origin", webRequest.getRemoteAddr(), "provider",
+                                DelegatingSecurityProvider.getTarget(provider).getClass().getName()));
 
                 return;
             }

rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/LoginLogging.java

@@ -19,6 +19,7 @@
 package org.apache.brooklyn.rest.security;
 
 import org.apache.brooklyn.util.collections.MutableMap;
+import org.apache.brooklyn.util.exceptions.Exceptions;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -50,7 +51,20 @@ private static String getValuesForLogging(HttpSession session, Map<String, Strin
     }
 
     public static void logLogout(HttpSession session, String user, Map<String,String> values) {
-        session.setAttribute(LOGIN_LOGGED, false);
+        boolean error = false;
+        try {
+            session.setAttribute(LOGIN_LOGGED, false);
+        } catch (Exception e) {
+            Exceptions.propagateIfFatal(e);
+            // expected
+            error = true;
+        }
+        if (!error) {
+            log.warn("Expected error clearing logged attribute on session but session did not report an invalidated error: "+session);
+            values = MutableMap.copyOf(values).add("error", "WARN: unconfirmed; see log above");
+        }
+        // above is just to be safe; normally logout will invalidate session so the above will error with no side-effect
+
         log.debug(
                 "Logout of " +
                         (user==null ? "anonymous user" : "user: "+user) +

rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/DelegatingSecurityProvider.java

@@ -51,6 +51,11 @@ public DelegatingSecurityProvider(ManagementContext mgmt) {
 
     private SecurityProvider delegate;
 
+    public static SecurityProvider getTarget(SecurityProvider provider) {
+        if (provider instanceof DelegatingSecurityProvider) return getTarget( ((DelegatingSecurityProvider) provider).getDelegate() );
+        return provider;
+    }
+
     public synchronized SecurityProvider getDelegate() {
         if (delegate == null) {
             delegate = loadDelegate();

rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.java

@@ -31,6 +31,7 @@
 import org.apache.brooklyn.core.internal.BrooklynProperties;
 import org.apache.brooklyn.rest.BrooklynWebConfig;
 import org.apache.brooklyn.rest.security.PasswordHasher;
+import org.apache.brooklyn.util.text.Strings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -74,10 +75,10 @@ private synchronized void initialize() {
 
     @Override
     public boolean authenticate(HttpServletRequest request, Supplier<HttpSession> sessionSupplierOnSuccess, String user, String pass) throws SecurityProviderDeniedAuthentication {
-        if (user==null) return false;
+        if (Strings.isBlank(user)) return false;
         if (!allowAnyUserWithValidPass) {
             if (!allowedUsers.contains(user)) {
-                LOG.debug("REST rejecting unknown user "+user);
+                LOG.debug("REST authentication rejecting unknown user '"+user+"'");
                 return false;                
             }
         }