concord-server: invalidate session on failed login

walmartlabs · Jan 3, 2024 · 1b0415a · 1b0415a
1 parent 72e7c2e
commit 1b0415a
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/...rc/main/java/com/walmartlabs/concord/server/boot/filters/ConcordAuthenticatingFilter.java b/...rc/main/java/com/walmartlabs/concord/server/boot/filters/ConcordAuthenticatingFilter.java
@@ -42,6 +42,7 @@
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import java.io.IOException;
@@ -147,6 +148,11 @@ protected boolean onLoginFailure(AuthenticationToken token, AuthenticationExcept
             s.logout();
         }
 
+        HttpSession session = ((HttpServletRequest) request).getSession(false);
+        if (session != null) {
+            session.invalidate();
+        }
+
         return super.onLoginFailure(token, e, request, response);
     }