concord-server: invalidate session on failed login

server/impl/src/main/java/com/walmartlabs/concord/server/boot/filters/ConcordAuthenticatingFilter.java

@@ -42,6 +42,7 @@
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import java.io.IOException;
@@ -139,14 +140,23 @@ protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, Ser
 
     @Override
     protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response) {
-        log.warn("onLoginFailure ['{}'] -> login failed ({}): {}", token, request.getRemoteAddr(), e.getMessage());
+        log.debug("onLoginFailure ['{}'] -> login failed ({}): {}", token, request.getRemoteAddr(), e.getMessage());
         failedAuths.mark();
 
         Subject s = ThreadContext.getSubject();
         if (s != null) {
             s.logout();
         }
 
+        HttpSession session = ((HttpServletRequest) request).getSession(false);
+        if (session != null) {
+            session.invalidate();
+
+            // remove JSESSIONID cookie
+            HttpServletResponse resp = WebUtils.toHttp(response);
+            resp.addHeader("Set-Cookie", "JSESSIONID=; Path=/; HttpOnly");
+        }
+
         return super.onLoginFailure(token, e, request, response);
     }
 

server/plugins/oidc/src/main/java/com/walmartlabs/concord/server/plugins/oidc/OidcCallbackFilter.java

@@ -20,11 +20,13 @@
  * =====
  */
 
+import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.web.util.WebUtils;
 import org.pac4j.core.config.Config;
 import org.pac4j.core.context.JEEContext;
 import org.pac4j.core.context.session.SessionStore;
 import org.pac4j.core.engine.CallbackLogic;
+import org.pac4j.core.exception.TechnicalException;
 import org.pac4j.core.util.Pac4jConstants;
 
 import javax.inject.Inject;
@@ -51,7 +53,7 @@ public OidcCallbackFilter(PluginConfiguration cfg,
 
     @Override
     @SuppressWarnings("unchecked")
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException {
         HttpServletRequest req = WebUtils.toHttp(request);
         HttpServletResponse resp = WebUtils.toHttp(response);
 
@@ -67,8 +69,12 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
             postLoginUrl = cfg.getAfterLoginUrl();
         }
 
-        CallbackLogic<?, JEEContext> callback = pac4jConfig.getCallbackLogic();
-        callback.perform(context, pac4jConfig, pac4jConfig.getHttpActionAdapter(), postLoginUrl, true, false, true, OidcPluginModule.CLIENT_NAME);
+        try {
+            CallbackLogic<?, JEEContext> callback = pac4jConfig.getCallbackLogic();
+            callback.perform(context, pac4jConfig, pac4jConfig.getHttpActionAdapter(), postLoginUrl, true, false, true, OidcPluginModule.CLIENT_NAME);
+        } catch (TechnicalException e) {
+            throw new AuthorizationException("OIDC callback error: " + e.getMessage());
+        }
     }
 
     @Override