Merge pull request #303 from michael-doubez/logout-issues

Ensure login doesn't redirect to logout URL

src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java

@@ -855,13 +855,25 @@ protected AuthorizationCodeFlow buildAuthorizationCodeFlow() {
         return builder.build();
     }
 
+    /**
+     * Validate post-login redirect URL
+     *
+     * For security reasons, the login must not redirect outside Jenkins
+     * realm. For useablility reason, the logout page should redirect to
+     * root url.
+     */
     protected String getValidRedirectUrl(String url) {
         final String rootUrl = getRootUrl();
         if (url != null && !url.isEmpty()) {
             try {
                 final String redirectUrl = new URL(new URL(rootUrl), url).toString();
                 // check redirect url stays within rootUrl
                 if (redirectUrl.startsWith(rootUrl)) {
+                    // check if redirect is logout page
+                    final String logoutUrl = new URL(new URL(rootUrl), OicLogoutAction.POST_LOGOUT_URL).toString();
+                    if (redirectUrl.startsWith(logoutUrl)) {
+                        return rootUrl;
+                    }
                     return redirectUrl;
                 }
             } catch (MalformedURLException e) {

src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmTest.java

@@ -97,6 +97,8 @@ public void testGetValidRedirectUrl() throws IOException {
         assertEquals(rootUrl + "foo", realm.getValidRedirectUrl(rootUrl + "foo"));
         assertEquals(rootUrl, realm.getValidRedirectUrl(null));
         assertEquals(rootUrl, realm.getValidRedirectUrl(""));
+
+        assertEquals(rootUrl, realm.getValidRedirectUrl(OicLogoutAction.POST_LOGOUT_URL));
     }
 
     @Test