From 8212379c31c7a9c55c369989118c17b6c8c524f4 Mon Sep 17 00:00:00 2001
From: Ziver Koc
Date: Fri, 10 Aug 2018 19:27:51 +0200
Subject: [PATCH] Fixed auth redirect loop

---
 src/zall/filter/AuthenticationFilter.java | 16 ++++++++++------
 src/zall/manager/AuthenticationManager.java | 4 ++++
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/zall/filter/AuthenticationFilter.java b/src/zall/filter/AuthenticationFilter.java
index 300aa3f..f70e841 100755
--- a/src/zall/filter/AuthenticationFilter.java
+++ b/src/zall/filter/AuthenticationFilter.java
@@ -39,13 +39,17 @@ public class AuthenticationFilter implements Filter {
 if (AuthenticationManager.isValid(user, (HttpServletRequest) request)) {
 logger.finest("User already authenticated, continuing filter chain.");
 chain.doFilter(request, response);
- } else if (isWhitelisted(requestURI)){
- logger.finer("Continuing filtering chain for whitelisted page: " + requestURI);
- chain.doFilter(request, response);
 } else {
- // do not continue the filter pipeline forward to login page
- logger.fine("User not authenticated, redirecting to login page.");
- ZalleryServlet.redirect(LoginServlet.URI, (HttpServletRequest) request, (HttpServletResponse) response);
+ AuthenticationManager.rmUserSession(((HttpServletRequest) request).getSession());
+
+ if (isWhitelisted(requestURI)){
+ logger.finer("Continuing filtering chain for whitelisted page: " + requestURI);
+ chain.doFilter(request, response);
+ } else {
+ // do not continue the filter pipeline forward to login page
+ logger.fine("User not authenticated, redirecting to login page.");
+ ZalleryServlet.redirect(LoginServlet.URI, (HttpServletRequest) request, (HttpServletResponse) response);
+ }
 }
 }
 
diff --git a/src/zall/manager/AuthenticationManager.java b/src/zall/manager/AuthenticationManager.java
index eb956a1..48079d9 100755
--- a/src/zall/manager/AuthenticationManager.java
+++ b/src/zall/manager/AuthenticationManager.java
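Review bot: The new `getSession()` call in the else branch of AuthenticationFilter.java (first hunk) creates a server-side session for every request that fails `isValid`, including anonymous hits on whitelisted pages and the login redirect itself, because the no-argument overload allocates a session when none exists. Only an existing session can hold a stale user attribute, so the non-creating overload is enough: `HttpSession session = ((HttpServletRequest) request).getSession(false); if (session != null) { AuthenticationManager.rmUserSession(session); }` (this may need an import of `javax.servlet.http.HttpSession` if the file does not already have one). Besides the memory cost per anonymous request, handing an unauthenticated client a session id before it logs in is only safe if the login path later rotates that id, which is not visible in this patch. The enclosing method, presumably doFilter, begins before this hunk.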
@@ -99,6 +99,9 @@ public class AuthenticationManager {
 session.setAttribute(SESSION_KEY_USER_OBJ, user);
 }
 
+ /**
+ * Logout user and clear session.
+ */
 public static void rmUserSession(HttpSession session) {
 session.removeAttribute(SESSION_KEY_USER_OBJ);
 }
@@ -122,6 +125,7 @@ public class AuthenticationManager {
 logger.fine("Invalid user(" + user.getEmail() + "), email not verified");
 return false;
 }
+ /* FALLTHROUGH */
 case COOKIE:
 if (user.getCookieHash() == null || user.getCookieHash().isEmpty()) {
 logger.fine("Invalid user(" + user.getEmail() + "), null or empty cookie hash.");
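Review bot: The Javadoc added above `rmUserSession` promises to "clear session", but the body only removes the `SESSION_KEY_USER_OBJ` attribute; every other attribute and the session id itself survive, and with this patch the filter now calls it on each unauthenticated request. Either word the comment to match what the code does, `/** Removes the authenticated user from the session; the session itself is kept. */`, or, if this is meant to be the logout path, follow the attribute removal with `session.invalidate()` so server-side state is dropped and the next login starts from a fresh session id. Which of the two is intended cannot be told from this hunk, so the mismatch should at least be settled in the comment.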