From a2ce62e1f360e9cdb2221cfa3b091c02bda857eb Mon Sep 17 00:00:00 2001
From: Laurens Vrijnsen <laurens.vrijnsen@sioux.eu>
Date: Fri, 22 Mar 2013 07:36:52 -0400
Subject: [PATCH] Added enforced HTTP Basic Authentication

---
 src/com/gitblit/wicket/pages/LogoutPage.java |   23 +++++++++++++++++++----
 1 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/LogoutPage.java b/src/com/gitblit/wicket/pages/LogoutPage.java
index 4690ad1..982de0e 100644
--- a/src/com/gitblit/wicket/pages/LogoutPage.java
+++ b/src/com/gitblit/wicket/pages/LogoutPage.java
@@ -16,21 +16,36 @@
 package com.gitblit.wicket.pages;
 
 import org.apache.wicket.markup.html.WebPage;
+import org.apache.wicket.protocol.http.WebRequest;
 import org.apache.wicket.protocol.http.WebResponse;
 
 import com.gitblit.GitBlit;
 import com.gitblit.models.UserModel;
 import com.gitblit.wicket.GitBlitWebSession;
 
-public class LogoutPage extends WebPage {
+public class LogoutPage extends BasePage {
 
 	public LogoutPage() {
+		super();
 		GitBlitWebSession session = GitBlitWebSession.get();
 		UserModel user = session.getUser();
 		GitBlit.self().setCookie((WebResponse) getResponse(), null);
 		GitBlit.self().logout(user);
 		session.invalidate();		
-		setRedirect(true);
-		setResponsePage(getApplication().getHomePage());
-	}
+		
+		/*
+		 * Now check whether the authentication was realized via the Authorization in the header.
+		 * If so, it is likely to be cached by the browser, and cannot be undone. Effectively, this means
+		 * that you cannot log out...
+		 */
+		if ( ((WebRequest)getRequest()).getHttpServletRequest().getHeader("Authorization") != null ) {
+			// authentication will be done via this route anyway, show a page to close the browser:
+			// this will be done by Wicket.
+			setupPage(null, getString("gb.logout"));
+			
+		} else {
+			setRedirect(true);
+			setResponsePage(getApplication().getHomePage());
+		} // not via WWW-Auth
+	} // LogoutPage
 }
\ No newline at end of file
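Review bot: The new test `getHeader("Authorization") != null` in the constructor treats any Authorization header as browser-cached Basic credentials, whatever its scheme, so a request with a different scheme or a stray header is also sent to the "close the browser" page instead of the redirect. Compare the scheme explicitly, e.g. `String auth = ((WebRequest) getRequest()).getHttpServletRequest().getHeader("Authorization");` followed by `if (auth != null && auth.regionMatches(true, 0, "Basic ", 0, 6)) {`. In that branch the cookie and session are cleared but the browser keeps resending the credentials, so the user stays effectively authenticated. A comment such as `// Basic credentials are resent on every request; server-side logout cannot revoke them` would record that, and the rendered page should say it plainly. `super()` and `setupPage(...)` now run BasePage logic around `session.invalidate()`; whether that logic reads or recreates session state is not visible in this hunk and should be confirmed.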

--
Gitblit v1.9.1