Make AuthCheckFilter's destroy a no-op

Fishbowler · Fishbowler · commit 71a1ff8d67c8 · 2026-03-04T22:57:36.000Z
This is called when the AdminConsolePlugin restarts (by PluginServlet). It wipes all exclusions that have been registered, requiring plugins to re-register them. This change retains the static list of excludes. Plugins remain responsible for unregistering their excludes, which they should have been doing anyway, rather than relying on an eventual restart of the AdminConsole.
diff --git a/xmppserver/src/main/java/org/jivesoftware/admin/AuthCheckFilter.java b/xmppserver/src/main/java/org/jivesoftware/admin/AuthCheckFilter.java
@@ -316,8 +316,11 @@ private boolean authUserFromRequest(final HttpServletRequest request) {
 
     @Override
     public void destroy() {
-        // reset excludes to an empty set to prevent state carry over
-        excludes = Collections.newSetFromMap(new ConcurrentHashMap<>());
+        // Intentionally left empty. The static 'excludes' set is shared across filter instances
+        // so that plugin-registered excludes survive admin-console restarts. Plugins are
+        // responsible for calling removeExclude() in their destroyPlugin() lifecycle.
+        // Web.xml excludes are re-added by init() on each restart (Set semantics prevent duplicates).
+        // Setup-mode excludes are cleaned up explicitly in AdminConsolePlugin.startup().
     }
 
     private String getRedirectURL(HttpServletRequest request, String loginPage,
diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java b/xmppserver/src/main/java/org/jivesoftware/openfire/container/AdminConsolePlugin.java
@@ -283,8 +283,12 @@ protected void startup() {
         try {
             adminServer.start(); // excludes initialised
 
-            if(XMPPServer.getInstance().isSetupMode()) {
+            if (XMPPServer.getInstance().isSetupMode()) {
                 AuthCheckFilter.loadSetupExcludes();
+            } else {
+                // Explicitly remove setup-only excludes. If the admin console is restarting
+                // after setup completion, destroy() no longer clears them automatically.
+                Arrays.stream(JiveGlobals.setupExcludePaths).forEach(AuthCheckFilter::removeExclude);
             }
 
             // Log the ports that the admin server is listening on.
