[Prod] Implement SessionController zone path tests

fhanik · fhanik · commit bd13b7e00324 · 2026-02-07T09:45:23.000-08:00
diff --git a/docs/path-based-zones-endpoints-without-z-support.md b/docs/path-based-zones-endpoints-without-z-support.md
@@ -17,7 +17,7 @@ This document lists endpoints that do **not** yet have a dual path mapping for `
 4.  ✅ [Force password change (UI)](#4-force-password-change-ui)
 5.  ✅ [Logged out (UI)](#5-logged-out-ui)
 6.  ✅ [Home and error pages (UI)](#6-home-and-error-pages-ui)
-7.  ❌ [Session (UI)](#7-session-ui)
+7.  ✅ [Session (UI)](#7-session-ui)
 8.  ❌ [Invitations (UI + API)](#8-invitations-ui--api)
 9.  ❌ [Profile (UI)](#9-profile-ui)
 10. ❌ [Passcode (API / UI)](#10-passcode-api--ui)
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/SpringServletXmlSecurityConfiguration.java b/server/src/main/java/org/cloudfoundry/identity/uaa/SpringServletXmlSecurityConfiguration.java
@@ -64,8 +64,8 @@ public class SpringServletXmlSecurityConfiguration {
             "/saml_error",
             "/favicon.ico",
             "/oauth_error",
-            "/session",
-            "/session_management",
+            "/session", "/z/*/session",
+            "/session_management", "/z/*/session_management",
             "/oauth/token/.well-known/openid-configuration", "/z/*/oauth/token/.well-known/openid-configuration",
             "/.well-known/openid-configuration", "/z/*/.well-known/openid-configuration",
             "/logged_out", "/z/*/logged_out"
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/login/SessionController.java b/server/src/main/java/org/cloudfoundry/identity/uaa/login/SessionController.java
@@ -21,17 +21,19 @@
 @Controller
 public class SessionController {
 
-    @RequestMapping("/session")
-    public String session(Model model, @RequestParam String clientId, @RequestParam String messageOrigin) {
+    @RequestMapping({"/session", "/z/{subdomain}/session"})
+    public String session(Model model,
+            @RequestParam String clientId, @RequestParam String messageOrigin) {
         // We need to maintain this version of the session page to continue compatibility with the
         // original version of uaa-singular.
         model.addAttribute("clientId", clientId);
         model.addAttribute("messageOrigin", messageOrigin);
         return "session";
     }
 
-    @RequestMapping("/session_management")
-    public String sessionManagement(Model model, @RequestParam String clientId, @RequestParam String messageOrigin) {
+    @RequestMapping({"/session_management", "/z/{subdomain}/session_management"})
+    public String sessionManagement(Model model,
+            @RequestParam String clientId, @RequestParam String messageOrigin) {
         model.addAttribute("clientId", clientId);
         model.addAttribute("messageOrigin", messageOrigin);
         return "session_management";
