Posted to dev@shiro.apache.org by "Alan Cabrera (JIRA)" <ji...@apache.org> on 2009/03/06 14:59:57 UTC
[jira] Moved: (KI-47) Login-logout-login scenario
[ https://issues.apache.org/jira/browse/KI-47?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alan Cabrera moved JSEC-22 to KI-47:
------------------------------------
Fix Version/s: (was: 1.0)
Component/s: (was: Authentication (log-in))
Affects Version/s: (was: 1.0)
Key: KI-47 (was: JSEC-22)
Project: Ki (was: JSecurity)
> Login-logout-login scenario
> ---------------------------
>
> Key: KI-47
> URL: https://issues.apache.org/jira/browse/KI-47
> Project: Ki
> Issue Type: Improvement
> Reporter: Grzegorz Borkowski
> Assignee: Les Hazlewood
> Priority: Minor
>
> Consider following code (used in JUnit test):
> Subject currentUser = SecurityUtils.getSubject();
> //login as user with some permissions
> currentUser.login(new UsernamePasswordToken("empl1", "pass1"));
> //call some protected function
> currentUser.logout();
> // now use user without required permissions
> currentUser.login(new UsernamePasswordToken("testUser", "blah"));
> //call protected method - should throw UnauthorizedException
> This code looks ok, but it will not work. It will throw an NPE on the line with the second login() call.
> This is because the logout() method will clear the securityManager field in the currentUser object, and the next login() call will call the method on this securityManager, raising an NPE.
> It would be better if we allow somehow for such a scenario - open question is how? At this moment the currentUser object after the logout() method becomes completely useless.
> (Current workaround: after calling logout() and before the second call to login() you have to replace the currentUser object:
> currentUser = SecurityUtils.getSubject(); )
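The scenario from the report, written out as a complete stand-alone Java program. This is an added example, not code from the issue or from the project; it is written against the org.apache.shiro API of the renamed project (Shiro 1.x) rather than the Ki/JSecurity packages of 2009, and the realm name, the "employee" role, the protected helper method and the two constructed accounts are assumptions made for the example. It applies the reporter's workaround: after logout() the Subject is re-acquired from SecurityUtils instead of reusing the logged-out instance, and the second, unprivileged login is then checked to confirm it is rejected by the authorization check rather than failing with an NPE.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class LoginLogoutLoginExample {

    // Constructed in-memory realm (assumption, not from the issue):
    // empl1 holds the "employee" role, testUser holds no role at all.
    static DefaultSecurityManager buildSecurityManager() {
        SimpleAccountRealm realm = new SimpleAccountRealm("example-realm");
        realm.addRole("employee");
        realm.addAccount("empl1", "pass1", "employee");
        realm.addAccount("testUser", "blah");
        return new DefaultSecurityManager(realm);
    }

    // The "protected function" of the report: checkRole throws
    // AuthorizationException (UnauthorizedException) unless the caller has the role.
    static String protectedOperation(Subject caller) {
        caller.checkRole("employee");
        return "payroll data for " + caller.getPrincipal();
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());

        // First login: a user with the required role reaches the protected method.
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("empl1", "pass1"));
        System.out.println(protectedOperation(currentUser));

        currentUser.logout();
        // Workaround from the report: do not reuse the logged-out Subject instance,
        // re-acquire it before logging in again.
        currentUser = SecurityUtils.getSubject();

        // Second login: a user without the role must be rejected by the
        // authorization check, not by a NullPointerException in login().
        currentUser.login(new UsernamePasswordToken("testUser", "blah"));
        try {
            protectedOperation(currentUser);
            System.out.println("BUG: testUser reached the protected operation");
        } catch (AuthorizationException expected) {
            System.out.println("testUser correctly rejected: " + expected.getMessage());
        } finally {
            currentUser.logout();
        }
    }
}
```

Run with shiro-core on the classpath (no web container or INI file is needed: the DefaultSecurityManager is built in code with its default in-memory session manager). In a JUnit test the same body can be split into two methods, with the `catch` replaced by an expected-exception assertion on AuthorizationException; the point to keep is that the logout/login boundary is where a reused Subject can fail, so the Subject is fetched afresh at that boundary rather than held across it.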