You are viewing a plain text version of this content. The canonical link for it is here.

Posted to oak-issues@jackrabbit.apache.org by "Julian Reschke (Jira)" <ji...@apache.org> on 2019/12/03 15:58:00 UTC

[jira] [Comment Edited] (OAK-8710) AbstractLoginModule#logout() must not remove 'foreign' principals/credentials

    [ https://issues.apache.org/jira/browse/OAK-8710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16987027#comment-16987027 ] 

Julian Reschke edited comment on OAK-8710 at 12/3/19 3:57 PM:
--------------------------------------------------------------

trunk: [r1870758|http://svn.apache.org/r1870758] [r1870559|http://svn.apache.org/r1870559] (1.20.0) [r1869749|http://svn.apache.org/r1869749] [r1869730|http://svn.apache.org/r1869730]


was (Author: reschke):
trunk: [r1870758|http://svn.apache.org/r1870758] [r1870559|http://svn.apache.org/r1870559] (1.20.0) [r1869749|http://svn.apache.org/r1869749] [r1869730|http://svn.apache.org/r1869730]

> AbstractLoginModule#logout() must not remove 'foreign' principals/credentials 
> ------------------------------------------------------------------------------
>
>                 Key: OAK-8710
>                 URL: https://issues.apache.org/jira/browse/OAK-8710
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external, core, security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Minor
>             Fix For: 1.22.0
>
>         Attachments: OAK-8710.patch, logout.png
>
>
> See https://github.com/apache/jackrabbit-oak/blob/9569d659f0655d3ba16c1cfe1fbb5f53959f701f/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java#L189:
> The criterion for logout() to succeed is
> {code}!subject.getPrincipals().isEmpty() && !subject.getPublicCredentials(Credentials.class).isEmpty(){code}
> This did not work in a case where the subject was created by a thread handling an authenticated JMX connection (and later passed on to other threads due to AccessControlContext inheritage).
> I'd propose to make logout() succeed unconditionally, but I'm not entirely sure about side effects.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)