Posted to dev@sling.apache.org by "Carsten Ziegeler (Jira)" <ji...@apache.org> on 2023/05/04 15:41:00 UTC
[jira] [Resolved] (SLING-5675) Logout only called if AuthenticationHandler is registered to "/"
[ https://issues.apache.org/jira/browse/SLING-5675?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carsten Ziegeler resolved SLING-5675.
-------------------------------------
Resolution: Won't Fix
> Logout only called if AuthenticationHandler is registered to "/"
> ----------------------------------------------------------------
>
> Key: SLING-5675
> URL: https://issues.apache.org/jira/browse/SLING-5675
> Project: Sling
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Auth Core 1.3.14
> Reporter: Lars Krapf
> Priority: Major
> Labels: authentication
>
> In {{SlingAuthenticator.logout()}} only the AuthenticationHandlers which are registered on paths which are roots of {{SlingAuthenticator.getHandlerSelectionPath()}} are selected.
> This path should either be taken from the servlet path, or will be read from the {{Authenticator.LOGIN_RESOURCE}} request attribute _if it is present_.
> Now, in {{LogoutServlet.service()}} the LOGIN_RESOURCE is _always_ set to its default value ("/") by calling {{AuthUtil.setLoginResourceAttribute()}}.
> As a result, {{dropCredentials()}} will only be called on authentication handlers which are registered to "/".
> My expectation is that the selection of logout handlers should be independent of their registration paths, in order to allow a POST to {{/system/sling/logout}} to have *all* registered handlers drop credentials.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
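
The selection rule described in the quoted report, as an added example that is not part of the original message and is not Sling's code: a simplified Java model in which a handler is selected when its registration path is a root of the selection path. The class, method and handler names and the registration paths are hypothetical; only the prefix rule and the forced "/" value come from the report.

```java
import java.util.*;

// Simplified model of the selection rule described in SLING-5675.
// Not Sling's code: HandlerSelectionModel, isRootOf, selectForLogout and the
// handler names/paths are hypothetical; only the prefix rule is from the report.
public class HandlerSelectionModel {

    // True when registrationPath is a root (path prefix) of selectionPath.
    static boolean isRootOf(String registrationPath, String selectionPath) {
        if (registrationPath.equals("/")) return true;
        return selectionPath.equals(registrationPath)
                || selectionPath.startsWith(registrationPath + "/");
    }

    // Names of the handlers whose dropCredentials() would be reached.
    static List<String> selectForLogout(Map<String, String> handlers, String selectionPath) {
        List<String> selected = new ArrayList<>();
        for (Map.Entry<String, String> e : handlers.entrySet()) {
            if (isRootOf(e.getValue(), selectionPath)) selected.add(e.getKey());
        }
        return selected;
    }

    public static void main(String[] args) {
        // Constructed registrations: handler name -> registration path.
        Map<String, String> handlers = new LinkedHashMap<>();
        handlers.put("formHandler", "/");
        handlers.put("tokenHandler", "/content/secure");
        handlers.put("ssoHandler", "/apps/admin");

        // Logout servlet case from the report: selection path forced to "/".
        System.out.println("logout via \"/\": " + selectForLogout(handlers, "/"));

        // Same rule with a selection path below a handler's registration path.
        System.out.println("request under /content/secure: "
                + selectForLogout(handlers, "/content/secure/page"));

        // Audit view: handlers the "/" logout never reaches keep their credentials.
        List<String> missed = new ArrayList<>(handlers.keySet());
        missed.removeAll(selectForLogout(handlers, "/"));
        System.out.println("not reached by logout: " + missed);
    }
}
```

The last list is the one to check in a deployment review: any handler registered below "/" that holds its own cookie or token needs another way to be cleared on logout.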