Posted to dev@sling.apache.org by "Carsten Ziegeler (Jira)" <ji...@apache.org> on 2023/05/04 15:41:00 UTC

[jira] [Resolved] (SLING-5675) Logout only called if AuthenticationHandler is registered to "/"

     [ https://issues.apache.org/jira/browse/SLING-5675?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler resolved SLING-5675.
-------------------------------------
    Resolution: Won't Fix

> Logout only called if AuthenticationHandler is registered to "/"
> ----------------------------------------------------------------
>
>                 Key: SLING-5675
>                 URL: https://issues.apache.org/jira/browse/SLING-5675
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Auth Core 1.3.14
>            Reporter: Lars Krapf
>            Priority: Major
>              Labels: authentication
>
> In {{SlingAuthenticator.logout()}} only the AuthenticationHandlers which are registered on paths which are roots of {{SlingAuthenticator.getHandlerSelectionPath()}} are selected.
> This path should either be taken from the servlet path, or will be read from the {{Authenticator.LOGIN_RESOURCE}} request attribute _if it is present_.
> Now, in {{LogoutServlet.service()}} the LOGIN_RESOURCE is _always_ set to its default value ("/") by calling {{AuthUtil.setLoginResourceAttribute()}}.
> As a result, {{dropCredentials()}} will only be called on authentication handlers which are registered to "/". 
> My expectation is that the selection of logout handlers should be independent of their registration paths, in order to allow a POST to {{/system/sling/logout}} have *all* registered handlers drop credentials. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
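
The handler selection described in the issue, as a simplified stand-alone model (an added example, not Sling's code and not part of the original message). The `Handler` record, the method names and the registration paths are hypothetical, and segment-wise prefix matching is an assumed reading of "paths which are roots of" the selection path. It needs Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the logout handler selection reported in SLING-5675.
// Not Sling code: all names and paths below are hypothetical.
public class LogoutSelectionModel {

    // Stand-in for an AuthenticationHandler and its registration path.
    record Handler(String name, String path) {}

    // Assumed matching rule: a handler covers the selection path when its
    // registration path equals it or is an ancestor of it, segment by segment.
    static boolean covers(String handlerPath, String selectionPath) {
        if (handlerPath.equals("/")) {
            return true;
        }
        return selectionPath.equals(handlerPath)
                || selectionPath.startsWith(handlerPath + "/");
    }

    // Reported behaviour: only handlers covering the selection path are
    // asked to drop credentials.
    static List<String> selectForLogout(List<Handler> handlers, String selectionPath) {
        List<String> selected = new ArrayList<>();
        for (Handler h : handlers) {
            if (covers(h.path(), selectionPath)) {
                selected.add(h.name());
            }
        }
        return selected;
    }

    public static void main(String[] args) {
        // Constructed registrations for illustration.
        List<Handler> handlers = List.of(
                new Handler("form", "/"),
                new Handler("sso", "/content/secure"),
                new Handler("token", "/apps/api"));

        // LOGIN_RESOURCE is always "/" during logout, so "/" is the selection path.
        System.out.println("logout with LOGIN_RESOURCE=/ : "
                + selectForLogout(handlers, "/"));
        // For comparison: a selection path below one of the sub-path registrations.
        System.out.println("selection path /content/secure/page : "
                + selectForLogout(handlers, "/content/secure/page"));
        // The reporter's expectation: every registered handler drops credentials.
        System.out.println("expected on logout : "
                + handlers.stream().map(Handler::name).toList());
    }
}
```

In this model the `sso` and `token` handlers are never selected when the selection path is "/", which is the gap the reporter describes: state held by handlers registered below the root is left in place after a POST to `/system/sling/logout`.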