You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2019/11/27 08:19:00 UTC
[jira] [Created] (OAK-8803) AbstractLoginModule and subclasses:
successful commit must not clear state information required for successful
logout
Angela Schreiber created OAK-8803:
-------------------------------------
Summary: AbstractLoginModule and subclasses: successful commit must not clear state information required for successful logout
Key: OAK-8803
URL: https://issues.apache.org/jira/browse/OAK-8803
Project: Jackrabbit Oak
Issue Type: Bug
Components: auth-external, core, security, security-spi
Reporter: Angela Schreiber
Assignee: Angela Schreiber
while working OAK-8710 in noticed that the main reason for the initial patch not work was the fact that subclasses of {{{AbstractLoginModule}} call {{clearState}} upon successful {{commit}}. this essentially clears all state information that is needed for a successful logout later on.... on the other hand it is crucial that subclasses of {{AbstractLoginModule}} close the system-session that was used for looking up principals during the commit phase.
proposed fix: add protected {{closeSystemSession}} method that can be used instead of {{clearState}} upon successful {{commit}}, leaving the {{clearState}} only for those cases where {{commit}} fails or {{abort}} is called, which require the complete state the be wiped out.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)