Posted to dev@shiro.apache.org by "Brad Whitaker (JIRA)" <ji...@apache.org> on 2009/02/07 08:56:59 UTC

[jira] Updated: (JSEC-57) After logout() a getSubject() call still honors remember me

     [ https://issues.apache.org/jira/browse/JSEC-57?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brad Whitaker updated JSEC-57:
------------------------------

    Attachment: WebRememberMeManager.java.forgetIdentity.JSEC-57.patch

I've attached a patch that I think will fix the issue. I haven't been able to deploy and test a WAR file yet but it seems to be working as expected in my devel environment (based on analyzing my log files).

My logs are consistent with Jeremy's post on the mailing list that there is an 'extra', unexpected call to getSubject() (presumably from a framework) that takes place after logout() but in the same request.

The patch modifies only class WebRememberMeManager.java. It attaches a "forget me" flag to the request in method forgetIdentity(). getRememberedPrincipals() is modified to look for the 'forget me' flag and return null if the flag is present.

Feel free to modify or reject any part of the patch. The log statements don't need to remain.

> After logout() a getSubject() call still honors remember me
> -----------------------------------------------------------
>
>                 Key: JSEC-57
>                 URL: https://issues.apache.org/jira/browse/JSEC-57
>             Project: JSecurity
>          Issue Type: Bug
>          Components: Subject
>    Affects Versions: 0.9
>            Reporter: Jeremy Haile
>             Fix For: 1.0
>
>         Attachments: WebRememberMeManager.java.forgetIdentity.JSEC-57.patch
>
>
> This cropped up for me because Spring's FrameworkServlet calls request.getUserName() by default, which under the hood will call JSecurity's getSubject().  This causes a new subject to be created that honors the remember me cookie.  Instead - this new subject should be created without a remember me cookie being honored.
> One way we could work around this problem is by setting a request attribute when you logout that tells the RememberMeManager that it shouldn't honor the remember me cookie for the remainder of this request.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
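The request-scoped "forget me" flag discussed in this issue, written out as an added, self-contained Java sketch. This is not the attached patch and not JSecurity's own code: the servlet request and response are replaced by two small stand-ins, the attribute name is hypothetical, and the remembered identity is modelled as the raw cookie value instead of a decrypted PrincipalCollection. The point it shows is why the flag is needed at all: deleting the cookie on the response does not change the Cookie header that arrived with the current request, so a later getSubject() in the same request would otherwise rebuild the Subject from it.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Stand-in for HttpServletRequest: the cookies it carried in are fixed for
 * the whole request, while attributes are mutable request-scoped state.
 */
final class FakeRequest {
    private final Map<String, String> cookies;
    private final Map<String, Object> attributes = new HashMap<>();

    FakeRequest(Map<String, String> cookies) { this.cookies = new HashMap<>(cookies); }
    String getCookie(String name) { return cookies.get(name); }
    Object getAttribute(String name) { return attributes.get(name); }
    void setAttribute(String name, Object value) { attributes.put(name, value); }
}

/** Stand-in for HttpServletResponse: records which cookies were expired. */
final class FakeResponse {
    private final Set<String> deletedCookies = new HashSet<>();
    void deleteCookie(String name) { deletedCookies.add(name); }
    boolean isCookieDeleted(String name) { return deletedCookies.contains(name); }
}

/**
 * Toy remember-me manager. The remembered identity is the raw cookie value;
 * the real manager would decrypt and deserialize a PrincipalCollection.
 */
final class ToyRememberMeManager {
    static final String COOKIE_NAME = "rememberMe";
    // Hypothetical attribute name; the patch's actual key is not shown on this page.
    static final String FORGET_ME_ATTR = "jsecurity.rememberMe.forgetIdentity";

    private final boolean useForgetMeFlag;

    ToyRememberMeManager(boolean useForgetMeFlag) { this.useForgetMeFlag = useForgetMeFlag; }

    /** Called from logout(): expire the cookie on the response and, if enabled, flag the request. */
    void forgetIdentity(FakeRequest request, FakeResponse response) {
        response.deleteCookie(COOKIE_NAME);   // only reaches the client on its next request
        if (useForgetMeFlag) {
            request.setAttribute(FORGET_ME_ATTR, Boolean.TRUE);
        }
    }

    /** Called whenever a fresh Subject is built, e.g. by a framework's getSubject() call. */
    String getRememberedPrincipals(FakeRequest request) {
        if (useForgetMeFlag && Boolean.TRUE.equals(request.getAttribute(FORGET_ME_ATTR))) {
            return null;  // identity was forgotten earlier in this same request
        }
        return request.getCookie(COOKIE_NAME);  // inbound cookie is unchanged by the deletion
    }
}

public class ForgetMeDemo {
    /** One request in which logout() runs and a later getSubject() builds a new Subject. */
    static String principalsSeenAfterLogout(boolean useForgetMeFlag) {
        Map<String, String> cookies = new HashMap<>();
        cookies.put(ToyRememberMeManager.COOKIE_NAME, "alice");  // constructed sample cookie
        FakeRequest request = new FakeRequest(cookies);
        FakeResponse response = new FakeResponse();
        ToyRememberMeManager rmm = new ToyRememberMeManager(useForgetMeFlag);

        rmm.forgetIdentity(request, response);        // logout()
        return rmm.getRememberedPrincipals(request);  // the 'extra' getSubject() in the same request
    }

    public static void main(String[] args) {
        System.out.println("without flag: " + principalsSeenAfterLogout(false));  // alice
        System.out.println("with flag:    " + principalsSeenAfterLogout(true));   // null
    }
}
```

Two design points worth keeping when porting this to the real manager: the flag belongs on the request, not the session, so it cannot outlive the request that performed the logout; and the check must run before the cookie is read, because within that request the cookie is still present no matter what has been written to the response.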