Posted to oak-issues@jackrabbit.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2019/11/27 08:20:00 UTC
[jira] [Commented] (OAK-8803) AbstractLoginModule and subclasses: successful commit must not clear state information required for successful logout
[ https://issues.apache.org/jira/browse/OAK-8803?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16983271#comment-16983271 ]
Angela Schreiber commented on OAK-8803:
---------------------------------------
linking to OAK-8710. i will fix that issue independently in order to keep the fix for the logout as limited as possible.
> AbstractLoginModule and subclasses: successful commit must not clear state information required for successful logout
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: OAK-8803
> URL: https://issues.apache.org/jira/browse/OAK-8803
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-external, core, security, security-spi
> Reporter: Angela Schreiber
> Assignee: Angela Schreiber
> Priority: Major
>
> while working on OAK-8710 i noticed that the main reason for the initial patch not working was the fact that subclasses of {{AbstractLoginModule}} call {{clearState}} upon successful {{commit}}. this essentially clears all state information that is needed for a successful logout later on.... on the other hand it is crucial that subclasses of {{AbstractLoginModule}} close the system-session that was used for looking up principals during the commit phase.
> proposed fix: add protected {{closeSystemSession}} method that can be used instead of {{clearState}} upon successful {{commit}}, leaving the {{clearState}} only for those cases where {{commit}} fails or {{abort}} is called, which require the complete state to be wiped out.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
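
The commit/logout lifecycle described in the issue, as an added sketch that is not Oak's code and not part of the original message: a minimal JAAS LoginModule in which a successful commit releases only the system session and keeps the principals that logout has to remove. The class name, fields, and sample principal are assumptions; only clearState and closeSystemSession are names taken from the issue text.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

// Simplified stand-in, not Oak's AbstractLoginModule. Only clearState and
// closeSystemSession are names from the issue; everything else is assumed.
public class SketchLoginModule implements LoginModule {
    private Subject subject;
    private final Set<Principal> principals = new HashSet<>(); // needed again at logout
    private AutoCloseable systemSession; // hypothetical session used for principal lookup
    private boolean loginOk;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
    }
    public boolean login() {
        systemSession = () -> { };                // placeholder for the real system session
        principals.add(() -> "constructed-user"); // constructed sample principal
        loginOk = true;
        return true;
    }
    public boolean commit() {
        if (!loginOk) { clearState(); return false; } // failed commit wipes everything
        subject.getPrincipals().addAll(principals);
        closeSystemSession(); // release the session but keep the principals
        return true;
    }
    public boolean abort() { boolean had = loginOk; clearState(); return had; }
    public boolean logout() {
        // Had commit called clearState, principals would be empty here and
        // nothing would be removed from the Subject.
        boolean removed = subject.getPrincipals().removeAll(principals);
        clearState();
        return removed;
    }
    protected void closeSystemSession() {
        if (systemSession == null) return;
        try { systemSession.close(); } catch (Exception ignored) { /* best effort */ }
        systemSession = null;
    }
    protected void clearState() {
        closeSystemSession();
        principals.clear();
        loginOk = false;
    }
}
```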