Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2009/01/26 06:40:59 UTC

[jira] Updated: (JSEC-22) Login-logout-login scenario

     [ https://issues.apache.org/jira/browse/JSEC-22?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood updated JSEC-22:
------------------------------

        Fix Version/s: 1.0
    Affects Version/s: 1.0

> Login-logout-login scenario
> ---------------------------
>
>                 Key: JSEC-22
>                 URL: https://issues.apache.org/jira/browse/JSEC-22
>             Project: JSecurity
>          Issue Type: Improvement
>          Components: Authentication (log-in)
>    Affects Versions: 1.0
>            Reporter: Grzegorz Borkowski
>            Priority: Minor
>             Fix For: 1.0
>
>
> Consider the following code (used in a JUnit test):
> Subject currentUser = SecurityUtils.getSubject();
> // login as user with some permissions
> currentUser.login(new UsernamePasswordToken("empl1", "pass1"));
> // call some protected function
> currentUser.logout();
> // now use user without required permissions
> currentUser.login(new UsernamePasswordToken("testUser", "blah"));
> // call protected method - should throw UnauthorizedException
> This code looks ok, but it will not work. It will throw an NPE on the line with the second login() call.
> This is because the logout() method will clear the securityManager field in the currentUser object, and the next login() call will call the method on this securityManager, raising an NPE.
> It would be better if we somehow allowed for such a scenario - the open question is how? At this moment the currentUser object becomes completely useless after the logout() method.
> (Current workaround: after calling logout() and before second call to login() you have to replace currentUser object:
> currentUser = SecurityUtils.getSubject();

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.