Posted to dev@shiro.apache.org by "Grzegorz Borkowski (JIRA)" <ji...@apache.org> on 2008/10/17 17:14:45 UTC

[jira] Created: (JSEC-22) Login-logout-login scenario

Login-logout-login scenario
---------------------------

                 Key: JSEC-22
                 URL: https://issues.apache.org/jira/browse/JSEC-22
             Project: JSecurity
          Issue Type: Improvement
          Components: Authentication (log-in)
            Reporter: Grzegorz Borkowski
            Priority: Minor


Consider the following code (used in a JUnit test):

import org.jsecurity.SecurityUtils;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.subject.Subject;

Subject currentUser = SecurityUtils.getSubject();
// login as a user with some permissions
currentUser.login(new UsernamePasswordToken("empl1", "pass1"));
// call some protected function
currentUser.logout();
// now use a user without the required permissions
currentUser.login(new UsernamePasswordToken("testUser", "blah"));
// call protected method - should throw UnauthorizedException

This code looks OK, but it will not work. It will throw an NPE on the line with the second login() call.
This is because the logout() method clears the securityManager field in the currentUser object, and the next login() call will call the method on this securityManager, raising an NPE.

It would be better if we somehow allowed for such a scenario - the open question is how? At this moment the currentUser object becomes completely useless after the logout() method.

(Current workaround: after calling logout() and before the second call to login() you have to replace the currentUser object:
currentUser = SecurityUtils.getSubject();)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
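To make the reported failure mode concrete, the following is an added illustration written for this thread, not JSecurity's own code: a minimal hypothetical Subject model (SampleManager, ModelSubject and LoginLogoutLoginDemo are constructed names, with constructed sample accounts) whose logout() either nulls its manager reference, as the report describes, or keeps the reference and clears only the authenticated identity. With the first variant the second login() on the same object ends in a NullPointerException; with the second it reaches the authorization check and fails closed with UnauthorizedException, which is what the JUnit test in the report expects.

```java
import java.util.Map;

// Constructed sample accounts: only empl1 holds the "report:read" permission.
final class SampleManager {
    private static final Map<String, String> PASSWORDS = Map.of("empl1", "pass1", "testUser", "blah");
    boolean authenticate(String u, String p) { return p.equals(PASSWORDS.get(u)); }
    boolean isPermitted(String u, String perm) { return "empl1".equals(u) && "report:read".equals(perm); }
}

final class UnauthorizedException extends RuntimeException {
    UnauthorizedException(String perm) { super("not permitted: " + perm); }
}

// Hypothetical stand-in for the Subject, not JSecurity's DelegatingSubject.
final class ModelSubject {
    private SampleManager manager;          // delegate for authentication and authorization
    private String principal;               // null while not authenticated
    private final boolean keepManagerOnLogout;

    ModelSubject(SampleManager m, boolean keepManagerOnLogout) {
        this.manager = m; this.keepManagerOnLogout = keepManagerOnLogout;
    }
    void login(String user, String password) {
        // After the defective logout() below, manager is null and this dereference throws NPE.
        if (!manager.authenticate(user, password)) throw new IllegalArgumentException("bad credentials");
        principal = user;
    }
    void logout() {
        principal = null;                          // always discard the authenticated identity
        if (!keepManagerOnLogout) manager = null;  // JSEC-22 defect: the Subject can never log in again
    }
    void checkPermission(String perm) {
        // Fail closed: no principal, or a principal lacking the permission, is rejected.
        if (principal == null || !manager.isPermitted(principal, perm)) throw new UnauthorizedException(perm);
    }
}

public class LoginLogoutLoginDemo {
    // Runs the sequence from the report and names the exception that ends it.
    static String run(ModelSubject s) {
        try {
            s.login("empl1", "pass1");
            s.checkPermission("report:read");  // empl1 is permitted
            s.logout();
            s.login("testUser", "blah");       // second login on the same Subject object
            s.checkPermission("report:read");  // testUser is not permitted
            return "no exception";
        } catch (UnauthorizedException e) { return "UnauthorizedException"; }
          catch (NullPointerException e) { return "NullPointerException"; }
    }
}
```

Call run(new ModelSubject(new SampleManager(), false)) for the defective variant and run(new ModelSubject(new SampleManager(), true)) for the fixed one; the difference in the returned exception name is the regression a test such as testSubjectReuseAfterLogout() guards against.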


[jira] Moved: (KI-47) Login-logout-login scenario

Posted by "Alan Cabrera (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/KI-47?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alan Cabrera moved JSEC-22 to KI-47:
------------------------------------

        Fix Version/s:     (was: 1.0)
          Component/s:     (was: Authentication (log-in))
    Affects Version/s:     (was: 1.0)
                  Key: KI-47  (was: JSEC-22)
              Project: Ki  (was: JSecurity)

> Login-logout-login scenario
> ---------------------------
>
>                 Key: KI-47
>                 URL: https://issues.apache.org/jira/browse/KI-47
>             Project: Ki
>          Issue Type: Improvement
>            Reporter: Grzegorz Borkowski
>            Assignee: Les Hazlewood
>            Priority: Minor



[jira] Updated: (JSEC-22) Login-logout-login scenario

Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSEC-22?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood updated JSEC-22:
------------------------------

        Fix Version/s: 1.0
    Affects Version/s: 1.0

> Login-logout-login scenario
> ---------------------------
>
>                 Key: JSEC-22
>                 URL: https://issues.apache.org/jira/browse/JSEC-22
>             Project: JSecurity
>          Issue Type: Improvement
>          Components: Authentication (log-in)
>    Affects Versions: 1.0
>            Reporter: Grzegorz Borkowski
>            Priority: Minor
>             Fix For: 1.0



[jira] Resolved: (JSEC-22) Login-logout-login scenario

Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSEC-22?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood resolved JSEC-22.
-------------------------------

    Resolution: Fixed
      Assignee: Les Hazlewood

Fixed with accompanying unit test.  Subject can login/logout as many times as desired, and JavaDoc was updated to reflect this.  Also see the DefaultSecurityManagerTest.testSubjectReuseAfterLogout() unit test for verification.

> Login-logout-login scenario
> ---------------------------
>
>                 Key: JSEC-22
>                 URL: https://issues.apache.org/jira/browse/JSEC-22
>             Project: JSecurity
>          Issue Type: Improvement
>          Components: Authentication (log-in)
>    Affects Versions: 1.0
>            Reporter: Grzegorz Borkowski
>            Assignee: Les Hazlewood
>            Priority: Minor
>             Fix For: 1.0
