Posted to dev@shiro.apache.org by "Jeremy Haile (JIRA)" <ji...@apache.org> on 2009/02/07 01:40:59 UTC

[jira] Created: (JSEC-57) After logout() a getSubject() call still honors remember me

After logout() a getSubject() call still honors remember me
-----------------------------------------------------------

                 Key: JSEC-57
                 URL: https://issues.apache.org/jira/browse/JSEC-57
             Project: JSecurity
          Issue Type: Bug
          Components: Subject
    Affects Versions: 0.9
            Reporter: Jeremy Haile
             Fix For: 1.0


This cropped up for me because Spring's FrameworkServlet calls request.getUserName() by default, which under the hood will call JSecurity's getSubject().  This causes a new subject to be created that honors the remember me cookie.  Instead - this new subject should be created without a remember me cookie being honored.

One way we could work around this problem is by setting a request attribute when you logout that tells the RememberMeManager that it shouldn't honor the remember me cookie for the remainder of this request.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (JSEC-57) After logout() a getSubject() call still honors remember me

Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSEC-57?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12671473#action_12671473 ] 

Les Hazlewood commented on JSEC-57:
-----------------------------------

I think an appropriate solution for this issue is to set a request attribute that indicates the user has called logout during the request, e.g.  IS_LOGGED_OUT key, Boolean object as the value.  Both the WebRememberMeManager and the JSecurityHttpServletRequest would check for the same attribute to alter logic for rememberMe and getUserName, respectively.

I think getUserName should return null after a logout, instead of creating a new Subject and Session which would result otherwise.  I think an end user has filed another issue recently (JSEC-58?) that is related to this, which causes a new session to be created unnecessarily.

> After logout() a getSubject() call still honors remember me
> -----------------------------------------------------------
>
>                 Key: JSEC-57
>                 URL: https://issues.apache.org/jira/browse/JSEC-57
>             Project: JSecurity
>          Issue Type: Bug
>          Components: Subject
>    Affects Versions: 0.9
>            Reporter: Jeremy Haile
>             Fix For: 1.0
>
>         Attachments: WebRememberMeManager.java.forgetIdentity.JSEC-57.patch
>
>
> This cropped up for me because Spring's FrameworkServlet calls request.getUserName() by default, which under the hood will call JSecurity's getSubject().  This causes a new subject to be created that honors the remember me cookie.  Instead - this new subject should be created without a remember me cookie being honored.
> One way we could work around this problem is by setting a request attribute when you logout that tells the RememberMeManager that it shouldn't honor the remember me cookie for the remainder of this request.



[jira] Updated: (JSEC-57) After logout() a getSubject() call still honors remember me

Posted by "Brad Whitaker (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSEC-57?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brad Whitaker updated JSEC-57:
------------------------------

    Attachment: WebRememberMeManager.java.forgetIdentity.JSEC-57.patch

I've attached a patch that I think will fix the issue. I haven't been able to deploy and test a WAR file yet but it seems to be working as expected in my devel environment (based on analyzing my log files).

My logs are consistent with Jeremy's post on the mailing list that there is an 'extra', unexpected call to getSubject() (presumably from a framework) that takes place after logout() but in the same request.

The patch modifies only class WebRememberMeManager.java. It attaches a "forget me" flag to the request in method forgetIdentity().  getRememberedPrincipals() is modified to look for the 'forget me' flag and return null if the flag is present.

Feel free to modify or reject any part of the patch. The log statements don't need to remain.

> After logout() a getSubject() call still honors remember me
> -----------------------------------------------------------
>
>                 Key: JSEC-57
>                 URL: https://issues.apache.org/jira/browse/JSEC-57
>             Project: JSecurity
>          Issue Type: Bug
>          Components: Subject
>    Affects Versions: 0.9
>            Reporter: Jeremy Haile
>             Fix For: 1.0
>
>         Attachments: WebRememberMeManager.java.forgetIdentity.JSEC-57.patch
>
>
> This cropped up for me because Spring's FrameworkServlet calls request.getUserName() by default, which under the hood will call JSecurity's getSubject().  This causes a new subject to be created that honors the remember me cookie.  Instead - this new subject should be created without a remember me cookie being honored.
> One way we could work around this problem is by setting a request attribute when you logout that tells the RememberMeManager that it shouldn't honor the remember me cookie for the remainder of this request.



[jira] Resolved: (JSEC-57) After logout() a getSubject() call still honors remember me

Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSEC-57?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood resolved JSEC-57.
-------------------------------

    Resolution: Fixed
      Assignee: Les Hazlewood

Finally able to finish this one.  I wasn't able to use the patch as the request attribute indicating the identity has been removed isn't specific to RememberMe functionality - it is used elsewhere as well, so I needed to ensure that it would function even if RememberMe wasn't enabled but the user still logged out during a request.

> After logout() a getSubject() call still honors remember me
> -----------------------------------------------------------
>
>                 Key: JSEC-57
>                 URL: https://issues.apache.org/jira/browse/JSEC-57
>             Project: JSecurity
>          Issue Type: Bug
>          Components: Subject
>    Affects Versions: 0.9
>            Reporter: Jeremy Haile
>            Assignee: Les Hazlewood
>             Fix For: 1.0
>
>         Attachments: WebRememberMeManager.java.forgetIdentity.JSEC-57.patch
>
>
> This cropped up for me because Spring's FrameworkServlet calls request.getUserName() by default, which under the hood will call JSecurity's getSubject().  This causes a new subject to be created that honors the remember me cookie.  Instead - this new subject should be created without a remember me cookie being honored.
> One way we could work around this problem is by setting a request attribute when you logout that tells the RememberMeManager that it shouldn't honor the remember me cookie for the remainder of this request.

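The request-scoped "identity removed" flag that Jeremy, Les and Brad describe above, and the refinement in the resolution comment (the flag must work even when remember-me is disabled), as an added Java sketch that is not JSecurity's or Shiro's own code. It assumes the Servlet API on the classpath; the class name, attribute key and cookie name are hypothetical.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added sketch of the per-request "identity removed" flag discussed in JSEC-57; not JSecurity/Shiro code. */
public class LogoutAwareRememberMe {
    // Hypothetical attribute key and cookie name; the real project chose its own.
    static final String IDENTITY_REMOVED_KEY = LogoutAwareRememberMe.class.getName() + ".IDENTITY_REMOVED";
    static final String COOKIE_NAME = "rememberMe";

    /** Called from logout(): expire the cookie in the browser and mark this request, so later
     *  lookups in the same request ignore the cookie the browser already sent. The flag is set
     *  whether or not remember-me is enabled, as the resolution comment requires. */
    public static void forgetIdentity(HttpServletRequest request, HttpServletResponse response) {
        request.setAttribute(IDENTITY_REMOVED_KEY, Boolean.TRUE);
        Cookie expired = new Cookie(COOKIE_NAME, "");
        expired.setMaxAge(0); // max-age 0 tells the browser to delete the cookie
        expired.setPath("/");
        response.addCookie(expired);
    }

    static boolean identityRemovedThisRequest(HttpServletRequest request) {
        return Boolean.TRUE.equals(request.getAttribute(IDENTITY_REMOVED_KEY));
    }

    /** Stand-in for getRememberedPrincipals(): the raw remember-me cookie value, or null when no
     *  cookie is present or the identity was removed earlier in this request. Decoding and
     *  verifying the value is out of scope here. */
    public static String getRememberedIdentity(HttpServletRequest request) {
        if (identityRemovedThisRequest(request)) {
            return null; // a post-logout getSubject() must not rebuild the old identity
        }
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return c.getValue();
            }
        }
        return null;
    }

    /** What a request wrapper's getRemoteUser()/getUserName() should answer after logout:
     *  null, rather than triggering creation of a new Subject and Session. */
    public static String remoteUser(HttpServletRequest request, String currentPrincipal) {
        return identityRemovedThisRequest(request) ? null : currentPrincipal;
    }
}
```

The flag matters because the expired cookie only takes effect on the browser's next request; the current request's Cookie header still carries the old value, and only the attribute tells later code in the same request to ignore it.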


[jira] Moved: (KI-4) After logout() a getSubject() call still honors remember me

Posted by "Alan Cabrera (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/KI-4?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alan Cabrera moved JSEC-57 to KI-4:
-----------------------------------

        Fix Version/s:     (was: 1.0)
          Component/s:     (was: Subject)
    Affects Version/s:     (was: 0.9)
                  Key: KI-4  (was: JSEC-57)
              Project: Ki  (was: JSecurity)

> After logout() a getSubject() call still honors remember me
> -----------------------------------------------------------
>
>                 Key: KI-4
>                 URL: https://issues.apache.org/jira/browse/KI-4
>             Project: Ki
>          Issue Type: Bug
>            Reporter: Jeremy Haile
>            Assignee: Les Hazlewood
>         Attachments: WebRememberMeManager.java.forgetIdentity.JSEC-57.patch
>
>
> This cropped up for me because Spring's FrameworkServlet calls request.getUserName() by default, which under the hood will call JSecurity's getSubject().  This causes a new subject to be created that honors the remember me cookie.  Instead - this new subject should be created without a remember me cookie being honored.
> One way we could work around this problem is by setting a request attribute when you logout that tells the RememberMeManager that it shouldn't honor the remember me cookie for the remainder of this request.
