Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2009/02/23 07:53:01 UTC
[jira] Resolved: (JSEC-57) After logout() a getSubject() call still honors remember me
[ https://issues.apache.org/jira/browse/JSEC-57?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Les Hazlewood resolved JSEC-57.
-------------------------------
Resolution: Fixed
Assignee: Les Hazlewood
Finally able to finish this one. I wasn't able to use the patch as the request attribute indicating the identity has been removed isn't specific to RememberMe functionality - it is used elsewhere as well, so I needed to ensure that it would function even if RememberMe wasn't enabled but the user still logged out during a request.
> After logout() a getSubject() call still honors remember me
> -----------------------------------------------------------
>
> Key: JSEC-57
> URL: https://issues.apache.org/jira/browse/JSEC-57
> Project: JSecurity
> Issue Type: Bug
> Components: Subject
> Affects Versions: 0.9
> Reporter: Jeremy Haile
> Assignee: Les Hazlewood
> Fix For: 1.0
>
> Attachments: WebRememberMeManager.java.forgetIdentity.JSEC-57.patch
>
>
> This cropped up for me because Spring's FrameworkServlet calls request.getUserName() by default, which under the hood will call JSecurity's getSubject(). This causes a new subject to be created that honors the remember me cookie. Instead - this new subject should be created without a remember me cookie being honored.
> One way we could work around this problem is by setting a request attribute when you logout that tells the RememberMeManager that it shouldn't honor the remember me cookie for the remainder of this request.
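The behaviour from the report and the request-attribute approach from the resolution comment, modelled as an added example; it is not JSecurity code and not the attached patch. The class, the attribute key `demo.identityRemoved` and the cookie name `rememberMe` are hypothetical, and the sample request is constructed.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of one HTTP request; none of these names are JSecurity API.
public class LogoutRememberMeDemo {
    static final String IDENTITY_REMOVED = "demo.identityRemoved"; // hypothetical attribute key

    static class Request {
        final Map<String, Object> attributes = new HashMap<>(); // per-request scope
        final Map<String, String> cookies = new HashMap<>();    // cookies sent by the browser
        String sessionPrincipal;                                 // identity held in the session
    }

    // Subject resolution: session first, then the remember-me cookie.
    static String resolvePrincipal(Request req, boolean honorRemovedFlag) {
        if (req.sessionPrincipal != null) {
            return req.sessionPrincipal;
        }
        // The flag is checked before any fallback, so it applies whether or
        // not remember-me is enabled.
        if (honorRemovedFlag && Boolean.TRUE.equals(req.attributes.get(IDENTITY_REMOVED))) {
            return null;
        }
        // The cookie arrived with this request, so it stays readable until the request ends.
        return req.cookies.get("rememberMe");
    }

    static void logout(Request req) {
        req.sessionPrincipal = null;
        // Record the logout in request scope so later lookups in the same request see it.
        req.attributes.put(IDENTITY_REMOVED, Boolean.TRUE);
    }

    static Request constructedRequest() {
        Request req = new Request();
        req.sessionPrincipal = "jdoe";          // constructed sample values
        req.cookies.put("rememberMe", "jdoe");
        return req;
    }

    public static void main(String[] args) {
        Request buggy = constructedRequest();
        logout(buggy);
        System.out.println("flag ignored:  " + resolvePrincipal(buggy, false));

        Request fixed = constructedRequest();
        logout(fixed);
        System.out.println("flag honoured: " + resolvePrincipal(fixed, true));
    }
}
```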