Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2009/01/27 06:30:59 UTC
[jira] Resolved: (JSEC-22) Login-logout-login scenario
[ https://issues.apache.org/jira/browse/JSEC-22?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Les Hazlewood resolved JSEC-22.
-------------------------------
Resolution: Fixed
Assignee: Les Hazlewood
Fixed with accompanying unit test. Subject can login/logout as many times as desired, and JavaDoc was updated to reflect this. Also see the DefaultSecurityManagerTest.testSubjectReuseAfterLogout() unit test for verification.
> Login-logout-login scenario
> ---------------------------
>
> Key: JSEC-22
> URL: https://issues.apache.org/jira/browse/JSEC-22
> Project: JSecurity
> Issue Type: Improvement
> Components: Authentication (log-in)
> Affects Versions: 1.0
> Reporter: Grzegorz Borkowski
> Assignee: Les Hazlewood
> Priority: Minor
> Fix For: 1.0
>
>
> Consider the following code (used in a JUnit test):
> Subject currentUser = SecurityUtils.getSubject();
> //login as user with some permissions
> currentUser.login(new UsernamePasswordToken("empl1", "pass1"));
> //call some protected function
> currentUser.logout();
> // now use a user without the required permissions
> currentUser.login(new UsernamePasswordToken("testUser", "blah"));
> //call protected method - should throw UnauthorizedException
> This code looks ok, but it will not work. It will throw an NPE on the line with the second login() call.
> This is because the logout() method will clear the securityManager field in the currentUser object, and the next login() call will call the method on this securityManager, raising an NPE.
> It would be better if we allow somehow for such a scenario - open question is how? At this moment the currentUser object after the logout() method becomes completely useless.
> (Current workaround: after calling logout() and before the second call to login() you have to replace the currentUser object:
> currentUser = SecurityUtils.getSubject(); )
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
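The login-logout-login scenario from the issue, written out as a complete JUnit test. This is an added example, not the project's own DefaultSecurityManagerTest.testSubjectReuseAfterLogout() referred to above; it is written against the Apache Shiro 1.x API (org.apache.shiro packages, the project's later name) and JUnit 4, both of which are assumptions. The realm, the two accounts ("empl1" with an "employee" role, "testUser" with no roles) and the role name are constructed for the test. Besides checking that the second login() on the same Subject does not throw an NPE, it checks the security-relevant half of the scenario: after logout() the Subject holds no principal, and the second, less privileged user does not inherit the first user's authorization.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;

public class LoginLogoutLoginTest {

    private DefaultSecurityManager securityManager;

    @Before
    public void setUp() {
        // Constructed in-memory realm (assumption: names and credentials are test data only):
        // "empl1" holds the "employee" role, "testUser" holds no roles at all.
        SimpleAccountRealm realm = new SimpleAccountRealm("test-realm");
        realm.addRole("employee");
        realm.addAccount("empl1", "pass1", "employee");
        realm.addAccount("testUser", "blah");

        securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);
    }

    @After
    public void tearDown() {
        // Unbind the Subject from the test thread so state cannot leak into other tests.
        ThreadContext.remove();
        SecurityUtils.setSecurityManager(null);
    }

    @Test
    public void sameSubjectCanLoginAgainAfterLogout() {
        Subject currentUser = SecurityUtils.getSubject();

        // First login: a user that holds the protected role.
        currentUser.login(new UsernamePasswordToken("empl1", "pass1"));
        assertTrue(currentUser.isAuthenticated());
        assertEquals("empl1", currentUser.getPrincipal());
        currentUser.checkRole("employee"); // passes, empl1 is authorized

        // Logout must leave the Subject anonymous, but still usable.
        currentUser.logout();
        assertFalse(currentUser.isAuthenticated());
        assertNull(currentUser.getPrincipal());

        // Second login on the very same Subject instance: the point of JSEC-22.
        // Before the fix this line threw a NullPointerException.
        currentUser.login(new UsernamePasswordToken("testUser", "blah"));
        assertTrue(currentUser.isAuthenticated());
        assertEquals("testUser", currentUser.getPrincipal());

        // The earlier, more privileged login must not leave residual authorization behind.
        try {
            currentUser.checkRole("employee");
            fail("testUser must not inherit empl1's role after logout");
        } catch (UnauthorizedException expected) {
            // correct: the Subject now carries only testUser's (empty) authorization
        }
    }
}
```

The workaround quoted in the issue (re-fetching the Subject with SecurityUtils.getSubject() between logout() and the second login()) would pass the same assertions; the value of the test is that it pins down the fixed behaviour for the reused instance, including the negative check that a logout really discards the previous user's roles rather than merely nulling the securityManager field.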