Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2009/01/27 06:30:59 UTC

[jira] Resolved: (JSEC-22) Login-logout-login scenario

     [ https://issues.apache.org/jira/browse/JSEC-22?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Les Hazlewood resolved JSEC-22.
-------------------------------

    Resolution: Fixed
      Assignee: Les Hazlewood

Fixed with accompanying unit test.  Subject can login/logout as many times as desired, and JavaDoc was updated to reflect this.  Also see the DefaultSecurityManagerTest.testSubjectReuseAfterLogout() unit test for verification.

> Login-logout-login scenario
> ---------------------------
>
>                 Key: JSEC-22
>                 URL: https://issues.apache.org/jira/browse/JSEC-22
>             Project: JSecurity
>          Issue Type: Improvement
>          Components: Authentication (log-in)
>    Affects Versions: 1.0
>            Reporter: Grzegorz Borkowski
>            Assignee: Les Hazlewood
>            Priority: Minor
>             Fix For: 1.0
>
>
> Consider following code (used in JUnit test):
> Subject currentUser = SecurityUtils.getSubject();
> //login as user with some permissions
> currentUser.login(new UsernamePasswordToken("empl1", "pass1"));
> //call some protected function
> currentUser.logout();
> // now use user without required permissions
> currentUser.login(new UsernamePasswordToken("testUser", "blah"));
> //call protected method - should throw UnauthorizedException
> This code looks ok, but it will not work. It will throw NPE on the line with second login() call.
> This is because logout() method will clear the securityManager field in currentUser object, and the next login() call will call the method on this securityManager, raising NPE.
> It would be better if we allow somehow for such scenario - open question is how? At this moment the currentUser object after logout() method becomes completely useless.
> (Current workaround: after calling logout() and before second call to login() you have to replace currentUser object:
> currentUser = SecurityUtils.getSubject();
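Added example, not code from the issue or from JSecurity: a self-contained Java model of the delegating subject the report describes, with the pre-fix logout() (which clears the security manager reference, so the second login() throws NPE) beside the fixed behaviour that keeps the reference. DemoSecurityManager, DemoSubject and the two demo accounts are constructed for this illustration.

```java
// Constructed stand-in for the security manager; not JSecurity's own class.
final class DemoSecurityManager {
    void authenticate(String user, String pass) {   // constructed demo accounts
        boolean ok = ("empl1".equals(user) && "pass1".equals(pass))
                  || ("testUser".equals(user) && "blah".equals(pass));
        if (!ok) throw new IllegalStateException("authentication failed for " + user);
    }
}

// Minimal delegating subject modelled on the behaviour the report describes.
final class DemoSubject {
    private DemoSecurityManager securityManager;
    private String principal;
    private final boolean clearManagerOnLogout;   // true reproduces JSEC-22

    DemoSubject(DemoSecurityManager sm, boolean clearManagerOnLogout) {
        this.securityManager = sm;
        this.clearManagerOnLogout = clearManagerOnLogout;
    }
    void login(String user, String pass) {
        // Pre-fix: securityManager is null after logout(), so this line throws NPE.
        securityManager.authenticate(user, pass);
        principal = user;
    }
    void logout() {
        principal = null;              // always discard the authenticated identity
        if (clearManagerOnLogout) {
            securityManager = null;    // pre-fix behaviour: subject is now unusable
        }
    }
    String principal() { return principal; }
}

public class LoginLogoutLogin {
    public static void main(String[] args) {
        DemoSecurityManager sm = new DemoSecurityManager();
        DemoSubject fixed = new DemoSubject(sm, false);
        fixed.login("empl1", "pass1");
        fixed.logout();
        fixed.login("testUser", "blah");   // works because the manager reference is kept
        System.out.println("fixed subject re-authenticated as " + fixed.principal());
        DemoSubject buggy = new DemoSubject(sm, true);
        buggy.login("empl1", "pass1");
        buggy.logout();
        try {
            buggy.login("testUser", "blah");
        } catch (NullPointerException e) {
            System.out.println("pre-fix subject: NPE on second login(), as reported");
        }
    }
}
```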
