Jackrabbit Oak - OAK-8710

AbstractLoginModule#logout() must not remove 'foreign' principals/credentials


    Details

      Description

      See https://github.com/apache/jackrabbit-oak/blob/9569d659f0655d3ba16c1cfe1fbb5f53959f701f/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java#L189:

      The criterion for logout() to succeed is

      !subject.getPrincipals().isEmpty() && !subject.getPublicCredentials(Credentials.class).isEmpty()

      This did not work in a case where the subject was created by a thread handling an authenticated JMX connection (and later passed on to other threads due to AccessControlContext inheritance).

      I'd propose to make logout() succeed unconditionally, but I'm not entirely sure about side effects.
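To make the criterion quoted above concrete, here is an added Java example; it is not Oak's code and not part of the issue. It assumes the JCR API (javax.jcr) and the JDK's JMX classes are on the classpath; the two subject shapes and the user names are constructed for the demonstration. It evaluates the criterion against a subject shaped like one a JMX connector authenticator produces (principals only) and against one shaped like a repository login (principals plus Credentials), and then shows how a subject bound with Subject.doAs is inherited by a thread started inside that scope.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

public class LogoutCriterionDemo {

    // The criterion quoted from the issue: logout only proceeds when the subject
    // carries both principals and at least one public JCR Credentials object.
    static boolean oakLogoutCriterion(Subject subject) {
        return !subject.getPrincipals().isEmpty()
                && !subject.getPublicCredentials(Credentials.class).isEmpty();
    }

    // Constructed example: a subject shaped like the one a JMX connector's
    // authenticator produces, with a principal but no JCR Credentials.
    static Subject jmxStyleSubject(String user) {
        Subject s = new Subject();
        s.getPrincipals().add(new JMXPrincipal(user));
        return s;
    }

    // Constructed example: a subject populated by a repository login, which
    // leaves the Credentials it authenticated with in the public set.
    static Subject repositoryLoginSubject(String user) {
        Subject s = jmxStyleSubject(user);
        s.getPublicCredentials().add(new SimpleCredentials(user, new char[0]));
        return s;
    }

    public static void main(String[] args) {
        System.out.println("repository login subject passes criterion: "
                + oakLogoutCriterion(repositoryLoginSubject("admin")));
        Subject jmx = jmxStyleSubject("jmx-operator");
        System.out.println("JMX-style subject passes criterion: "
                + oakLogoutCriterion(jmx));

        // A thread created inside doAs inherits the AccessControlContext, so the
        // worker still sees the same subject, the one logout() would leave untouched.
        Subject.doAs(jmx, (PrivilegedAction<Void>) () -> {
            Thread worker = new Thread(() -> System.out.println(
                    "worker thread sees inherited subject: "
                    + Subject.getSubject(AccessController.getContext())));
            worker.start();
            try { worker.join(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
            return null;
        });
    }
}
```

The JMX-style subject fails the criterion only because its public credential set holds no Credentials object, which is the gap the description points at.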

        Attachments

        1. logout.png
          180 kB
          Manfred Baedke
        2. OAK-8710.patch
          58 kB
          Angela Schreiber

              People

              Assignee: Angela Schreiber (angela)
              Reporter: Manfred Baedke (baedke)
              Votes: 0
              Watchers: 4
