Jackrabbit Oak - OAK-8710

AbstractLoginModule#logout() must not remove 'foreign' principals/credentials


    Description

      See https://github.com/apache/jackrabbit-oak/blob/9569d659f0655d3ba16c1cfe1fbb5f53959f701f/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java#L189:

      The criterion for logout() to succeed is

      !subject.getPrincipals().isEmpty() && !subject.getPublicCredentials(Credentials.class).isEmpty()

      This did not work in a case where the subject was created by a thread handling an authenticated JMX connection (and later passed on to other threads due to AccessControlContext inheritance).

      I'd propose to make logout() succeed unconditionally, but I'm not entirely sure about side effects.
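The behaviour the issue title asks for, sketched as an added Java example that is not Oak's code and not the attached patch: the module records which principals and credentials it added during commit() and removes only those on logout(), succeeding regardless of what else is on the Subject. ScopedLogoutDemo and its field names are hypothetical, and the JMX-populated Subject is a constructed scenario.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

public class ScopedLogoutDemo {
    // Hypothetical bookkeeping: only what this module itself put on the Subject in commit().
    private final Set<Principal> ownPrincipals = new HashSet<>();
    private final Set<Object> ownCredentials = new HashSet<>();

    // The criterion quoted in the issue; its outcome depends on foreign entries, not on our own.
    static boolean legacyLogoutSucceeds(Subject subject) {
        return !subject.getPrincipals().isEmpty()
                && !subject.getPublicCredentials(Credentials.class).isEmpty();
    }

    // Simulated commit(): record exactly the entries we add so logout() can undo only those.
    void commit(Subject subject, Principal principal, Credentials credentials) {
        if (subject.getPrincipals().add(principal)) ownPrincipals.add(principal);
        if (subject.getPublicCredentials().add(credentials)) ownCredentials.add(credentials);
    }

    // Scoped logout: strip our own entries, leave foreign ones untouched, succeed unconditionally.
    boolean logout(Subject subject) {
        subject.getPrincipals().removeAll(ownPrincipals);
        subject.getPublicCredentials().removeAll(ownCredentials);
        ownPrincipals.clear();
        ownCredentials.clear();
        return true;
    }

    public static void main(String[] args) {
        // Constructed scenario: a Subject populated by a JMX connector thread, carrying a principal but no javax.jcr.Credentials.
        Subject subject = new Subject();
        Principal foreign = new JMXPrincipal("jmx-admin");
        subject.getPrincipals().add(foreign);
        System.out.println("legacy criterion before Oak login: " + legacyLogoutSucceeds(subject));

        ScopedLogoutDemo module = new ScopedLogoutDemo();
        Principal own = () -> "oak-user";
        module.commit(subject, own, new SimpleCredentials("oak-user", new char[0]));
        System.out.println("logout succeeded: " + module.logout(subject));
        System.out.println("foreign principal kept: " + subject.getPrincipals().contains(foreign));
        System.out.println("own principal removed: " + !subject.getPrincipals().contains(own));
    }
}
```

Compiling this needs the JCR API (javax.jcr) on the classpath; the JMX and JAAS classes ship with the JDK.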

      Attachments

        1. logout.png (180 kB, Manfred Baedke)
        2. OAK-8710.patch (58 kB, Angela Schreiber)

            People

              angela Angela Schreiber
              baedke Manfred Baedke
