Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
Description
The criterion for logout() to succeed is
!subject.getPrincipals().isEmpty() && !subject.getPublicCredentials(Credentials.class).isEmpty()
This did not work in a case where the subject was created by a thread handling an authenticated JMX connection (and later passed on to other threads due to AccessControlContext inheritance).
I'd propose to make logout() succeed unconditionally, but I'm not entirely sure about side effects.
Attachments
Issue Links
- is blocked by
  - OAK-8803 AbstractLoginModule and subclasses: successful commit must not clear state information required for successful logout (Closed)
- is related to
  - OAK-8763 LoginContextProviderImpl uses any subject found in the AccessControlContext. (Resolved)
  - OAK-8800 TokenLoginModule does not add principals from subject to AuthInfo (Closed)
  - OAK-8801 LoginModuleImpl will not populate auth info if subject is readonly (Closed)
  - OAK-8802 ExternalLoginModule.commit will fail if no principals can be resolved for externalUser (Closed)
  - OAK-8804 AuthInfoImpl: add constructor with iterable-principals instead of set (Closed)
- supercedes
  - OAK-8404 AbstractLoginModule#logout() may fail for impersonated users whose subject provides admin credentials (Resolved)