Uploaded image for project: 'Jackrabbit Oak'
  1. Jackrabbit Oak
  2. OAK-8710

AbstractLoginModule#logout() must not remove 'foreign' principals/credentials

    XMLWordPrintableJSON

Details

    Description

      See https://github.com/apache/jackrabbit-oak/blob/9569d659f0655d3ba16c1cfe1fbb5f53959f701f/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java#L189:

      The criterion for logout() to succeed is

      !subject.getPrincipals().isEmpty() && !subject.getPublicCredentials(Credentials.class).isEmpty()

      This did not work in a case where the subject was created by a thread handling an authenticated JMX connection (and later passed on to other threads due to AccessControlContext inheritage).

      I'd propose to make logout() succeed unconditionally, but I'm not entirely sure about side effects.

      Attachments

        1. logout.png
          180 kB
          Manfred Baedke
        2. OAK-8710.patch
          58 kB
          Angela Schreiber

        Issue Links

          is blocked by

          Bug - A problem which impairs or prevents the functions of the product. OAK-8803 AbstractLoginModule and subclasses: successful commit must not clear state information required for successful logout

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. OAK-8763 LoginContextProviderImpl uses any subject found in the AccessControlContext.

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. OAK-8800 TokenLoginModule does not add principals from subject to AuthInfo

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. OAK-8801 LoginModuleImpl will not populate auth info if subject is readonly

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. OAK-8802 ExternalLoginModule.commit will fail if no principals can be resolved for externalUser

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. OAK-8804 AuthInfoImpl: add constructor with iterable-principals instead of set

          • Major - Major loss of function.
          • Closed
          supercedes

          Bug - A problem which impairs or prevents the functions of the product. OAK-8404 AbstractLoginModule#logout() may fail for impersonated users whose subject provides admin credentials

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              angela Angela Schreiber
              baedke Manfred Baedke
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: