Details
- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Invalid
Description
LoginContextProviderImpl#getLoginContext(...) extracts the most recent subject from the AccessControlContext and then uses it for either a PreAuthContext or a JaasLoginContext. This is wrong, because there is no reason to assume that such a subject has anything to do with Oak. It particularly hurts when it's read-only, because JAAS will then silently fail to add principals and credentials.
We would need a way to identify pre-authenticated subjects and subjects that are not pre-authenticated should not be used to create a JaasLoginContext.
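The failure mode described above, and the direction of the proposed fix, as a stand-alone demo added here (this is not Oak code and not the reporter's): a "foreign" subject that another component sealed read-only is placed on the calling context, and a JAAS login that blindly reuses the ambient subject ends with that subject's principal set unchanged even though login() reported success. A second variant reuses the ambient subject only when it carries a marker principal; everything about that marker (PreAuthMarker) is a hypothetical placeholder for whatever mechanism the issue asks for. The demo assumes JDK 18 or later and uses Subject.current()/Subject.callAs, the replacements for the Subject.getSubject(AccessController.getContext()) pattern the issue refers to.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Constructed demo, not Oak code. Requires JDK 18+ for Subject.current()/callAs,
 * which replace the Subject.getSubject(AccessController.getContext()) call the issue discusses.
 */
public class ForeignSubjectDemo {

    /** Hypothetical marker identifying a subject as pre-authenticated for this login (assumption, not an Oak API). */
    public static final class PreAuthMarker implements Principal {
        @Override public String getName() { return "pre-authenticated"; }
    }

    /** Minimal module that wants to add a principal on commit, as a repository login module would. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
        }
        @Override public boolean login() { return true; }
        @Override public boolean commit() {
            if (subject.isReadOnly()) {
                // The quiet failure mode: login reports success, but nothing is added to the subject.
                System.out.println("commit: subject is read-only, 'demo-user' was not added");
                return true;
            }
            subject.getPrincipals().add(() -> "demo-user");
            return true;
        }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { return true; }
    }

    /** In-memory JAAS configuration so the demo needs no login.config file. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
        }
    };

    /** The pattern the issue objects to: reuse whatever subject happens to be on the calling context. */
    static Subject loginReusingAmbientSubject() throws LoginException {
        LoginContext lc = new LoginContext("demo", Subject.current(), null, CONFIG);
        lc.login();
        return lc.getSubject();
    }

    /** Proposed direction: reuse the ambient subject only if it is marked as pre-authenticated. */
    static Subject loginCheckingForPreAuth() throws LoginException {
        Subject ambient = Subject.current();
        boolean preAuth = ambient != null && !ambient.getPrincipals(PreAuthMarker.class).isEmpty();
        // Passing null makes LoginContext create a fresh, writable Subject for this login.
        LoginContext lc = new LoginContext("demo", preAuth ? ambient : null, null, CONFIG);
        lc.login();
        return lc.getSubject();
    }

    static List<String> names(Subject s) {
        return s.getPrincipals().stream().map(Principal::getName).toList();
    }

    public static void main(String[] args) {
        // Constructed "foreign" subject: owned by some other component and sealed read-only.
        Subject foreign = new Subject();
        foreign.getPrincipals().add(() -> "other-component");
        foreign.setReadOnly();

        // Run both logins with the foreign subject on the calling context.
        Subject reused = Subject.callAs(foreign, ForeignSubjectDemo::loginReusingAmbientSubject);
        System.out.println("reusing ambient subject: " + names(reused));

        Subject fresh = Subject.callAs(foreign, ForeignSubjectDemo::loginCheckingForPreAuth);
        System.out.println("fresh subject instead:   " + names(fresh));
    }
}
```

Compile and run with `javac ForeignSubjectDemo.java && java ForeignSubjectDemo`. The first login succeeds without ever touching the foreign subject's principals, which is exactly the situation the issue calls out: the caller has no indication that the login produced nothing usable. The second login, lacking the marker, gets its own subject and the expected principal.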
Attachments
Issue Links
- relates to: OAK-8710 AbstractLoginModule#logout() must not remove 'foreign' principals/credentials (Closed)