  1. Sling
  2. SLING-5675

Logout only called if AuthenticationHandler is registered to "/"


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Auth Core 1.3.14
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:

      Description

      In SlingAuthenticator.logout() only the AuthenticationHandlers which are registered on paths which are roots of SlingAuthenticator.getHandlerSelectionPath() are selected.

      This path should either be taken from the servlet path, or will be read from the Authenticator.LOGIN_RESOURCE request attribute if it is present.

      Now, in LogoutServlet.service() the LOGIN_RESOURCE is always set to its default value ("/") by calling AuthUtil.setLoginResourceAttribute().

      As a result, dropCredentials() will only be called on authentication handlers which are registered to "/".

      My expectation is that the selection of logout handlers should be independent of their registration paths, in order to allow a POST to /system/sling/logout to have all registered handlers drop credentials.
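
      Added example, not part of the original report and not Sling's own code: a simplified Java model (Java 16+) of the selection rule described above, showing which handlers are skipped when the selection path is forced to "/". The Handler record, the method names and the sample registration paths are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the selection rule described in this issue.
// Not Sling code: Handler, isRootOf, selectFor, skippedFor and the sample paths are hypothetical.
public class LogoutSelectionModel {

    record Handler(String name, String registeredPath) {}

    // A handler is selected when its registration path is a root
    // (equal to, or an ancestor of) the handler selection path.
    static boolean isRootOf(String registeredPath, String selectionPath) {
        if (registeredPath.equals("/")) return true;
        return selectionPath.equals(registeredPath)
            || selectionPath.startsWith(registeredPath + "/");
    }

    static List<String> selectFor(String selectionPath, List<Handler> handlers) {
        List<String> selected = new ArrayList<>();
        for (Handler h : handlers) {
            if (isRootOf(h.registeredPath(), selectionPath)) selected.add(h.name());
        }
        return selected;
    }

    // Handlers whose dropCredentials() would not be reached for this selection path.
    static List<String> skippedFor(String selectionPath, List<Handler> handlers) {
        List<String> selected = selectFor(selectionPath, handlers);
        List<String> skipped = new ArrayList<>();
        for (Handler h : handlers) {
            if (!selected.contains(h.name())) skipped.add(h.name());
        }
        return skipped;
    }

    public static void main(String[] args) {
        // Constructed sample registrations.
        List<Handler> handlers = List.of(
            new Handler("root-handler", "/"),
            new Handler("content-handler", "/content/secure"),
            new Handler("api-handler", "/api"));

        // The logout case from the issue: the login resource is always "/".
        System.out.println("selected for /: " + selectFor("/", handlers));
        System.out.println("skipped for /:  " + skippedFor("/", handlers));
        // A selection path below a registration also reaches that handler.
        System.out.println("selected for /content/secure/page: "
            + selectFor("/content/secure/page", handlers));
    }
}
```

      Running the same check against a deployment's actual handler registration paths lists the handlers that keep their credentials after a logout request.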

            People

            • Assignee:
              Unassigned
              Reporter:
              chaotic Lars Krapf
            • Votes:
              1
              Watchers:
              3