Sling / SLING-5675

Logout only called if AuthenticationHandler is registered to "/"


Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Won't Fix
    • Auth Core 1.3.14
    • None
    • Authentication

    Description

      In SlingAuthenticator.logout() only the AuthenticationHandlers which are registered on paths which are roots of SlingAuthenticator.getHandlerSelectionPath() are selected.

      This path should either be taken from the servlet path, or will be read from the Authenticator.LOGIN_RESOURCE request attribute if it is present.

      Now, in LogoutServlet.service() the LOGIN_RESOURCE is always set to its default value ("/") by calling AuthUtil.setLoginResourceAttribute().

      As a result, dropCredentials() will only be called on authentication handlers which are registered to "/".

      My expectation is that the selection of logout handlers should be independent of their registration paths, in order to allow a POST to /system/sling/logout to have all registered handlers drop credentials.
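
A simplified model of the handler selection this issue describes, as an added example that is not part of the original report and is not Sling's own code. The `Handler` record, the method names and the registration paths are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the selection described in SLING-5675; not Sling's code.
public class LogoutSelectionModel {

    // Hypothetical stand-in for a registered authentication handler.
    record Handler(String name, String registeredPath) {}

    // A handler is selected when its registration path is a root of the
    // selection path, i.e. a prefix ending on a path-segment boundary.
    static boolean isRootOf(String registeredPath, String selectionPath) {
        if (registeredPath.equals("/") || registeredPath.equals(selectionPath)) {
            return true;
        }
        return selectionPath.startsWith(registeredPath + "/");
    }

    // As the report states: the LOGIN_RESOURCE attribute, when present,
    // is used instead of the servlet path.
    static String selectionPath(String servletPath, String loginResource) {
        return loginResource != null ? loginResource : servletPath;
    }

    // Names of the handlers on which dropCredentials() would be called.
    static List<String> handlersDroppingCredentials(
            List<Handler> handlers, String servletPath, String loginResource) {
        String path = selectionPath(servletPath, loginResource);
        List<String> selected = new ArrayList<>();
        for (Handler h : handlers) {
            if (isRootOf(h.registeredPath(), path)) {
                selected.add(h.name());
            }
        }
        return selected;
    }

    public static void main(String[] args) {
        List<Handler> handlers = List.of(          // constructed registrations
            new Handler("form", "/"),
            new Handler("sso", "/content/secure"),
            new Handler("token", "/apps"));
        String logout = "/system/sling/logout";
        // Logout as described in the report: LOGIN_RESOURCE is forced to "/".
        System.out.println(handlersDroppingCredentials(handlers, logout, "/"));
        // A resource below /content/secure also selects the "sso" handler.
        System.out.println(handlersDroppingCredentials(handlers, logout, "/content/secure/page"));
    }
}
```

In this model the handlers registered below "/" keep whatever credentials they hold after a logout request, which is the gap the report asks to close.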

          People

            Unassigned Unassigned
            chaotic Lars Krapf