OK Bertrand,

For now, I will focus on SAML Authentication Handler, its version of the TokenStore, ensuring it's fixed there. I also hope to find time to work on the FormAuthenticationHandler.java cookie bug, for which I posted more details and evidence in the ASF #Sling channel.

Regards,
Cris

> On Mar 31, 2021, at 6:51 AM, Bertrand Delacretaz <[email protected]> wrote:
>
> Hi Cris,
>
> On Fri, Mar 26, 2021 at 6:31 PM Cris Rockwell <[email protected]> wrote:
>> ...After analyzing and debugging Form Authentication Handler, I have still
>> one doubt. Inspecting the value of cookie sling.formauth,
>> the value changes constantly with every request...
>
> If you have time to work on this I would start by exposing that issue
> with tests, to better understand it and to strictly control any
> changes to that code.
>
> I think that's quite old code, had a look at the history and I don't
> see logic-related changes in quite a long time.
>
> And the test coverage looks poor to non-existent unfortunately. There
> are a few authentication-related tests in the
> sling-org-apache-sling-launchpad-integration-tests module but I
> haven't checked what they test exactly.
>
>> ... I think your tests are very helpful. However, do you think tests could
>> encompass synchronization and thread safety?..
>
> No, they are just basic functional tests.
>
>> ...Specifically concerning the bug sonar cloud reported about volatile
>> array...
>
> I don't know what's best there, if the problem can be demonstrated by
> "hammer this thing for some time" tests that would be great but that's
> probably not trivial.
>
> Otherwise best might be to start a new thread here specific to that
> question, other Sling committers might have a more informed opinion
> than mine.
>
> HTH,
> -Bertrand
