[
https://issues.apache.org/jira/browse/SLING-5675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15261912#comment-15261912
]
Antonio Sanso commented on SLING-5675:
--------------------------------------
[~chaotic] probably I was wrong this is not fixed. I will give another look
> Logout only called if AuthenticationHandler is registered to "/"
> ----------------------------------------------------------------
>
> Key: SLING-5675
> URL: https://issues.apache.org/jira/browse/SLING-5675
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Auth Core 1.3.14
> Reporter: Lars Krapf
> Labels: authentication
>
> In {{SlingAuthenticator.logout()}} only the AuthenticationHandlers which are
> registered on paths which are roots of
> {{SlingAuthenticator.getHandlerSelectionPath()}} are selected.
> This path should either be taken from the servlet path, or will be read from
> the {{Authenticator.LOGIN_RESOURCE}} request attribute _if it is present_.
> Now, in {{LogoutServlet.service()}} the LOGIN_RESOURCE is _always_ set to
> it's default value ("/") by calling {{AuthUtil.setLoginResourceAttribute()}}.
> As a result, {{dropCredentials()}} will only be called on authentication
> handlers which are registered to "/".
> My expectation is that the selection of logout handlers should be independent
> of their registration paths, in order to allow a POST to
> {{/system/sling/logout}} have *all* registered handlers drop credentials.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
