[Bug 60380] New: HttpServletRequest#logout() never calls TomcatPrincipal#logout()

bugzilla Wed, 16 Nov 2016 02:30:07 -0800

https://bz.apache.org/bugzilla/show_bug.cgi?id=60380


            Bug ID: 60380
           Summary: HttpServletRequest#logout() never calls
                    TomcatPrincipal#logout()
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ----

If the client code calls HttpServletRequest#logout(), it is delegated to
getContext().getAuthenticator().logout(this); but
AuthenticatorBase#logout(Request) never calls TomcatPrincipal#logout() to free
resources. The only spot where this method is called is in
StandardSession#expire(boolean).

A completely request-based application cannot free the principal without ugly
hacks.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[Bug 60380] New: HttpServletRequest#logout() never calls TomcatPrincipal#logout()

Reply via email to