Alex Astapchuk wrote:
> Hi Stepan, all,
>
>> I think the spec. statement: "A LoginContext should not be used to
>> authenticate more than one Subject." was taken too strict: reusing
>> LoginContext object to get the same set of credentials seemed odd.
>
> The decision was mostly about resources.
>
> Indeed, the spec does not specify behavior of LoginContext.
>
> However, the spec is more or less clear in what should the
> Login*Module*-s do in response to login/logout/etc.
> It states 'login() saves result ...'. It does not warn with
> anything like 'check previous state and clean up resources
> from previous successful logins'.
> The resource clean up is explicitly for abort() and logout().

The spec might not say so explicitly, but cleaning up the resources
before attempting another login would seem like a reasonable thing to do.

>>> I consider RI's behavior is more reasonable.
>
> I would say it's more dangerous.
> The invocation of login() on already logged LoginModule-s
> may easily produce a resource leak.
> Presuming the authentication is normally not a too frequent
> task, such a leak would be really hard to discover and hunt.

I don't see why we would have to suffer the leak -- if the state changes
are made via API then we have the opportunity to fix things first.

Regards,
Tim

--
Tim Ellison ([EMAIL PROTECTED])
IBM Java technology centre, UK.
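
The clean-up-before-relogin approach discussed in this thread, as an added example (not code from the thread, from Harmony or from the RI): a LoginModule whose login() releases whatever a previous successful login left behind before acquiring anything new. The class name, the `Session` resource and the `user` option are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example; class name, Session and the "user" option are illustrative assumptions.
public class ReloginSafeModule implements LoginModule {
    static final class Session implements AutoCloseable { // stand-in for a socket, ticket cache, handle
        static int open;                       // live sessions, to make a leak visible
        Session() { open++; }
        @Override public void close() { open--; }
    }
    private Subject subject;
    private Map<String, ?> options;
    private Session session;                   // held since the last successful login()
    private Principal principal;               // added to the Subject by commit()

    @Override
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; options = opts;
    }

    @Override
    public boolean login() throws LoginException {
        release();                             // re-login: drop the previous login's state first
        Object user = options.get("user");
        if (user == null) throw new FailedLoginException("no user configured");
        session = new Session();
        principal = () -> user.toString();     // Principal has one abstract method, getName()
        return true;
    }

    @Override
    public boolean commit() {
        if (session == null) return false;     // login() did not succeed, nothing to commit
        subject.getPrincipals().add(principal);
        return true;
    }
    @Override public boolean abort()  { release(); return true; }
    @Override public boolean logout() { release(); return true; }
    // Single clean-up path shared by login(), abort() and logout().
    private void release() {
        if (principal != null) subject.getPrincipals().remove(principal);
        if (session != null) session.close();
        session = null; principal = null;
    }
}
```

Without the `release()` call at the top of login(), a second login() on the same module would overwrite the `session` reference and the earlier `Session` would never be closed, which is the leak described in the quoted message.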
