Is that because jBoss should call it but doesn't, or it shouldn't so it
doesn't?

Doesn't that mean that it would give the wrong results given the following,
reasonable scenario:

1) User Edward logs in. Is currently assigned to role SalesManager.
2) ServerLoginModule binds role SalesManager to Edward.
3) Edward logs off jBoss (stays logged on to some other service so the
   Subject remains in memory as Subject is shared across services).
4) Administrator modifies Edward's roles, removes SalesManager and adds
   FinancialAdvisor and ComplianceOfficer.
5) User Edward logs in and ServerLoginModule binds role FinancialAdvisor and
   ComplianceOfficer to Edward. However he still has the role of SalesManager
   associated as well.

-----Original Message-----
From: Oleg Nitz [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2000 11:12
To: jBoss
Subject: Re: [jBoss-User] Security Walkthrough/How To/Tutorial, first cut

On Tuesday 12 December 2000 11:47, Kenworthy, Edward wrote:
> The current logout method does nothing. Reading the spec I think it should
> remove the credentials (and principals) it added during login.
[snip]
> What do you think?

I think that logout() is never called on server LoginModule.

Oleg

--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Problems?: [EMAIL PROTECTED]
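
The stale-role scenario from the message above, as an added example that is not part of the original thread and is not jBoss code: a JAAS LoginModule that records the principals it binds in commit() and removes exactly those in logout(), run twice against one shared Subject with and without the logout() call. The class names, the in-memory role store and the "user" option are hypothetical, and the module is driven directly rather than through a LoginContext to keep the example self-contained (Java 16+ for the record).

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

// Hypothetical names throughout; this is not jBoss's ServerLoginModule.
public class RoleLoginModuleDemo {
    // Constructed role store standing in for the administrator's database.
    static final Map<String, Set<String>> ROLES = new HashMap<>();

    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    static class RoleLoginModule implements LoginModule {
        private Subject subject;
        private String user;
        private final Set<Principal> added = new HashSet<>(); // what this module bound

        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            user = (String) opts.get("user"); // demo shortcut: no real authentication
        }
        public boolean login() { return ROLES.containsKey(user); }
        public boolean commit() {
            for (String r : ROLES.get(user)) added.add(new RolePrincipal(r));
            subject.getPrincipals().addAll(added);
            return true;
        }
        public boolean abort() { return logout(); }
        public boolean logout() {
            subject.getPrincipals().removeAll(added); // undo exactly what commit() added
            added.clear();
            return true;
        }
    }

    // One login/logout cycle; returns the principals visible while logged in.
    static Set<Principal> session(Subject s, boolean callLogout) {
        RoleLoginModule m = new RoleLoginModule();
        m.initialize(s, null, Map.of(), Map.of("user", "edward"));
        m.login();
        m.commit();
        Set<Principal> seen = new HashSet<>(s.getPrincipals());
        if (callLogout) m.logout();
        return seen;
    }

    public static void main(String[] args) {
        for (boolean callLogout : new boolean[] {false, true}) {
            Subject shared = new Subject(); // same Subject reused across both logins
            ROLES.put("edward", Set.of("SalesManager"));
            session(shared, callLogout);
            ROLES.put("edward", Set.of("FinancialAdvisor", "ComplianceOfficer"));
            System.out.println("logout called=" + callLogout + " -> " + session(shared, callLogout));
        }
    }
}
```

When logout() is skipped, the second session's principal set still contains SalesManager alongside the two new roles; when it is called, only the current roles remain.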