Login-logout-login scenario
---------------------------
Key: JSEC-22
URL: https://issues.apache.org/jira/browse/JSEC-22
Project: JSecurity
Issue Type: Improvement
Components: Authentication (log-in)
Reporter: Grzegorz Borkowski
Priority: Minor
Consider the following code (used in a JUnit test):
Subject currentUser = SecurityUtils.getSubject();
// login as a user with some permissions
currentUser.login(new UsernamePasswordToken("empl1", "pass1"));
// call some protected function
currentUser.logout();
// now use a user without the required permissions
currentUser.login(new UsernamePasswordToken("testUser", "blah"));
// call the protected method - should throw UnauthorizedException
This code looks OK, but it will not work. It will throw an NPE on the line with
the second login() call.
This is because the logout() method clears the securityManager field in the
currentUser object, and the next login() call invokes a method on this
securityManager, raising an NPE.
It would be better if we somehow allowed for such a scenario - the open question
is how? At the moment the currentUser object becomes completely useless after
the logout() method.
(Current workaround: after calling logout() and before the second call to
login() you have to replace the currentUser object:
currentUser = SecurityUtils.getSubject();)
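The same scenario written as a JUnit test with the workaround applied, added here as an illustration and not taken from the issue or the JSecurity project. It assumes a SecurityManager and realm are already configured for the test with the users "empl1" and "testUser", and that the permission string "employee:read" is what the protected function checks.

```java
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import org.jsecurity.SecurityUtils;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.authz.UnauthorizedException;
import org.jsecurity.subject.Subject;
import org.junit.Test;

public class LoginLogoutLoginTest {

    // Assumed permission name; the realm configured for this test (not shown)
    // grants it to empl1 but not to testUser.
    private static final String PROTECTED_PERMISSION = "employee:read";

    @Test
    public void secondLoginAfterLogoutNeedsFreshSubject() {
        Subject currentUser = SecurityUtils.getSubject();

        // login as a user with the required permission
        currentUser.login(new UsernamePasswordToken("empl1", "pass1"));
        assertTrue(currentUser.isAuthenticated());
        currentUser.checkPermission(PROTECTED_PERMISSION); // must not throw

        currentUser.logout();

        // Workaround for JSEC-22: logout() clears the securityManager field,
        // so calling login() on the old Subject throws an NPE. Re-acquire
        // the Subject before logging in again.
        currentUser = SecurityUtils.getSubject();

        // now log in as a user without the required permission
        currentUser.login(new UsernamePasswordToken("testUser", "blah"));
        assertTrue(currentUser.isAuthenticated());

        // the protected call must be rejected with UnauthorizedException,
        // not fail with an NPE
        try {
            currentUser.checkPermission(PROTECTED_PERMISSION);
            fail("testUser should not hold " + PROTECTED_PERMISSION);
        } catch (UnauthorizedException expected) {
            // authorization was enforced as intended
        }
    }
}
```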
--
This message is automatically generated by JIRA.