[
https://issues.apache.org/jira/browse/JSEC-57?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Les Hazlewood resolved JSEC-57.
-------------------------------
Resolution: Fixed
Assignee: Les Hazlewood
Finally able to finish this one. I wasn't able to use the patch as the request
attribute indicating the identity has been removed isn't specific to RememberMe
functionality - it is used elsewhere as well, so I needed to ensure that it
would function even if RememberMe wasn't enabled but the user still logged out
during a request.
> After logout() a getSubject() call still honors remember me
> -----------------------------------------------------------
>
> Key: JSEC-57
> URL: https://issues.apache.org/jira/browse/JSEC-57
> Project: JSecurity
> Issue Type: Bug
> Components: Subject
> Affects Versions: 0.9
> Reporter: Jeremy Haile
> Assignee: Les Hazlewood
> Fix For: 1.0
>
> Attachments: WebRememberMeManager.java.forgetIdentity.JSEC-57.patch
>
>
> This cropped up for me because Spring's FrameworkServlet calls
> request.getUserName() by default, which under the hood will call JSecurity's
> getSubject(). This causes a new subject to be created that honors the
> remember me cookie. Instead - this new subject should be created without a
> remember me cookie being honored.
> One way we could work around this problem is by setting a request attribute
> when you logout that tells the RememberMeManager that it shouldn't honor the
> remember me cookie for the remainder of this request.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
