[
https://issues.apache.org/jira/browse/KI-47?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alan Cabrera moved JSEC-22 to KI-47:
------------------------------------
Fix Version/s: (was: 1.0)
Component/s: (was: Authentication (log-in))
Affects Version/s: (was: 1.0)
Key: KI-47 (was: JSEC-22)
Project: Ki (was: JSecurity)
> Login-logout-login scenario
> ---------------------------
>
> Key: KI-47
> URL: https://issues.apache.org/jira/browse/KI-47
> Project: Ki
> Issue Type: Improvement
> Reporter: Grzegorz Borkowski
> Assignee: Les Hazlewood
> Priority: Minor
>
> Consider the following code (used in a JUnit test):
> Subject currentUser = SecurityUtils.getSubject();
> // login as a user with some permissions
> currentUser.login(new UsernamePasswordToken("empl1", "pass1"));
> // call some protected function
> currentUser.logout();
> // now use a user without the required permissions
> currentUser.login(new UsernamePasswordToken("testUser", "blah"));
> // call protected method - should throw UnauthorizedException
> This code looks ok, but it will not work. It will throw an NPE on the line with
> the second login() call.
> This is because the logout() method will clear the securityManager field in the
> currentUser object, and the next login() call will call the method on this
> securityManager, raising an NPE.
> It would be better if we somehow allowed for such a scenario - the open question is
> how? At this moment the currentUser object after the logout() method becomes
> completely useless.
> (Current workaround: after calling logout() and before the second call to login()
> you have to replace the currentUser object:
> currentUser = SecurityUtils.getSubject();)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
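The lifecycle problem described in the issue, as an added illustration that is not code from Ki or JSecurity: a small Python model of a Subject and its SecurityManager. BrokenSubject mirrors the reported behaviour (logout() clears the manager reference, so the next login() dereferences it and fails), Subject is a hardened variant that resets the identity on logout() but keeps the manager, and run_workaround() shows the reporter's workaround of obtaining a fresh Subject after logout(). All class and method names, the permission string and the account store are constructed for this example and are not the Ki API; the AttributeError plays the role of the NPE in the report.

```python
"""Model of the login-logout-login scenario from KI-47 (added example, not Ki code)."""


class UnauthorizedException(Exception):
    """Raised when a permission check fails."""


class AuthenticationException(Exception):
    """Raised when credentials are rejected."""


# Constructed sample account store: username -> (password, set of permissions).
ACCOUNTS = {
    "empl1": ("pass1", {"report:read"}),
    "testUser": ("blah", set()),
}


class SecurityManager:
    """Authenticates against the account store and answers permission checks."""

    def __init__(self, accounts):
        self._accounts = accounts

    def authenticate(self, username, password):
        record = self._accounts.get(username)
        if record is None or record[0] != password:
            raise AuthenticationException(f"bad credentials for {username!r}")
        return username

    def is_permitted(self, principal, permission):
        # An anonymous subject (no principal) is never permitted.
        if principal is None:
            return False
        return permission in self._accounts[principal][1]


class BrokenSubject:
    """Mirrors the reported behaviour: logout() clears the manager field."""

    def __init__(self, security_manager):
        self._sm = security_manager
        self._principal = None

    def login(self, username, password):
        # After logout() self._sm is None, so this raises AttributeError,
        # the analogue of the NPE described in the report.
        self._principal = self._sm.authenticate(username, password)

    def check_permission(self, permission):
        if not self._sm.is_permitted(self._principal, permission):
            raise UnauthorizedException(permission)

    def logout(self):
        self._principal = None
        self._sm = None  # the object is unusable from here on


class Subject:
    """Hardened variant: logout() resets identity but keeps the manager reference."""

    def __init__(self, security_manager):
        self._sm = security_manager
        self._principal = None

    def login(self, username, password):
        self._principal = None  # never carry a previous identity into a new login
        self._principal = self._sm.authenticate(username, password)

    def check_permission(self, permission):
        if not self._sm.is_permitted(self._principal, permission):
            raise UnauthorizedException(permission)

    def logout(self):
        self._principal = None  # anonymous again, but still usable


def run_scenario(subject_cls):
    """Run login(empl1) -> check -> logout -> login(testUser) -> check on one Subject object.

    Returns the step outcomes so the two variants can be compared.
    """
    subject = subject_cls(SecurityManager(ACCOUNTS))
    outcomes = []
    subject.login("empl1", "pass1")
    subject.check_permission("report:read")  # raises if empl1 were not permitted
    outcomes.append("empl1: report:read permitted")
    subject.logout()
    try:
        subject.login("testUser", "blah")
    except AttributeError:
        outcomes.append("second login: failed, manager was cleared by logout()")
        return outcomes
    try:
        subject.check_permission("report:read")
        outcomes.append("testUser: report:read permitted")  # would be a privilege leak
    except UnauthorizedException:
        outcomes.append("testUser: report:read denied")
    return outcomes


def run_workaround():
    """The reporter's workaround: obtain a fresh Subject after logout()."""
    sm = SecurityManager(ACCOUNTS)
    subject = BrokenSubject(sm)
    subject.login("empl1", "pass1")
    subject.logout()
    subject = BrokenSubject(sm)  # stands in for SecurityUtils.getSubject()
    subject.login("testUser", "blah")
    try:
        subject.check_permission("report:read")
        return "permitted"
    except UnauthorizedException:
        return "denied"


if __name__ == "__main__":
    print(run_scenario(BrokenSubject))
    print(run_scenario(Subject))
    print(run_workaround())
```

The check worth keeping from this model is the last step in each run: after the second login the lower-privileged user must be denied the permission the first user had, whether the Subject object was reused or replaced.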