[ https://issues.apache.org/jira/browse/OAK-8710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16967605#comment-16967605 ]
Angela Schreiber commented on OAK-8710:
---------------------------------------

[~baedke], the complete quote from https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#logout says:

{quote}
the logout method is called to log out a Subject. This method removes Principals, and removes/destroys credentials associated with the Subject during the commit operation. This method should not touch those Principals or credentials previously existing in the Subject, or those added by other LoginModules. If the Subject has been marked read-only (the Subject's isReadOnly method returns true), then this method should only destroy credentials associated with the Subject during the commit operation (removing the credentials is not possible). If the Subject has been marked as read-only and the credentials associated with the Subject during the commit operation are not destroyable (they do not implement the Destroyable interface), then this method may throw a LoginException. The logout method should return true if logout succeeds, or otherwise throw a LoginException.
{quote}

my understanding of that is:
- if the login failed, commit must not update the subject and thus the logout step must not succeed
- if the login succeeds and commit updates the subject, logout should remove just those credentials/principals from the subject that have been added upon commit and return true if that succeeds.
- in case the login/commit steps are missing the logout cannot succeed
- also we need to have a test that verifies that only those principals/credentials of that particular loginmodule are removed and foreign principals/credentials are left untouched.

> AbstractLoginModule#logout() may fail in the presence of unknown principals
> ---------------------------------------------------------------------------
>
>                 Key: OAK-8710
>                 URL: https://issues.apache.org/jira/browse/OAK-8710
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Priority: Major
>
> See
> https://github.com/apache/jackrabbit-oak/blob/9569d659f0655d3ba16c1cfe1fbb5f53959f701f/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java#L189:
> The criterion for logout() to succeed is
> {code}!subject.getPrincipals().isEmpty() &&
> !subject.getPublicCredentials(Credentials.class).isEmpty(){code}
> This did not work in a case where the subject was created by a thread
> handling an authenticated JMX connection (and later passed on to other
> threads due to AccessControlContext inheritance).
> I'd propose to make logout() succeed unconditionally, but I'm not entirely
> sure about side effects.