[ https://issues.apache.org/jira/browse/OAK-8710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16967605#comment-16967605 ]

Angela Schreiber commented on OAK-8710:
---------------------------------------

[~baedke], the complete quote from https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#logout says:

{quote}
the logout method is called to log out a Subject.

This method removes Principals, and removes/destroys credentials associated 
with the Subject during the commit operation. This method should not touch 
those Principals or credentials previously existing in the Subject, or those 
added by other LoginModules.

If the Subject has been marked read-only (the Subject's isReadOnly method 
returns true), then this method should only destroy credentials associated with 
the Subject during the commit operation (removing the credentials is not 
possible). If the Subject has been marked as read-only and the credentials 
associated with the Subject during the commit operation are not destroyable 
(they do not implement the Destroyable interface), then this method may throw a 
LoginException.

The logout method should return true if logout succeeds, or otherwise throw a 
LoginException.
{quote}

my understanding of that is:
- if the login failed, commit must not update the subject and thus the logout 
step must not succeed
- if the login succeeds and commit updates the subject, logout should remove 
just those credentials/principals from the subject that have been added upon 
commit and return true if that succeeds.
- in case the login/commit steps are missing the logout cannot succeed
- also we need to have a test that verifies that only those 
principals/credentials of that particular loginmodule are removed and foreign 
principals/credentials are left untouched.

> AbstractLoginModule#logout() may fail in the presence of unknown principals
> ---------------------------------------------------------------------------
>
>                 Key: OAK-8710
>                 URL: https://issues.apache.org/jira/browse/OAK-8710
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Priority: Major
>
> See 
> https://github.com/apache/jackrabbit-oak/blob/9569d659f0655d3ba16c1cfe1fbb5f53959f701f/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java#L189:
> The criterion for logout() to succeed is
> {code}!subject.getPrincipals().isEmpty() && 
> !subject.getPublicCredentials(Credentials.class).isEmpty(){code}
> This did not work in a case where the subject was created by a thread 
> handling an authenticated JMX connection (and later passed on to other 
> threads due to AccessControlContext inheritance).
> I'd propose to make logout() succeed unconditionally, but I'm not entirely 
> sure about side effects.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
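
The logout contract as read in the comment above, as an added example (not code from Oak or from the commenter): a hypothetical `TrackingLoginModule` records what it added in `commit()` and removes only that in `logout()`, leaving a foreign principal in place. The class name, principal names and credential value are constructed for illustration.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.*;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Hypothetical module for illustration; not Oak's AbstractLoginModule.
public class TrackingLoginModule implements LoginModule {
    private Subject subject;
    private boolean loginOk;
    private final Set<Principal> ownPrincipals = new HashSet<>();
    private final Set<Object> ownCredentials = new HashSet<>();
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
    public boolean login() { loginOk = true; return true; }   // constructed: always authenticates
    public boolean abort() { loginOk = false; return true; }
    public boolean commit() {
        if (!loginOk) return false;                 // failed login: subject stays untouched
        Principal p = () -> "example-user";         // constructed principal
        Object c = new char[] {'t', 'o', 'k'};      // constructed, non-Destroyable credential
        if (subject.getPrincipals().add(p)) ownPrincipals.add(p);
        if (subject.getPublicCredentials().add(c)) ownCredentials.add(c);
        return true;
    }
    public boolean logout() throws LoginException {
        if (ownPrincipals.isEmpty() && ownCredentials.isEmpty()) throw new LoginException("nothing was committed by this module");
        for (Object c : ownCredentials) {
            if (c instanceof Destroyable) {
                try { ((Destroyable) c).destroy(); } catch (DestroyFailedException e) { throw new LoginException(e.getMessage()); }
            } else if (subject.isReadOnly()) {
                throw new LoginException("read-only subject holds a non-destroyable credential");
            }
        }
        if (!subject.isReadOnly()) {                // remove only what this module added
            subject.getPrincipals().removeAll(ownPrincipals);
            subject.getPublicCredentials().removeAll(ownCredentials);
        }
        ownPrincipals.clear(); ownCredentials.clear(); loginOk = false;
        return true;
    }
    public static void main(String[] args) throws LoginException {
        Subject s = new Subject();
        Principal foreign = () -> "jmx-user";       // constructed: added by some other party
        s.getPrincipals().add(foreign);
        TrackingLoginModule m = new TrackingLoginModule();
        m.initialize(s, null, Collections.emptyMap(), Collections.emptyMap());
        m.login(); m.commit(); m.logout();
        if (s.getPrincipals().size() != 1 || !s.getPrincipals().contains(foreign)) throw new AssertionError("foreign principal lost");
    }
}
```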
