[ 
https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16978534#comment-16978534
 ] 

Manfred Baedke edited comment on OAK-8763 at 11/20/19 3:50 PM:
---------------------------------------------------------------

[~angela],

bq. if the logout is the problem, we should fix the logout, not start modifying 
other pieces of the code base

The logout fails because the login messes up the subject. Take a look at 
https://github.com/apache/jackrabbit-oak/blob/80ad2ca1ec09b400d16b38476e107657e063117b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java#L77.

The subject returned by #getSubject() was in the given case exactly the subject 
from the screenshot. It's read-only, so it will be used to create the 
JaasLoginContext. Later logout() doesn't know how to handle it.

bq. if logout is the culprit

No, it's not.

If we can fix that without touching the login process, fine, but I don't see 
that. I'd really like to hear your thoughts.

was (Author: baedke):
[~angela],

bq. if the logout is the problem, we should fix the logout, not start modifying 
other pieces of the code base

The logout fails because the login messes up the subject. Take a look at 
https://github.com/apache/jackrabbit-oak/blob/80ad2ca1ec09b400d16b38476e107657e063117b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java#L77.

The subject returned by #getSubject() was in the given case exactly the subject 
from the screenshot. It's read-only, so it will be used to create the 
JaasLoginContext. Later logout() doesn't know how to handle it.

If we can fix that without touching the login process, fine, but I don't see 
that. I'd really like to hear your thoughts.

> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
>                 Key: OAK-8763
>                 URL: https://issues.apache.org/jira/browse/OAK-8763
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Major
>         Attachments: OAK-8763.patch
>
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent 
> subject from the AccessControlContext and then uses it for either a 
> PreAuthContext or a JaasLoginContext. This is wrong, because there is no 
> reason to assume that such a subject has anything to do with Oak. It 
> particularly hurts when it's readonly, because JAAS will then silently fail 
> to add principals and credentials.
> We would need a way to identify pre-authenticated subjects and subjects that 
> are not pre-authenticated should not be used to create a JaasLoginContext.
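The following is an added, self-contained Java example (not Oak's own code and not the attached OAK-8763.patch) that reproduces the mechanism the issue description and the comment above are about: a read-only `javax.security.auth.Subject` placed on the thread by some other caller is picked up via `Subject.getSubject(AccessController.getContext())`, and a JAAS-style commit cannot add principals to it because the JDK's principal set rejects modification of a read-only Subject. The `NamedPrincipal` class, the `subjectForJaasLogin()` fallback that creates a fresh Subject when the ambient one is read-only, and the principal names are all constructed for this illustration; the fallback is one defensive option, not the fix Oak chose.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Illustrative example; nothing here is Oak's implementation.
public class ReadOnlySubjectDemo {

    // Constructed minimal Principal so the example runs without any framework.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    // Same lookup the issue describes: take whatever Subject is bound to the
    // current AccessControlContext, regardless of who put it there.
    static Subject subjectFromContext() {
        return Subject.getSubject(AccessController.getContext());
    }

    // Hypothetical defensive variant: only reuse the ambient Subject if it can
    // still be modified; otherwise start from a fresh one so a later commit()
    // has somewhere to put principals and credentials.
    static Subject subjectForJaasLogin() {
        Subject ambient = subjectFromContext();
        if (ambient == null || ambient.isReadOnly()) {
            return new Subject();
        }
        return ambient;
    }

    // What a LoginModule's commit() effectively does. On a read-only Subject the
    // JDK's SecureSet throws IllegalStateException("Subject is read-only").
    static boolean tryAddPrincipal(Subject subject, Principal p) {
        try {
            return subject.getPrincipals().add(p);
        } catch (IllegalStateException e) {
            System.out.println("cannot add " + p + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // A Subject created by some unrelated code path and sealed before the
        // repository login runs inside its scope.
        Subject foreign = new Subject();
        foreign.getPrincipals().add(new NamedPrincipal("some-other-framework-user"));
        foreign.setReadOnly();

        Subject.doAs(foreign, (PrivilegedAction<Void>) () -> {
            Subject ambient = subjectFromContext();
            System.out.println("ambient subject read-only: " + ambient.isReadOnly());

            // Behaviour the issue reports: reuse the ambient Subject, commit cannot add.
            boolean naive = tryAddPrincipal(ambient, new NamedPrincipal("oak-user"));
            System.out.println("naive add succeeded: " + naive);

            // Defensive path: a writable Subject is used instead.
            Subject chosen = subjectForJaasLogin();
            System.out.println("defensive path used fresh subject: " + (chosen != ambient));
            boolean defensive = tryAddPrincipal(chosen, new NamedPrincipal("oak-user"));
            System.out.println("defensive add succeeded: " + defensive);
            return null;
        });
    }
}
```

Run it with `javac ReadOnlySubjectDemo.java && java ReadOnlySubjectDemo`. The naive path prints the read-only rejection and `false`; the defensive path prints `true`. Whether such a rejection surfaces or is swallowed in a real login depends on the LoginModule and LoginContext involved, which is why the description characterises the failure as silent; checking `isReadOnly()` before reusing an ambient Subject (or, as the description suggests, only reusing Subjects known to be pre-authenticated) is what prevents the later logout from being handed a Subject it cannot clean up.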



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
