Angela Schreiber created OAK-8803:
-------------------------------------

             Summary: AbstractLoginModule and subclasses: successful commit must not clear state information required for successful logout
                 Key: OAK-8803
                 URL: https://issues.apache.org/jira/browse/OAK-8803
             Project: Jackrabbit Oak
          Issue Type: Bug
          Components: auth-external, core, security, security-spi
            Reporter: Angela Schreiber
            Assignee: Angela Schreiber


while working on OAK-8710 I noticed that the main reason for the initial patch 
not working was the fact that subclasses of {{AbstractLoginModule}} call 
{{clearState}} upon successful {{commit}}. this essentially clears all state 
information that is needed for a successful logout later on.... on the other 
hand it is crucial that subclasses of {{AbstractLoginModule}} close the 
system-session that was used for looking up principals during the commit phase. 

proposed fix: add protected {{closeSystemSession}} method that can be used 
instead of {{clearState}} upon successful {{commit}}, leaving the 
{{clearState}} only for those cases where {{commit}} fails or {{abort}} is 
called, which require the complete state to be wiped out.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
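
The commit/logout split proposed in the issue, as an added stand-alone sketch against the plain JAAS `LoginModule` interface. It is not Oak's `AbstractLoginModule` or the actual patch. The class `SketchLoginModule`, the `AutoCloseable` standing in for the system session, and the sample principal are assumptions. Only the method names `clearState` and `closeSystemSession` come from the issue text.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

// Hypothetical sketch, not Oak code: shows why commit() must keep logout state.
public class SketchLoginModule implements LoginModule {
    private Subject subject;
    private AutoCloseable systemSession;              // stand-in for the system session
    private final Set<Principal> principals = new HashSet<>();

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
    }
    public boolean login() {
        systemSession = () -> System.out.println("system session closed");
        principals.add(() -> "alice");                // constructed sample principal
        return true;
    }
    public boolean commit() {
        subject.getPrincipals().addAll(principals);
        closeSystemSession();  // release the session, but keep 'principals' for logout
        return true;
    }
    public boolean abort() {
        clearState();          // failed or aborted login: wipe everything
        return true;
    }
    public boolean logout() {
        // Relies on the principals recorded at commit; had commit() called
        // clearState(), this set would be empty and nothing would be removed.
        boolean removed = subject.getPrincipals().removeAll(principals);
        clearState();
        return removed;
    }
    protected void closeSystemSession() {
        if (systemSession == null) return;
        try { systemSession.close(); } catch (Exception ignored) { }
        systemSession = null;
    }
    protected void clearState() {
        closeSystemSession();
        principals.clear();
    }
    public static void main(String[] args) {
        Subject s = new Subject();
        SketchLoginModule m = new SketchLoginModule();
        m.initialize(s, null, new HashMap<String, Object>(), new HashMap<String, Object>());
        m.login();
        m.commit();
        System.out.println("principals after commit: " + s.getPrincipals().size());
        System.out.println("logout removed principals: " + m.logout());
        System.out.println("principals after logout: " + s.getPrincipals().size());
    }
}
```

Replacing `closeSystemSession()` with `clearState()` inside `commit()` reproduces the behaviour described in the issue: the principal stays on the `Subject` after `logout()`.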