[ https://issues.apache.org/jira/browse/OAK-8710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16984509#comment-16984509 ]

Angela Schreiber commented on OAK-8710:
---------------------------------------

[~baedke], I committed a new patch to fix this at revision 1870559. 
Characteristics as follows:

h3. {{AbstractLoginModule.logout()}}
- I didn't feel comfortable heavily modifying the existing {{logout}} function, 
as I know for sure there are subclasses outside the scope of Oak
- what I did change in the logout: the collection of credentials to be removed is 
limited to {{Credentials}} and {{AuthInfo}} (instead of removing all)
- in case of a read-only subject, an attempt is made to destroy that very 
collection of credentials (missing up to now)

h3. {{AbstractLoginModule.logout(Set,Set)}}
- I added a 'utility' method to logout that takes the set of credential objects 
and principals computed upon login/commit
- if either set is non-null the logout will succeed; if both are null it will 
return false
- again, an attempt is made to destroy credentials in case of a read-only subject

h3. {{LoginModuleImpl}} / {{TokenLoginModule}} / {{ExternalLoginModule}} and 
other subclasses of {{AbstractLoginModule}}
- I fixed all subclasses of {{AbstractLoginModule}} in Oak to use the new 
logout utility, i.e. overwriting the default logout method

h3. GuestLoginModule
- I fixed {{GuestLoginModule.logout}}, which also wasn't compliant.

h3. Tests
- I expanded the existing tests to also incorporate {{logout}}
- I incorporated {{testLoginLogoutPreexistingSubject}} from the tests you added 
with OAK-8763; this test passes with the fixes to logout
- I didn't incorporate the second test, because this one is IMO not valid, as it 
illustrates classic pre-auth login, which should not fail.

I would kindly ask you to verify whether the issue you experienced with AEM still 
persists.

> AbstractLoginModule#logout() must not remove 'foreign' principals/credentials 
> ------------------------------------------------------------------------------
>
>                 Key: OAK-8710
>                 URL: https://issues.apache.org/jira/browse/OAK-8710
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external, core, security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Major
>         Attachments: OAK-8710.patch, logout.png
>
>
> See 
> https://github.com/apache/jackrabbit-oak/blob/9569d659f0655d3ba16c1cfe1fbb5f53959f701f/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java#L189:
> The criterion for logout() to succeed is
> {code}!subject.getPrincipals().isEmpty() && !subject.getPublicCredentials(Credentials.class).isEmpty(){code}
> This did not work in a case where the subject was created by a thread 
> handling an authenticated JMX connection (and later passed on to other 
> threads due to AccessControlContext inheritance).
> I'd propose to make logout() succeed unconditionally, but I'm not entirely 
> sure about side effects.
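The following is an added, self-contained illustration of the logout contract described in the comment above (remember what commit() added, remove only those entries, succeed if either remembered set is non-null, and on a read-only subject fall back to destroying the credentials). It is not Oak's code: {{DemoCredentials}}, {{DemoPrincipal}} and {{DemoLoginModule}} are constructed stand-ins for Oak's {{Credentials}}/{{AuthInfo}} and for {{AbstractLoginModule}}, and it uses only the JDK's {{javax.security.auth}} API so that it compiles without Oak or JCR on the classpath.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Destroyable;
import javax.security.auth.Subject;

// Constructed credential type standing in for Oak's Credentials/AuthInfo.
// Destroyable so that a read-only Subject can still have its secret wiped.
final class DemoCredentials implements Destroyable {
    private char[] secret;
    DemoCredentials(String secret) { this.secret = secret.toCharArray(); }
    @Override public void destroy() {
        if (secret != null) { Arrays.fill(secret, '\0'); secret = null; }
    }
    @Override public boolean isDestroyed() { return secret == null; }
}

// Constructed principal type; equals/hashCode matter because Subject keeps principals in a Set.
final class DemoPrincipal implements Principal {
    private final String name;
    DemoPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof DemoPrincipal && ((DemoPrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return name; }
}

// Hypothetical login module that records exactly what its own commit() added to the Subject.
final class DemoLoginModule {
    private final Subject subject;
    private Set<Principal> ownPrincipals; // null until commit() has run
    private Set<Object> ownCredentials;   // null until commit() has run

    DemoLoginModule(Subject subject) { this.subject = subject; }

    void commit(Principal principal, DemoCredentials credentials) {
        ownPrincipals = new HashSet<>();
        ownCredentials = new HashSet<>();
        if (!subject.isReadOnly()) {
            subject.getPrincipals().add(principal);
            ownPrincipals.add(principal);
            subject.getPublicCredentials().add(credentials);
            ownCredentials.add(credentials);
        }
    }

    // Fails only if both recorded sets are null. Otherwise removes just this module's
    // own entries; on a read-only Subject nothing can be removed, so the module's own
    // credentials are destroyed instead. Entries added by anyone else are never touched.
    boolean logout() {
        if (ownPrincipals == null && ownCredentials == null) {
            return false;
        }
        if (subject.isReadOnly()) {
            if (ownCredentials != null) {
                for (Object c : ownCredentials) {
                    if (c instanceof Destroyable) {
                        try { ((Destroyable) c).destroy(); } catch (DestroyFailedException ignored) { }
                    }
                }
            }
        } else {
            if (ownPrincipals != null) subject.getPrincipals().removeAll(ownPrincipals);
            if (ownCredentials != null) subject.getPublicCredentials().removeAll(ownCredentials);
        }
        ownPrincipals = null;
        ownCredentials = null;
        return true;
    }
}

public class LogoutDemo {
    public static void main(String[] args) {
        // Subject pre-populated by another party (e.g. the thread that authenticated a
        // JMX connection); these "foreign" entries must survive this module's logout.
        Subject subject = new Subject();
        DemoCredentials foreignCreds = new DemoCredentials("jmx-token");
        subject.getPrincipals().add(new DemoPrincipal("jmx-operator"));
        subject.getPublicCredentials().add(foreignCreds);

        DemoLoginModule module = new DemoLoginModule(subject);
        module.commit(new DemoPrincipal("oak-user"), new DemoCredentials("oak-pw"));
        System.out.println("after commit:  " + subject.getPrincipals());      // [jmx-operator, oak-user] in some order
        System.out.println("logout ok=" + module.logout() + ", left: " + subject.getPrincipals()); // only jmx-operator
        System.out.println("foreign credentials intact: " + !foreignCreds.isDestroyed());
        System.out.println("second logout ok=" + module.logout());            // false: nothing recorded any more

        // Read-only Subject: the module committed earlier, the Subject was then frozen,
        // so logout still succeeds but can only destroy its own credentials.
        Subject frozen = new Subject();
        DemoLoginModule module2 = new DemoLoginModule(frozen);
        DemoCredentials ownCreds = new DemoCredentials("oak-pw");
        module2.commit(new DemoPrincipal("oak-user"), ownCreds);
        frozen.setReadOnly();
        System.out.println("read-only logout ok=" + module2.logout() + ", own credentials destroyed: " + ownCreds.isDestroyed());
    }
}
```

Compile and run with `javac LogoutDemo.java && java LogoutDemo`. The point to check against the original criterion quoted above is that the decision to succeed no longer depends on whether the Subject as a whole has principals or credentials, only on whether this module has something of its own to undo, which is what keeps a Subject inherited from another thread's authentication intact.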



--
This message was sent by Atlassian Jira
(v8.3.4#803005)