[
https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16987938#comment-16987938
]
Angela Schreiber commented on OAK-8763:
---------------------------------------
[~baedke], this issue as you reported it is only about the failing logout, so
please let me know if that part is fixed in the environment you have been
testing. If not, please provide a test case that illustrates the issue... it
could e.g. be due to login modules that are not provided by Oak and potentially
needed their logout fixed (which then was likely outside of the scope of Oak).
As far as the question regarding authorization is concerned: that's a different
issue unrelated to the logout we discuss here and I would love not to make this
issue about different topics. Short answer: if an application passes a
read-only subject, the session will get the permissions defined for the
specified principals.
> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
> Key: OAK-8763
> URL: https://issues.apache.org/jira/browse/OAK-8763
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: security-spi
> Reporter: Manfred Baedke
> Assignee: Angela Schreiber
> Priority: Minor
> Attachments: OAK-8763-tests.patch, OAK-8763.patch
>
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent
> subject from the AccessControlContext and then uses it for either a
> PreAuthContext or a JaasLoginContext. This is wrong, because there is no
> reason to assume that such a subject has anything to do with Oak. It
> particularly hurts when it's readonly, because JAAS will then silently fail
> to add principals and credentials.
> We would need a way to identify pre-authenticated subjects and subjects that
> are not pre-authenticated should not be used to create a JaasLoginContext.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)