[
https://issues.apache.org/jira/browse/OAK-8803?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Julian Reschke closed OAK-8803.
-------------------------------
> AbstractLoginModule and subclasses: successful commit must not clear state
> information required for successful logout
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: OAK-8803
> URL: https://issues.apache.org/jira/browse/OAK-8803
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-external, core, security, security-spi
> Reporter: Angela Schreiber
> Assignee: Angela Schreiber
> Priority: Minor
> Fix For: 1.22.0
>
>
> While working on OAK-8710 I noticed that the main reason for the initial patch
> not working was the fact that subclasses of {{AbstractLoginModule}} call
> {{clearState}} upon successful {{commit}}. This essentially clears all state
> information that is needed for a successful logout later on. On the other
> hand it is crucial that subclasses of {{AbstractLoginModule}} close the
> system-session that was used for looking up principals during the commit
> phase.
> Proposed fix: add protected {{closeSystemSession}} method that can be used
> instead of {{clearState}} upon successful {{commit}}, leaving the
> {{clearState}} only for those cases where {{commit}} fails or {{abort}} is
> called, which require the complete state to be wiped out.
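The commit/logout split described in the issue, as an added example on a simplified JAAS `LoginModule`; it is not code from Jackrabbit Oak or from the OAK-8803 patch. Only the method names `clearState` and `closeSystemSession` come from the issue text; the class name, the fields, the `Closeable` stand-in for the system session and the constructed principal are assumptions.

```java
import java.io.*;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

// Simplified stand-in for illustration; not Oak's AbstractLoginModule.
public class StateRetainingLoginModule implements LoginModule {
    private Subject subject;
    private Closeable systemSession;   // hypothetical stand-in for the system session
    private final Set<Principal> principals = new HashSet<>();

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
    public boolean login() {
        systemSession = () -> { };          // constructed: pretend a system session was opened
        principals.add(() -> "alice");      // constructed principal found via that session
        return true;
    }
    public boolean commit() {
        if (principals.isEmpty()) {         // this module did not authenticate: wipe everything
            clearState();
            return false;
        }
        subject.getPrincipals().addAll(principals);
        closeSystemSession();               // release the session, keep state needed by logout()
        return true;
    }
    public boolean abort() { clearState(); return true; }
    public boolean logout() {
        boolean removed = subject.getPrincipals().removeAll(principals);
        clearState();                       // only now is the complete state wiped
        return removed;                     // false if commit() had already cleared the principals
    }
    protected void closeSystemSession() {
        if (systemSession == null) return;
        try { systemSession.close(); } catch (IOException e) { /* log and continue */ }
        systemSession = null;
    }
    protected void clearState() {
        closeSystemSession();
        principals.clear();
    }
    public static void main(String[] args) {
        StateRetainingLoginModule m = new StateRetainingLoginModule();
        m.initialize(new Subject(), null, Map.of(), Map.of());
        System.out.println(m.login() && m.commit() && m.logout());
    }
}
```

Replacing `closeSystemSession()` with `clearState()` in `commit()` reproduces the reported behaviour in this sketch: `logout()` finds no retained principals and leaves them on the `Subject`.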