Lars Krapf created SLING-5675:
---------------------------------
Summary: Logout only called if AuthenticationHandler is registered to "/"
Key: SLING-5675
URL: https://issues.apache.org/jira/browse/SLING-5675
Project: Sling
Issue Type: Bug
Components: Authentication
Affects Versions: Auth Core 1.3.14
Reporter: Lars Krapf
In {{SlingAuthenticator.logout()}} only the AuthenticationHandlers which are
registered on paths which are roots of
{{SlingAuthenticator.getHandlerSelectionPath()}} are selected.
This path should either be taken from the servlet path, or will be read from
the {{Authenticator.LOGIN_RESOURCE}} request attribute _if it is present_.
Now, in {{LogoutServlet.service()}} the LOGIN_RESOURCE is _always_ set to its
default value ("/") by calling {{AuthUtil.setLoginResourceAttribute()}}.
As a result, {{dropCredentials()}} will only be called on authentication
handlers which are registered to "/".
My expectation is that the selection of logout handlers should be independent
of their registration paths, in order to allow a POST to
{{/system/sling/logout}} to have *all* registered handlers drop credentials.
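
A simplified model of the selection behaviour described in this report, added here as an example and not taken from Sling's code. The handler names, the registration paths and the prefix-matching rule in `isRootOf` are assumptions for illustration; the model shows which handlers a logout that always selects with "/" never reaches.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Simplified model of path-based handler selection; not Sling's SlingAuthenticator code.
public class LogoutSelectionModel {

    // Assumed rule: registrationPath is "/" or an ancestor of (or equal to) selectionPath.
    static boolean isRootOf(String registrationPath, String selectionPath) {
        if (registrationPath.equals("/") || registrationPath.equals(selectionPath)) {
            return true;
        }
        return selectionPath.startsWith(registrationPath + "/");
    }

    // Handlers whose registration path is a root of the selection path.
    static List<String> select(Map<String, String> handlers, String selectionPath) {
        List<String> selected = new ArrayList<>();
        for (Map.Entry<String, String> e : handlers.entrySet()) {
            if (isRootOf(e.getValue(), selectionPath)) {
                selected.add(e.getKey());
            }
        }
        return selected;
    }

    public static void main(String[] args) {
        // Constructed sample registrations: hypothetical handler name -> registration path.
        Map<String, String> handlers = new LinkedHashMap<>();
        handlers.put("formHandler", "/");
        handlers.put("tokenHandler", "/content/app");
        handlers.put("ssoHandler", "/content/secure");

        // Reported behaviour: the logout request always selects with "/".
        System.out.println("selection path \"/\": " + select(handlers, "/"));

        // Expectation in the report: every registered handler drops credentials.
        System.out.println("all handlers: " + new ArrayList<>(handlers.keySet()));

        // Handlers never reached by a logout that selects with "/".
        List<String> skipped = new ArrayList<>(handlers.keySet());
        skipped.removeAll(select(handlers, "/"));
        System.out.println("credentials left in place by: " + skipped);
    }
}
```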