Lars Krapf created SLING-5675:
---------------------------------

             Summary: Logout only called if AuthenticationHandler is registered to "/"
                 Key: SLING-5675
                 URL: https://issues.apache.org/jira/browse/SLING-5675
             Project: Sling
          Issue Type: Bug
          Components: Authentication
    Affects Versions: Auth Core 1.3.14
            Reporter: Lars Krapf

In {{SlingAuthenticator.logout()}} only the AuthenticationHandlers which are registered on paths which are roots of {{SlingAuthenticator.getHandlerSelectionPath()}} are selected. This path should either be taken from the servlet path, or will be read from the {{Authenticator.LOGIN_RESOURCE}} request attribute _if it is present_.

Now, in {{LogoutServlet.service()}} the LOGIN_RESOURCE is _always_ set to its default value ("/") by calling {{AuthUtil.setLoginResourceAttribute()}}. As a result, {{dropCredentials()}} will only be called on authentication handlers which are registered to "/".

My expectation is that the selection of logout handlers should be independent of their registration paths, in order to allow a POST to {{/system/sling/logout}} to have *all* registered handlers drop credentials.
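
The selection rule described in the report, as an added Java model that is not part of the original message and is not Sling's own code. The class LogoutSelectionModel, the handler names and the registration paths are constructed for illustration, and isRootOf is an assumed reading of "registered on paths which are roots of" the selection path.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Simplified model of the selection rule in the report; not Sling's code.
public class LogoutSelectionModel {

    // True when the registration path is a root (path prefix) of the selection path.
    static boolean isRootOf(String registered, String selection) {
        if (registered.equals("/") || registered.equals(selection)) {
            return true;
        }
        return selection.startsWith(registered.endsWith("/") ? registered : registered + "/");
    }

    // Handlers that would have dropCredentials() called for a given selection path.
    static List<String> selected(Map<String, String> handlers, String selectionPath) {
        List<String> hit = new ArrayList<>();
        for (Map.Entry<String, String> e : handlers.entrySet()) {
            if (isRootOf(e.getValue(), selectionPath)) {
                hit.add(e.getKey());
            }
        }
        return hit;
    }

    public static void main(String[] args) {
        // Constructed registrations: handler name -> registration path.
        Map<String, String> handlers = new LinkedHashMap<>();
        handlers.put("formHandler", "/");
        handlers.put("tokenHandler", "/content/secure");
        handlers.put("ssoHandler", "/apps/intranet");

        // Reported behaviour: the logout servlet forces the login resource to "/".
        List<String> reported = selected(handlers, "/");
        System.out.println("selection path \"/\": " + reported);

        // Expectation in the report: every registered handler drops credentials.
        List<String> expected = new ArrayList<>(handlers.keySet());
        System.out.println("expected on logout: " + expected);

        // Handlers whose credentials survive a POST to the logout servlet.
        List<String> skipped = new ArrayList<>(expected);
        skipped.removeAll(reported);
        System.out.println("never asked to drop credentials: " + skipped);
    }
}
```

A regression test for a fix can use the same shape: register handlers on several paths, issue the logout request, and assert that each one was asked to drop credentials.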