new a88f7fee00 Remove the roles on logout from the subject
commit a88f7fee00ef834e22b0fd78f5192fd3bb68605a
Author: remm <[email protected]>
AuthorDate: Fri May 22 15:57:08 2026 +0200
Remove the roles on logout from the subject
The main principal is already removed on logout, so removing the role principals as well keeps the behaviour consistent.
---
.../apache/catalina/realm/JAASMemoryLoginModule.java | 19 +++++++++++++++++--
test/org/apache/catalina/realm/TestJAASRealm.java | 1 +
webapps/docs/changelog.xml | 4 ++++
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/realm/JAASMemoryLoginModule.java
b/java/org/apache/catalina/realm/JAASMemoryLoginModule.java
index f4d7e12d92..6cde8608e0 100644
--- a/java/org/apache/catalina/realm/JAASMemoryLoginModule.java
+++ b/java/org/apache/catalina/realm/JAASMemoryLoginModule.java
@@ -19,6 +19,7 @@ package org.apache.catalina.realm;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
+import java.util.HashSet;
import java.util.Map;
import java.util.Map.Entry;
@@ -104,6 +105,12 @@ public class JAASMemoryLoginModule extends MemoryRealm
implements LoginModule {
protected Principal principal = null;
+ /**
+ * The <code>Principal</code> for the roles.
+ */
+ protected HashSet<Principal> roles = null;
+
+
/**
* The state information that is shared with other configured
<code>LoginModule</code> instances.
*/
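Review bot: The Javadoc on the new `roles` field (`The <code>Principal</code> for the roles.`) does not say what the field holds or when it is populated, which matters because `logout()` dereferences it. Suggest `/** The role <code>Principal</code>s added to the subject by <code>commit()</code>, retained so that <code>logout()</code> can remove the same instances; <code>null</code> until <code>commit()</code> has run. */`. As a point of style, a protected field is better declared against the interface, `protected Set<Principal> roles = null;` (with the matching `java.util.Set` import if the file lacks it), so subclasses do not depend on the concrete collection. The class body continues outside this hunk.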
@@ -166,11 +173,13 @@ public class JAASMemoryLoginModule extends MemoryRealm
implements LoginModule {
// Add the roles as additional subjects as per the contract with
the
// JAASRealm
if (principal instanceof GenericPrincipal) {
+ this.roles = new HashSet<>();
String[] roles = ((GenericPrincipal) principal).getRoles();
for (String role : roles) {
- subject.getPrincipals().add(new GenericPrincipal(role,
null, null));
+ GenericPrincipal roleGp = new GenericPrincipal(role, null,
null);
+ subject.getPrincipals().add(roleGp);
+ this.roles.add(roleGp);
}
-
}
}
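Review bot: On the line after `this.roles = new HashSet<>();` the local `String[] roles` now shadows the new `roles` field, which is why the field has to be spelled `this.roles` two lines away from a bare `roles` that means something else. Renaming the local, `String[] roleNames = ((GenericPrincipal) principal).getRoles();` and `for (String role : roleNames) {`, removes the ambiguity without changing behaviour. The enclosing `commit()` starts before this hunk.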
@@ -307,8 +316,14 @@ public class JAASMemoryLoginModule extends MemoryRealm
implements LoginModule {
@Override
public boolean logout() throws LoginException {
subject.getPrincipals().remove(principal);
+ if (principal instanceof GenericPrincipal) {
+ for (Principal role : roles) {
+ subject.getPrincipals().remove(role);
+ }
+ }
committed = false;
principal = null;
+ roles = null;
return true;
}
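Review bot: The guard `if (principal instanceof GenericPrincipal)` in front of the role loop does not protect against `roles` being null: `roles` is only assigned inside `commit()`, so a `logout()` issued after a successful `login()` but before `commit()` (or by a subclass that overrides `commit()`) would throw a NullPointerException at `for (Principal role : roles)`. Checking the state the loop actually depends on, `if (roles != null) {`, is both safer and states what the block undoes. A one-line comment would also help, noting that the stored instances are removed rather than freshly constructed equivalents because removal from the principal set presumably relies on object identity — confirm against `GenericPrincipal`'s equals/hashCode.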
diff --git a/test/org/apache/catalina/realm/TestJAASRealm.java
b/test/org/apache/catalina/realm/TestJAASRealm.java
index b309baffd9..49ab665ff9 100644
--- a/test/org/apache/catalina/realm/TestJAASRealm.java
+++ b/test/org/apache/catalina/realm/TestJAASRealm.java
@@ -112,6 +112,7 @@ public class TestJAASRealm extends TomcatBaseTest {
Assert.assertTrue(p instanceof GenericPrincipal);
GenericPrincipal gp = (GenericPrincipal) p;
Assert.assertTrue(gp.hasRole("testrole"));
+ gp.logout();
}
}
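Review bot: The added `gp.logout();` exercises the new removal code but asserts nothing about its outcome, so a regression that left role principals on the subject would still pass. If the `Subject` is reachable from the test (it appears to come from the login performed earlier in the method, outside this hunk), follow the call with an assertion that its principal set no longer contains a principal named `testrole`. The enclosing test method starts before this hunk.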
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 91acacb59a..612dfcffc8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -160,6 +160,10 @@
Add support for single-quote escaped literal as well as quoted literals
in <code>DateFormatCache</code>. (schultz)
</fix>
+ <fix>
+ On JAAS logout, clear out role principals on the subject that were
+ added on commit, as recommended by the JAAS specification. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">