[ https://issues.apache.org/jira/browse/OAK-8710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16958906#comment-16958906 ]
Manfred Baedke edited comment on OAK-8710 at 10/24/19 3:20 PM:
---------------------------------------------------------------

Hi [~angela],

I'll try to come up with a test case. Not sure yet how that will go.

Please note https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#logout, which states a different logout contract. But you're right, the JavaDoc should matter, so succeeding unconditionally is not an option. Anyway, we don't implement that contract either.

Currently, the criterion for success is the presence of any principal and the presence of public credentials, which has nothing to do with the question if the Module should be ignored (actually, in the case mentioned in the description, it certainly should not, because it did the login).

Will we need to keep track of principals?

Edit: trivial test method to be added to AbstractLoginModuleTest:

{code}
@Test
public void testLogoutAlienPrincipal() {
    // Subject carrying only a principal that this login module did not add
    Subject subject = new Subject(false,
            ImmutableSet.<Principal>of(new PrincipalImpl("foo")),
            ImmutableSet.of(), ImmutableSet.of());
    AbstractLoginModule loginModule = initLoginModule(subject, null, null);
    // logout() is expected to succeed, but fails under the current criterion
    assertTrue(loginModule.logout());
}
{code}

will fail, which clearly breaks the contract.

was (Author: baedke):

Hi [~angela],

I'll try to come up with a test case. Not sure yet how that will go.

Please note https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#logout, which states a different logout contract. But you're right, the JavaDoc should matter, so succeeding unconditionally is not an option. Anyway, we don't implement that contract either.

Currently, the criterion for success is the presence of any principal and the presence of public credentials, which has nothing to do with the question if the Module should be ignored (actually, in the case mentioned in the description, it certainly should not, because it did the login).

Will we need to keep track of principals?
> AbstractLoginModule#logout() may fail in the presence of unknown principals
> ---------------------------------------------------------------------------
>
> Key: OAK-8710
> URL: https://issues.apache.org/jira/browse/OAK-8710
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: security-spi
> Reporter: Manfred Baedke
> Priority: Major
>
> See https://github.com/apache/jackrabbit-oak/blob/9569d659f0655d3ba16c1cfe1fbb5f53959f701f/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java#L189:
> The criterion for logout() to succeed is
> {code}
> !subject.getPrincipals().isEmpty() && !subject.getPublicCredentials(Credentials.class).isEmpty()
> {code}
> This did not work in a case where the subject was created by a thread handling an authenticated JMX connection (and later passed on to other threads due to AccessControlContext inheritance).
> I'd propose to make logout() succeed unconditionally, but I'm not entirely sure about side effects.
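As an added illustration of the "keep track of principals" idea raised in the comment above (a hypothetical sketch, not Oak code and not a proposed patch): a JAAS module whose commit() records the principals and credentials it contributed, so that logout() removes only those and judges success by whether this module handled the login, not by whatever else the Subject happens to carry. The class name, the `loginSucceeded` flag and the two abstract hooks are assumptions.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical sketch, not Oak code: commit() records what it added, logout() undoes only that. */
public abstract class TrackingLoginModule implements LoginModule {
    protected Subject subject;
    protected boolean loginSucceeded;   // assumed to be set by the subclass's login()
    private final Set<Principal> addedPrincipals = new HashSet<>();
    private final Set<Object> addedCredentials = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }

    // What a successful login contributes to the Subject; decided by the subclass (assumed hooks).
    protected abstract Set<Principal> principalsToCommit();
    protected abstract Set<Object> credentialsToCommit();

    @Override
    public boolean commit() throws LoginException {
        if (!loginSucceeded) return false;   // login() failed or was ignored: nothing to commit
        addedPrincipals.addAll(principalsToCommit());
        addedCredentials.addAll(credentialsToCommit());
        subject.getPrincipals().addAll(addedPrincipals);
        subject.getPublicCredentials().addAll(addedCredentials);
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        if (!loginSucceeded) return false;   // ignored during login, so ignored on logout too
        if (subject.isReadOnly()) {
            throw new LoginException("cannot remove principals from a read-only Subject");
        }
        // Remove only what this module added. Principals contributed by others (e.g. an
        // authenticated JMX connection) stay untouched, so their presence cannot fail logout.
        subject.getPrincipals().removeAll(addedPrincipals);
        subject.getPublicCredentials().removeAll(addedCredentials);
        addedPrincipals.clear();
        addedCredentials.clear();
        loginSucceeded = false;
        return true;
    }
}
```

With this bookkeeping, the `testLogoutAlienPrincipal` case from the comment would pass whenever the module itself performed the login, regardless of which other principals the Subject carries.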