[ https://issues.apache.org/jira/browse/OAK-8710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16969307#comment-16969307 ]
Manfred Baedke edited comment on OAK-8710 at 11/7/19 2:39 PM: -------------------------------------------------------------- [~angela], Yes, of course that's a new issue (which might make this one obsolet). I'm sorry about the confusion, but here the root cause was just a little hard to track down. I'll make a few tests and will open a new issue, if successful. was (Author: baedke): [~angela], Yes, of course that's a new issue. > AbstractLoginModule#logout() may fail in the presence of unknown principals > --------------------------------------------------------------------------- > > Key: OAK-8710 > URL: https://issues.apache.org/jira/browse/OAK-8710 > Project: Jackrabbit Oak > Issue Type: Bug > Components: security-spi > Reporter: Manfred Baedke > Assignee: Angela Schreiber > Priority: Major > Attachments: logout.png > > > See > https://github.com/apache/jackrabbit-oak/blob/9569d659f0655d3ba16c1cfe1fbb5f53959f701f/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java#L189: > The criterion for logout() to succeed is > {code}!subject.getPrincipals().isEmpty() && > !subject.getPublicCredentials(Credentials.class).isEmpty(){code} > This did not work in a case where the subject was created by a thread > handling an authenticated JMX connection (and later passed on to other > threads due to AccessControlContext inheritage). > I'd propose to make logout() succeed unconditionally, but I'm not entirely > sure about side effects. -- This message was sent by Atlassian Jira (v8.3.4#803005)