Menu
▾
▴
[JBoss-user] [Security & JAAS/JBoss] - Potential bug in ClientLoginModule logout
|
From: jwynett <do-...@jb...> - 2006-02-27 20:32:49
|
If you look in the ClientLoginModule.logout method, if restoreloginidentity is true, it pops the subject context from the stack. After that, it removes the last principal from the subject.getPrincipals() set.
A problem can occur when the same principal logs in more than once in a row and then one logs out. Since it is a Set, each principal can appear only once no matter how many times they log in. Here is the sequence:
1. login user "a"; principals set contains one principal ("a").
2. login user "a" again; principals set contains one principal ("a").
3. logout user "a"; the first user "a" is restored but principals set is empty.
Same problem occurs if we login user "a", then "b" and then "a" again.
I have not personally seen an error come up in my system due to this however it seems to me like there are two possibilities here: either is makes no difference what is in the principal set or some code depending on this will have a problem when it turns out that user "a" is currently logged in but the principals set is empty.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3926632#3926632
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3926632
|