harmony-dev mailing list archives

From Tim Ellison <t.p.elli...@gmail.com>
Subject Re: [classlib][auth]LoginContext should always invoke the LoginModules?
Date Mon, 02 Oct 2006 16:19:30 GMT
Alex Astapchuk wrote:
> Hi Stepan, all,
> 
>> I think the spec. statement: "A LoginContext should not be used to
>> authenticate more than one Subject." was taken too strictly: reusing
>> LoginContext object to get the same set of credentials seemed odd.
> 
> The decision was mostly about resources.
> 
> Indeed, the spec does not specify behavior of LoginContext.
> 
> However, the spec is more or less clear about what the
> Login*Module*-s should do in response to login/logout/etc.
> It states 'login() saves result ...'. It does not warn with
> anything like 'check previous state and clean up resources
> from previous successful logins'.
> The resource clean up is explicitly for abort() and logout().

The spec might not say so explicitly, but cleaning up the resources
before attempting another login would seem like a reasonable thing to do.

>>> I consider the RI's behavior more reasonable.
> 
> I would say it's more dangerous.
> The invocation of login() on already logged LoginModule-s
> may easily produce a resource leak.
> Presuming the authentication is normally not too frequent a
> task, such a leak would be really hard to discover and hunt.

I don't see why we would have to suffer the leak -- if the state changes
are made via API then we have the opportunity to fix things first.

Regards,
Tim

-- 

Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.
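
The cleanup-before-relogin idea discussed in this message, sketched as an added example (not code from Harmony, the RI, or anyone in the thread). The class name and the stand-in credential check are hypothetical; the per-login resources here are a password buffer and a Principal placed on the Subject.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical module: login() releases state left by an earlier successful login.
public class ReloginSafeModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private char[] password;      // secret that must not outlive one login attempt
    private Principal principal;  // what commit() put on the Subject, so logout() can remove it
    private boolean succeeded, committed;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        if (succeeded || committed) logout();  // repeated login(): drop the earlier state first
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        user = nc.getName();
        password = pc.getPassword();           // a copy; the callback's own buffer is cleared next
        pc.clearPassword();
        // Stand-in check (assumption); a real module verifies against its credential store.
        succeeded = user != null && password != null && password.length > 0;
        if (!succeeded) { release(); throw new FailedLoginException("bad credentials"); }
        return true;
    }
    public boolean commit() {
        if (!succeeded) return false;
        final String name = user;
        principal = () -> name;                // Principal has one abstract method, getName()
        subject.getPrincipals().add(principal);
        committed = true;
        return true;
    }
    public boolean abort() { return succeeded && logout(); }
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        release();
        return true;
    }
    private void release() {                   // zero the secret and reset all per-login state
        if (password != null) Arrays.fill(password, '\0');
        password = null; user = null; principal = null; succeeded = committed = false;
    }
}
```

Without the first line of `login()`, a second call would overwrite `password` and `principal` while the old Principal stays on the Subject and the old buffer is never zeroed, which is the kind of leak the quoted text warns about.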
