From: "Stepan Mishura"
To: harmony-dev@incubator.apache.org
Date: Tue, 3 Oct 2006 10:27:51 +0700
Subject: Re: [classlib][auth]LoginContext should always invoke the LoginModules?

On 10/2/06, Tim Ellison wrote:
>
> Alex Astapchuk wrote:
> > Hi Stepan, all,
> >
> >> I think the spec. statement: "A LoginContext should not be used to
> >> authenticate more than one Subject." was taken too strict: reusing
> >> LoginContext object to get the same set of credentials seemed odd.
> >
> > The decision was mostly about resources.
> >
> > Indeed, the spec does not specify behavior of LoginContext.
> >
> > However, the spec is more or less clear in what should the
> > Login*Module*-s do in response to login/logout/etc.
> > It states 'login() saves result ...'. It does not warn with
> > anything like 'check previous state and clean up resources
> > from previous successful logins'.
> > The resource clean up is explicitly for abort() and logout().
>
> The spec might not say so explicitly, but cleaning up the resources
> before attempting another login would seem like a reasonable thing to do.

Hi Tim,

And if RI doesn't clean up resources should we do the same to be "compatible"? :-)

I see two possible solutions here:
1) Revert the change and add javadoc comments that the second login() is ignored if logout() is not invoked before.
2) LoginContext calls logout() before the second login().

But both variants will be incompatible with RI (testing shows that it doesn't invoke logout() before second login()).

Other variants?

Thanks,
Stepan.

>>> I consider RI's behavior is more reasonable.
> >
> > I would say it's more dangerous.
> > The invocation of login() on already logged LoginModule-s
> > may easily produce a resource leak.
> > Presuming the authentication is normally not a too frequent
> > task, such a leak would be really hard to discover and hunt.
>
> I don't see why we would have to suffer the leak -- if the state changes
> are made via API then we have the opportunity to fix things first.
>
> Regards,
> Tim
>
> --
>
> Tim Ellison (t.p.ellison@gmail.com)
> IBM Java technology centre, UK.
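
A probe for the behaviour discussed in this thread, added here as an example (it is not code from the thread or from Harmony): it records which LoginModule methods a runtime's LoginContext invokes when login() is called twice with no logout() in between, and shows one way a module can release state left by an earlier login(). The names SecondLoginProbe, ProbeModule and openHandles are hypothetical, and the counter stands in for a real resource.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class SecondLoginProbe {
    static final List<String> calls = new ArrayList<>(); // trace of module callbacks
    static int openHandles = 0;                          // stand-in for a real resource

    // Hypothetical module: holds one "handle" per successful login.
    public static class ProbeModule implements LoginModule {
        private boolean holding;
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) {
            calls.add("initialize");
        }
        public boolean login() {
            calls.add("login");
            if (holding) release();   // defensive: drop state left by a prior login()
            holding = true;
            openHandles++;
            return true;
        }
        public boolean commit() { calls.add("commit"); return true; }
        public boolean abort()  { calls.add("abort");  release(); return true; }
        public boolean logout() { calls.add("logout"); release(); return true; }
        private void release()  { if (holding) { holding = false; openHandles--; } }
    }

    public static void main(String[] args) throws LoginException {
        // In-memory Configuration so no JAAS config file is needed.
        Configuration cfg = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    ProbeModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    new HashMap<String, Object>()) };
            }
        };
        LoginContext lc = new LoginContext("probe", new Subject(), cb -> { }, cfg);
        lc.login();
        lc.login();   // second login() with no logout() in between
        System.out.println("after 2nd login: " + calls + " openHandles=" + openHandles);
        lc.logout();
        System.out.println("after logout:    " + calls + " openHandles=" + openHandles);
    }
}
```

Removing the `if (holding) release();` line and rerunning shows whether the handle count grows on a given runtime, which is the leak Alex describes.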