tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 39231] New: - The JAAS contract for LoginModule is broken
Date Thu, 06 Apr 2006 20:20:00 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39231>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39231

           Summary: The JAAS contract for LoginModule is broken
           Product: Tomcat 5
           Version: 5.5.16
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: seva_popov@tvworks.com


The issue is that the custom JAAS LoginModule.logout() method is never 
called. I guess this has never been implemented correctly (at least since 
Tomcat 5.5.9).

The thing is that according to the JAAS spec, the LoginContext.logout() is 
supposed to invoke the logout method for each LoginModule configured for this 
LoginContext.

So, somebody should be sure to call LoginContext.logout() method. The caller 
for this method could be either a server or a client. 

So, either Tomcat should provide some means to access the LoginContext to the 
clients, or Tomcat should take the responsibility to call this method by itself.

I guess the solution could be for Tomcat to associate the instance of 
LoginContext with the user's session, and then Tomcat could invoke 
LoginContext.logout() when the session is being invalidated (both when the 
session times out and when it is invalidated explicitly).

I hope that I am correctly interpreting the JAAS spec.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
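
The session-bound logout proposed in the report, sketched at application level as an added example (not Tomcat code and not from the reporter). It assumes the application created the LoginContext itself and called login() on it; the class name `LoginContextHolder` and the attribute name are hypothetical.

```java
import java.io.Serializable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical holder that ties a LoginContext's lifetime to an HttpSession. */
public final class LoginContextHolder
        implements HttpSessionBindingListener, Serializable {

    private static final long serialVersionUID = 1L;
    private static final Logger LOG =
            Logger.getLogger(LoginContextHolder.class.getName());

    /** Hypothetical session attribute name. */
    public static final String ATTR = "example.jaas.LoginContextHolder";

    // LoginContext is not Serializable, so it is dropped if the session is
    // persisted or replicated; logout() is then skipped for that session.
    private transient LoginContext loginContext;

    private LoginContextHolder(LoginContext loginContext) {
        this.loginContext = loginContext;
    }

    /** Call once after loginContext.login() has succeeded. */
    public static void bind(HttpSession session, LoginContext loginContext) {
        // Replacing an existing holder unbinds it, which logs out the old context.
        session.setAttribute(ATTR, new LoginContextHolder(loginContext));
    }

    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do when the holder is stored in the session.
    }

    /** The container calls this on removeAttribute(), invalidate() and timeout. */
    public synchronized void valueUnbound(HttpSessionBindingEvent event) {
        LoginContext lc = loginContext;
        loginContext = null;            // guarantee logout() runs at most once
        if (lc == null) {
            return;
        }
        try {
            lc.logout();                // invokes logout() on each configured LoginModule
        } catch (LoginException e) {
            LOG.log(Level.WARNING, "JAAS logout failed on session unbind", e);
        }
    }
}
```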

