tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <>
Subject Regarding JAAS logout patch (for bug 39231)
Date Sun, 16 Aug 2009 06:45:30 GMT
The following patch is currently in voting for 5.5 and 6.0

* Fix (Filip's suggestion)
  JAAS LoginContext expects a call to logout()

I have some comments on it.

1. It changes signature of JAASRealm.createPrincipal(), adding the
third argument,
and that will break classes that override that method.

While evaluating this case I stumbled upon a library that will be
broken by this change:
JOSSO (Java Open Single Sign-On Project).

Here is their instruction for configuring it on Tomcat 6:

Here are the sources:
- see the CatalinaJAASRealm and CatalinaSSOUser classes.

I am not sure that JAASRealm is part of our official API, but if we
can avoid breakage, it is better to do so.

The way that I see to implement our change and to be compatible with
their code is to add a setter to GenericPrincipal that will accept
LoginContext,  instead of passing that argument to the constructor.

2. This logout feature, that this patch implements, - it s actually
more like a cleanup.

All the LoginModule s that I've seen do on logout() is clearing
assigned roles and destroying credentials. That is good, because it
won't have side effects. (If there were any, this feature would have
to be configurable). Though "logout" is a bit too loud name for it.

Documentation on implementing LoginModule#logout() is here:

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message