1 Reply Latest reply on Feb 27, 2006 3:44 PM by starksm64

    Potential bug in ClientLoginModule logout

    jwynett

      If you look in the ClientLoginModule.logout method, if restoreloginidentity is true, it pops the subject context from the stack. After that, it removes the last principal from the subject.getPrincipals() set.

      A problem can occur when the same principal logs in more than once in a row and then one logs out. Since it is a Set, each principal can appear only once no matter how many times they log in. Here is the sequence:

      1. login user "a"; principals set contains one principal ("a").
      2. login user "a" again; principals set contains one principal ("a").
      3. logout user "a"; the first user "a" is restored but principals set is empty.

      The same problem occurs if we log in user "a", then "b", and then "a" again.

      I have not personally seen an error come up in my system due to this; however, it seems to me like there are two possibilities here: either it makes no difference what is in the principal set, or some code depending on this will have a problem when it turns out that user "a" is currently logged in but the principals set is empty.
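As an added example (not code from the post or from JBoss), a hypothetical Java model of the stack-plus-Set bookkeeping described above: `Session`, `NamedPrincipal`, the `Deque` standing in for the subject context stack and the `Set` standing in for `subject.getPrincipals()` are all assumed names. `logoutAsDescribed` reproduces the pop-then-remove sequence from the post; `logoutFixed` only removes a principal when no remaining login on the stack still holds it.

```java
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical model of the login/logout sequence from the post; not JBoss code.
// The stack holds one entry per login, the Set holds one entry per distinct principal.
public class PrincipalSetDemo {
    // Equality by name is what makes the Set collapse repeated logins of "a" into one entry.
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    static final class Session {
        final Deque<Principal> stack = new ArrayDeque<>();        // login identities, newest on top
        final Set<Principal> principals = new LinkedHashSet<>();  // stands in for subject.getPrincipals()

        void login(String user) {
            Principal p = new NamedPrincipal(user);
            stack.push(p);
            principals.add(p);   // no-op when the same principal is already present
        }

        // Behaviour described in the post: pop the stack, then remove the principal from the Set.
        void logoutAsDescribed() {
            Principal p = stack.pop();
            principals.remove(p);   // drops the principal even if an earlier login of it is still on the stack
        }

        // Corrected variant: keep the principal while any remaining login still uses it.
        void logoutFixed() {
            Principal p = stack.pop();
            if (!stack.contains(p)) {
                principals.remove(p);
            }
        }
    }

    public static void main(String[] args) {
        Session buggy = new Session();   // sequence from the post: "a", "a", one logout
        buggy.login("a"); buggy.login("a"); buggy.logoutAsDescribed();
        System.out.println("as described: top=" + buggy.stack.peek().getName() + " principals=" + buggy.principals);

        Session fixed = new Session();   // second sequence from the post: "a", "b", "a", one logout
        fixed.login("a"); fixed.login("b"); fixed.login("a"); fixed.logoutFixed();
        System.out.println("fixed: top=" + fixed.stack.peek().getName() + " principals=" + fixed.principals);
    }
}
```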