1 Reply Latest reply on Feb 27, 2006 3:44 PM by Scott Stark

    Potential bug in ClientLoginModule logout

    Luigi Putanesca Newbie

      If you look in the ClientLoginModule.logout method, if restoreloginidentity is true, it pops the subject context from the stack. After that, it removes the last principal from the subject.getPrincipals() set.

      A problem can occur when the same principal logs in more than once in a row and then one logs out. Since it is a Set, each principal can appear only once no matter how many times they log in. Here is the sequence:

      1. login user "a"; principals set contains one principal ("a").
      2. login user "a" again; principals set contains one principal ("a").
      3. logout user "a"; the first user "a" is restored but principals set is empty.

      Same problem occurs if we login user "a", then "b" and then "a" again.

      I have not personally seen an error come up in my system due to this however it seems to me like there are two possibilities here: either is makes no difference what is in the principal set or some code depending on this will have a problem when it turns out that user "a" is currently logged in but the principals set is empty.