DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=39231>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39231

           Summary: The JAAS contract for LoginModule is broken
           Product: Tomcat 5
           Version: 5.5.16
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

The issue is that the custom JAAS LoginModule.logout() method is never called. I guess this has never been implemented correctly (at least since Tomcat 5.5.9).

The thing is that according to the JAAS spec, LoginContext.logout() is supposed to invoke the logout method for each LoginModule configured for this LoginContext. So, somebody should be sure to call the LoginContext.logout() method. The caller for this method could be either a server or a client. So, either Tomcat should provide some means for clients to access the LoginContext, or Tomcat should take the responsibility to call this method by itself.

I guess the solution could be for Tomcat to associate the instance of LoginContext with the user's session, and then Tomcat could invoke LoginContext.logout() when the session is being invalidated (both when the session times out and when it is invalidated explicitly).

I hope that I am correctly interpreting the JAAS spec.
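One way to implement the session-tied logout the reporter proposes, as an added example written for this page and not Tomcat's own code: a hypothetical wrapper that stores the LoginContext in the HttpSession as an HttpSessionBindingListener, so the container's unbinding callback invokes LoginContext.logout() on explicit invalidation and on timeout alike. The class name, the attribute key and the JAAS configuration entry name are assumptions, and the code assumes the Servlet 2.4 API and a JAAS Configuration on the classpath.

```java
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical helper (not Tomcat code): keeps the JAAS LoginContext in the HttpSession so
 *  LoginContext.logout(), and with it every LoginModule.logout(), runs when the session ends. */
public final class SessionBoundLoginContext implements HttpSessionBindingListener {

    /** Session attribute key; constructed value. */
    public static final String ATTR = "example.jaas.LoginContext";

    private final LoginContext context;
    private volatile boolean loggedOut;

    private SessionBoundLoginContext(LoginContext context) {
        this.context = context;
    }

    /** Authenticates against the named JAAS entry and binds the live context to the session. */
    public static LoginContext login(String configName, CallbackHandler handler,
                                     HttpSession session) throws LoginException {
        LoginContext lc = new LoginContext(configName, handler);
        lc.login();                        // login()/commit() on each configured module
        session.setAttribute(ATTR, new SessionBoundLoginContext(lc));
        return lc;
    }

    /** Explicit logout: unbinding the attribute triggers valueUnbound() below. */
    public static void logout(HttpSession session) {
        session.removeAttribute(ATTR);
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) { }

    /** Runs on removeAttribute, attribute replacement, invalidate() and session timeout. */
    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        if (loggedOut) return;             // guard against a second callback
        loggedOut = true;
        try {
            context.logout();              // JAAS: invokes logout() on every LoginModule
        } catch (LoginException e) {
            event.getSession().getServletContext().log("JAAS logout failed", e);
        }
    }
}
```

A LoginModule whose logout() releases per-login state (tokens, cached credentials, principals on the Subject) can be used with this wrapper to confirm that the release actually happens when the session is invalidated rather than only when the JVM exits.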