https://bz.apache.org/bugzilla/show_bug.cgi?id=62547
Bug ID: 62547
Summary: JASPIC cleanSubject not called on logout for cached authentications
Product: Tomcat 8
Version: 8.5.20
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: z06.guille...@gmail.com
Target Milestone: ----

When authentication takes place via JASPIC and there was no cached user principal, the clientSubject is stored in the request:
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java#L813

On logout, the stored clientSubject is retrieved in order to pass it as an argument to ServerAuthContext#cleanSubject():
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java#L1138

The problem is, when authentication was performed on a previous request (it was cached), the subject is not stored, and so cleanSubject is not called, since the subject must not be null.

The solution might be just to always store the subject, despite the authentication being cached. I can provide a PR myself if someone confirms that's a valid solution.

I have only tested this on 8.5.20 (TomEE 7.0.4) but the affected code is the same on other versions.
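A minimal model of the authenticate/logout sequence the report describes, added here as an illustration and not code from Tomcat or from the reporter. Class and field names are hypothetical, the JASPIC cleanSubject() call is represented by a counter, and the alwaysStoreSubject flag switches between the behaviour reported above and the proposed fix of always storing the subject on the request.

```java
import java.util.HashMap;
import java.util.Map;
// Simplified model of the authenticate/logout flow; hypothetical names, not Tomcat's code.
public class CachedLogoutDemo {
    // Stand-in for the request: per-request attributes plus the session it belongs to.
    static class Request {
        final Map<String, Object> attrs = new HashMap<>();
        final Object session;
        Request(Object session) { this.session = session; }
    }
    final Map<Object, Object> cachedSubjects = new HashMap<>(); // session -> subject
    final boolean alwaysStoreSubject;  // false = behaviour as reported, true = proposed fix
    int cleanSubjectCalls = 0;         // how often the cleanSubject() stand-in ran
    CachedLogoutDemo(boolean alwaysStoreSubject) { this.alwaysStoreSubject = alwaysStoreSubject; }
    void authenticate(Request req) {
        Object cached = cachedSubjects.get(req.session);
        if (cached == null) {
            // First request: the module validates it and the subject is stored on the request.
            Object subject = new Object();
            cachedSubjects.put(req.session, subject);
            req.attrs.put("clientSubject", subject);
        } else if (alwaysStoreSubject) {
            // Proposed fix: store the subject even though authentication was cached.
            req.attrs.put("clientSubject", cached);
        }
        // As reported: on the cached path nothing is stored, so a later logout sees null.
    }
    void logout(Request req) {
        Object subject = req.attrs.get("clientSubject");
        if (subject != null) {   // cleanSubject() only runs when a subject was stored
            cleanSubjectCalls++; // stands in for ServerAuthContext#cleanSubject()
        }
        cachedSubjects.remove(req.session);
    }
    // Authenticates on one request, then logs out on a later request of the same session.
    static int cleanSubjectCallsAfterCachedLogout(boolean fixed) {
        CachedLogoutDemo demo = new CachedLogoutDemo(fixed);
        Object session = new Object();
        demo.authenticate(new Request(session)); // first request, nothing cached yet
        Request later = new Request(session);
        demo.authenticate(later);                // served from the cache
        demo.logout(later);
        return demo.cleanSubjectCalls;
    }
    public static void main(String[] args) {
        System.out.println("as reported:    " + cleanSubjectCallsAfterCachedLogout(false));
        System.out.println("always storing: " + cleanSubjectCallsAfterCachedLogout(true));
    }
}
```

Running the model shows the cleanup hook skipped entirely for the cached case, which is why an auth module that relies on cleanSubject() to discard per-login state never gets the chance on logout.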