This is an automated email from the ASF dual-hosted git repository.

rmaucher pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 140e11ecc2 Use logout
140e11ecc2 is described below

commit 140e11ecc256ae86fe531518ef1c83b67fa423cf
Author: remm <[email protected]>
AuthorDate: Fri Jun 26 17:06:12 2026 +0200

    Use logout
    
    Logout when login does not fail but authenticate would return a null
    principal.
---
 java/org/apache/catalina/realm/JAASRealm.java | 5 ++---
 webapps/docs/changelog.xml                    | 4 ++++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/realm/JAASRealm.java 
b/java/org/apache/catalina/realm/JAASRealm.java
index fb913082f4..2b7684166b 100644
--- a/java/org/apache/catalina/realm/JAASRealm.java
+++ b/java/org/apache/catalina/realm/JAASRealm.java
@@ -361,9 +361,6 @@ public class JAASRealm extends RealmBase {
 
         // Establish a LoginContext to use for authentication
         try {
-            if (appName == null) {
-                appName = "Tomcat";
-            }
 
             if (log.isTraceEnabled()) {
                 log.trace(sm.getString("jaasRealm.beginLogin", username, 
appName));
@@ -414,6 +411,7 @@ public class JAASRealm extends RealmBase {
                     if (log.isDebugEnabled()) {
                         log.debug(sm.getString("jaasRealm.failedLogin", 
username));
                     }
+                    loginContext.logout();
                     return null;
                 }
             } catch (AccountExpiredException e) {
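Review bot: `loginContext.logout()` declares `LoginException`, and at both places this commit adds it (here before `return null`, and in the `jaasRealm.authenticateFailure` branch of the later hunk) a cleanup failure falls through to whichever enclosing catch matches, so it would be reported as a login or unexpected error rather than as a failed logout. Here the call sits inside the try whose catch clauses begin on the next line; the handlers after `AccountExpiredException` are outside the hunk, but presumably one of them returns null, so the outcome should still fail closed. If the guard above this branch is a null-subject check (not visible in the hunk), `LoginContext.logout()` throws when the context has no subject, so the call would always take the exception path there. Giving the call its own try/catch with a dedicated debug message keeps the denial path unchanged and makes cleanup failures distinguishable in the logs; the same wrapper applies to the second call site, and the method body starts and ends outside the hunk.
```java
                    // … unchanged: debug log of jaasRealm.failedLogin …
                    try {
                        loginContext.logout();
                    } catch (LoginException e) {
                        // Cleanup only: a failed logout must not change the null result.
                        // "PLACEHOLDER.logoutFailed" is a placeholder, not an existing message key.
                        log.debug(sm.getString("PLACEHOLDER.logoutFailed", username), e);
                    }
                    return null;
```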
@@ -465,6 +463,7 @@ public class JAASRealm extends RealmBase {
                 if (log.isDebugEnabled()) {
                     log.debug(sm.getString("jaasRealm.authenticateFailure", 
username));
                 }
+                loginContext.logout();
                 return null;
             }
             if (log.isTraceEnabled()) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index a4a86f52c3..ecd9395f7c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -137,6 +137,10 @@
         Use <code>Files</code> API to create temporary docBase when
         <code>antiLockingDocBase</code> is enabled. (markt)
       </fix>
+      <fix>
+        <code>JAASRealm</code> should do a logout if login does not fail 
outright but
+        does not produce a Principal. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

