Need comment on Issue #174 ASAP
Will Hopkins
Arjan,

Can you have a look at #174, and let me know what you think ASAP? To summarize, I think the RememberMeInterceptor must call invocationContext.proceed(), to delegate to the other interceptors/underlying HAM, when intercepting cleanSubject(). The spec says only that it must call rememberMeIdentityStore.removeLoginToken(), which is indeed necessary, but not sufficient -- the Subject is never cleaned.

I'm preparing a commit to implement this in Soteria, but would appreciate your review, as this is a significant behavior change in an area the spec is silent on.

Thanks,
Will

--
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Developer Experience
35 Network Drive, Burlington, MA 01803
Will Hopkins
Comments from other EG members/Contributors also welcome ... ;)
On 08/17/2017 08:14 AM, Will Hopkins wrote:
> Arjan,
Hi,

Just saw this coming in, so sorry for the somewhat late reply. I'm indeed pretty sure it needs to call `invocationContext.proceed()` like you mention. The moment it calls this probably doesn't even matter that much. It can either do it before it cleans up its own cookie or afterwards.

I do wonder about the SecurityManager involvement in the failure here, but it's hard to comment on that since I don't know what the "cleanSubject" test exactly does or doesn't do.

Kind regards,
Arjan Tijms
Will Hopkins
Thanks, Arjan.
FYI, PR #177 adds the call to proceed(), if you want to have a look. The SecurityManager aspect is puzzling, but I suspect it's actually unrelated, or is related only because an access control problem of some kind masked or unmasked the underlying problem.

Will

On 08/17/2017 10:36 AM, Arjan Tijms wrote:
> Hi,