
Need comment on Issue #174 ASAP


Will Hopkins
 

Arjan,

Can you have a look at #174, and let me know what you think ASAP?

To summarize, I think the RememberMeInterceptor must call invocationContext.proceed(), to delegate to the other interceptors/underlying HAM, when intercepting cleanSubject().

The spec says only that it must call rememberMeIdentityStore.removeLoginToken(), which is indeed necessary, but not sufficient -- the Subject is never cleaned.

I'm preparing a commit to implement this in Soteria, but would appreciate your review, as this is a significant behavior change in an area the spec is silent on.

Thanks,

Will
-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Developer Experience
35 Network Drive, Burlington, MA 01803
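To make the point above concrete, here is a minimal CDI interceptor around an HttpAuthenticationMechanism annotated with @RememberMe, showing only the cleanSubject() branch. This is an added example, not Soteria's RememberMeInterceptor and not the code in the commit Will mentions: the class name ExampleRememberMeInterceptor, the @Priority value, the hardcoded cookie name and the cookie path are all assumptions made for illustration, and the validateRequest()/secureResponse() branches are deliberately left as a plain delegation.

```java
// Added example (not Soteria's code): a CDI interceptor bound to @RememberMe
// that handles the cleanSubject() call of the intercepted mechanism.
import java.util.Arrays;
import java.util.Optional;

import javax.annotation.Priority;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import javax.security.enterprise.authentication.mechanism.http.RememberMe;
import javax.security.enterprise.identitystore.RememberMeIdentityStore;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@Interceptor
@RememberMe
@Priority(Interceptor.Priority.PLATFORM_BEFORE + 210) // assumed ordering value
public class ExampleRememberMeInterceptor {

    // Assumption: cookie name fixed here instead of being read from the
    // @RememberMe annotation on the intercepted mechanism.
    private static final String COOKIE_NAME = "JREMEMBERMEID";

    @Inject
    private RememberMeIdentityStore rememberMeIdentityStore;

    @AroundInvoke
    public Object intercept(InvocationContext ctx) throws Exception {
        if ("cleanSubject".equals(ctx.getMethod().getName())) {
            return cleanSubject(ctx);
        }
        // validateRequest()/secureResponse() handling omitted in this example;
        // just delegate to the next interceptor or the underlying HAM.
        return ctx.proceed();
    }

    private Object cleanSubject(InvocationContext ctx) throws Exception {
        // cleanSubject(HttpServletRequest, HttpServletResponse, HttpMessageContext)
        HttpServletRequest request = (HttpServletRequest) ctx.getParameters()[0];
        HttpServletResponse response = (HttpServletResponse) ctx.getParameters()[1];

        Optional<Cookie> cookie = findRememberMeCookie(request);
        if (cookie.isPresent()) {
            // Necessary: invalidate the server-side login token ...
            rememberMeIdentityStore.removeLoginToken(cookie.get().getValue());

            // ... and expire the browser cookie so it is not sent again.
            Cookie expired = new Cookie(COOKIE_NAME, "");
            expired.setMaxAge(0);
            expired.setPath("/"); // assumed path; must match the path the cookie was set with
            response.addCookie(expired);
        }

        // Not sufficient on its own: without this call the underlying HAM's
        // cleanSubject() never runs, so the Subject itself is never cleaned.
        // Whether this happens before or after the cookie cleanup above does
        // not change the outcome; only that it happens at all matters.
        return ctx.proceed();
    }

    private static Optional<Cookie> findRememberMeCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return Optional.empty();
        }
        return Arrays.stream(cookies)
                     .filter(c -> COOKIE_NAME.equals(c.getName()))
                     .findFirst();
    }
}
```

The failure mode discussed in the thread is the version of cleanSubject() that ends after response.addCookie(expired) and returns null instead of ctx.proceed(): the remember-me token is gone, but the container-side cleanup done by the wrapped mechanism is silently skipped.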


Will Hopkins
 

Comments from other EG members/Contributors also welcome ... ;)

On 08/17/2017 08:14 AM, Will Hopkins wrote:


Arjan Tijms
 

Hi,

Just saw this coming in so sorry for the somewhat late reply.

I'm indeed pretty sure it needs to call `invocationContext.proceed()` like you mention. The moment it calls this probably doesn't even matter that much. It can either do it before it cleans up its own cookie or afterwards.

I do wonder about the SecurityManager involvement in the failure here, but it's hard to comment on that since I don't know what the "cleanSubject" test exactly does or doesn't do.

Kind regards,
Arjan Tijms


Will Hopkins
 

Thanks, Arjan.

FYI, PR #177 adds the call to proceed(), if you want to have a look. The SecurityManager aspect is puzzling, but I suspect it's actually unrelated, or is related only because an access control problem of some kind masked or unmasked the underlying problem.

Will

On 08/17/2017 10:36 AM, Arjan Tijms wrote: