Bug 62547 - JASPIC cleanSubject not called on logout for cached authentications
Summary: JASPIC cleanSubject not called on logout for cached authentications
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.5.20
Hardware: PC All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2018-07-17 08:15 UTC by Guillermo González de Agüero
Modified: 2018-08-06 13:41 UTC


Description Guillermo González de Agüero 2018-07-17 08:15:29 UTC
When authentication takes place via JASPIC and there was no cached user principal, the clientSubject is stored in the request: https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java#L813

On logout, the stored clientSubject is retrieved in order to pass it as an argument to ServerAuthContext#cleanSubject():

The problem is, when authentication was performed on a previous request (it was cached), the subject is not stored, and so cleanSubject is not called, since the subject must not be null.

The solution might be just to always store the subject, despite the authentication being cached. I can provide a PR myself if someone confirms that's a valid solution.

I have only tested this on 8.5.20 (TomEE 7.0.4), but the affected code is the same on other versions.
Comment 1 Guillermo González de Agüero 2018-07-17 11:30:07 UTC
Since it was (IMHO) a one-line change, I provided a PR: https://github.com/apache/tomcat/pull/116
Comment 2 Mark Thomas 2018-08-06 13:41:08 UTC
That was pretty much the change I was thinking of after reviewing the code and your bug description.

Fixed in:
- trunk for 9.0.11 onwards
- 8.5.x for 8.5.33 onwards