[jboss-jira] [JBoss JIRA] (WFLY-2016) Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread

RH Bugzilla Integration (JIRA) jira-events at lists.jboss.org
Tue Nov 19 12:02:06 EST 2013


     [ https://issues.jboss.org/browse/WFLY-2016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

RH Bugzilla Integration updated WFLY-2016:
------------------------------------------

        Bugzilla Update: Perform
    Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=1032188

    
> Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-2016
>                 URL: https://issues.jboss.org/browse/WFLY-2016
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: EJB, Security
>    Affects Versions: 8.0.0.Alpha4
>            Reporter: jaikiran pai
>            Assignee: Stuart Douglas
>             Fix For: 8.0.0.CR1
>
>
> Consider a servlet "S" which invokes on an asynchronous EJB "A". Let's assume "S" runs with a "foo" run-as role. Now when S invokes on "A", the run-as "foo" role is correctly propagated to the asynchronous EJB invocation. However, when the "S" invocation completes and potentially clears the security context (of any run-as role), the invocation(s) within the asynchronous EJB "A" too lose the corresponding security context role association. This is because the 2 threads (the servlet invocation one and the async EJB invocation one) literally share the same object instance of the SecurityContext.
> The expected behaviour is that the original security context (attributes) are copied over to the async invocation and updates to that security context later on in a separate thread shouldn't affect the ongoing async EJB invocation.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
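
The shared-instance behaviour described in the report, shown as an added example that is not part of the original message and is not WildFly code. The `SecurityContext` class, its `copy()` method and the `invoke` helper are hypothetical stand-ins that model only the run-as role; latches force the ordering in which the caller clears its context while the async invocation is still running.

```java
import java.util.concurrent.*;

public class AsyncSecurityContextDemo {
    // Hypothetical, simplified stand-in for a mutable security context
    // (assumption for illustration; not the WildFly class).
    static final class SecurityContext {
        private volatile String runAsRole;
        SecurityContext(String runAsRole) { this.runAsRole = runAsRole; }
        String getRunAsRole() { return runAsRole; }
        void clearRunAs() { runAsRole = null; }
        // Snapshot of the attributes, detached from later caller-side updates.
        SecurityContext copy() { return new SecurityContext(runAsRole); }
    }

    // Models servlet "S" (calling thread) invoking async EJB "A" (pool thread).
    // Returns the run-as role "A" observes after "S" has cleared its context.
    static String invoke(boolean copyForAsync) throws Exception {
        ExecutorService asyncPool = Executors.newSingleThreadExecutor();
        try {
            SecurityContext callerCtx = new SecurityContext("foo");
            // Reported behaviour: same instance handed to the async thread.
            // Expected behaviour: a copy taken at invocation time.
            SecurityContext asyncCtx = copyForAsync ? callerCtx.copy() : callerCtx;
            CountDownLatch started = new CountDownLatch(1);
            CountDownLatch callerDone = new CountDownLatch(1);
            Future<String> result = asyncPool.submit(() -> {
                started.countDown();   // "A" is now running
                callerDone.await();    // "A" is still working when "S" finishes
                return asyncCtx.getRunAsRole();
            });
            started.await();
            callerCtx.clearRunAs();    // "S" completes and clears its run-as role
            callerDone.countDown();
            return result.get(5, TimeUnit.SECONDS);
        } finally {
            asyncPool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared instance: " + invoke(false));
        System.out.println("copied context:  " + invoke(true));
    }
}
```

With the shared instance the async invocation sees no run-as role once the caller has cleared it; with the copy it still sees "foo".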

