[jboss-jira] [JBoss JIRA] (WFLY-2016) Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread
RH Bugzilla Integration (JIRA)
jira-events at lists.jboss.org
Tue Nov 19 12:40:06 EST 2013
[ https://issues.jboss.org/browse/WFLY-2016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12925024#comment-12925024 ]
RH Bugzilla Integration commented on WFLY-2016:
-----------------------------------------------
wfink at redhat.com changed the Status of [bug 1032188|https://bugzilla.redhat.com/show_bug.cgi?id=1032188] from NEW to CLOSED
> Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread
> -------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-2016
> URL: https://issues.jboss.org/browse/WFLY-2016
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: EJB, Security
> Affects Versions: 8.0.0.Alpha4
> Reporter: jaikiran pai
> Assignee: Stuart Douglas
> Fix For: 8.0.0.CR1
>
>
> Consider a servlet "S" which invokes on an asynchronous EJB "A". Let's assume "S" runs with a "foo" run-as role. Now when S invokes on "A", the run-as "foo" role is correctly propagated to the asynchronous EJB invocation. However, when the "S" invocation completes and potentially clears the security context (of any run-as role), the invocation(s) within the asynchronous EJB "A" too lose the corresponding security context role association. This is because the 2 threads (the servlet invocation one and the async EJB invocation one) literally share the same object instance of the SecurityContext.
> The expected behaviour is that the original security context (attributes) are copied over to the async invocation and updates to that security context later on in a separate thread shouldn't affect the ongoing async EJB invocation.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
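
Added example (not part of the JIRA message and not WildFly code): the sharing problem described in the issue, reduced to a hypothetical Ctx class standing in for the security context. With invoke(false) the async task reads the caller's own instance and finds the run-as role gone once the caller clears it; with invoke(true) it reads a copy taken at dispatch and still sees "foo".

```java
import java.util.concurrent.*;

// Added illustration; Ctx is a hypothetical stand-in, not WildFly's SecurityContext class.
public class AsyncContextDemo {
    // Mutable per-invocation security state, reduced to the run-as role.
    static final class Ctx {
        private volatile String runAs;
        Ctx(String runAs) { this.runAs = runAs; }
        Ctx copy() { return new Ctx(runAs); }   // snapshot of the attributes at dispatch time
        void clearRunAs() { runAs = null; }     // what the caller does when it completes
        String runAs() { return runAs; }
    }

    // Simulates servlet "S" invoking async EJB "A" and returns the role that "A"
    // observes after "S" has completed and cleared its own context.
    static String invoke(boolean copyForAsync) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Ctx callerCtx = new Ctx("foo");
            // Buggy path: hand the same instance to the async thread.
            // Expected path: hand over a copy the caller can no longer touch.
            Ctx asyncCtx = copyForAsync ? callerCtx.copy() : callerCtx;
            CountDownLatch callerDone = new CountDownLatch(1);
            Future<String> seenByA = pool.submit(() -> {
                callerDone.await();             // "A" is still running when "S" finishes
                return asyncCtx.runAs();        // authorization decisions would read this
            });
            callerCtx.clearRunAs();             // "S" completes and clears the run-as role
            callerDone.countDown();
            return seenByA.get(5, TimeUnit.SECONDS);
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared instance: runAs=" + invoke(false));
        System.out.println("copied context:  runAs=" + invoke(true));
    }
}
```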