[jboss-user] [Security] - Re: ClientLoginModule in a multi-threaded swing client

marek.gregor do-not-reply at jboss.com
Thu Dec 3 08:45:16 EST 2009


I found the same bug in JBoss 5.1.0GA (bundled with jbosssx-client.jar, version 2.0.3.SP1): 

The security context is lost in a client (multi-threaded Swing) application started via Java Web Start when I perform an EJB3 call on a thread different from the one on which I performed login() at the start of the application (login() was performed on the thread created by Java Web Start for calling the main() method; this thread is destroyed after the main method finishes). Although I have configured:

org.jboss.security.ClientLoginModule required
multi-threaded=false; 

The security context is still stored in thread-related storage, which is wrong. After 2 days of remotely debugging the internals of the JBoss client security library, I found the problem in the static variable SERVER of class org.jboss.security.SecurityContextAssociation, which has the declaration:

private static boolean SERVER = true;

This value is not changed during the run of the client application, therefore the security context is stored in a thread-local place. A simple workaround which works is to call the method SecurityContextAssociation.setClient() before the login() method.

This bug occurred in JBoss 5.1.0GA (jbosssx 2.0.3.SP1). There are already bugfixes which could possibly fix it in a newer version of the security library, e.g. https://jira.jboss.org/jira/browse/SECURITY-415. I do not know; it is up to the JBoss people to decide whether it is still a valid issue to solve.




 

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4268774#4268774
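
The failure mode and the workaround described in the post above, reduced to a self-contained model. This is an added illustration, not code from the post or from the JBoss security library: `ContextHolder`, its methods and the principal `alice` are hypothetical stand-ins for the `SERVER` flag, the thread-local storage and the `setClient()` call the post names.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Simplified model of the storage choice described in the post.
// ContextHolder is a hypothetical stand-in, not the JBoss class.
public class ContextVisibilityDemo {

    static final class ContextHolder {
        // Mirrors the reported default: server mode, per-thread storage.
        private static volatile boolean server = true;
        private static final ThreadLocal<String> perThread = new ThreadLocal<>();
        private static volatile String global;

        static void setClient() { server = false; }
        static void reset() { server = true; global = null; perThread.remove(); }

        static void set(String principal) {
            if (server) perThread.set(principal); else global = principal;
        }
        static String get() { return server ? perThread.get() : global; }
    }

    // Logs in on a short-lived thread (like the Web Start main thread), then
    // reads the context from another thread (like a Swing worker thread).
    static String principalSeenByWorker(boolean callSetClientFirst) throws Exception {
        ContextHolder.reset();
        if (callSetClientFirst) ContextHolder.setClient();

        Thread loginThread = new Thread(() -> ContextHolder.set("alice")); // constructed principal
        loginThread.start();
        loginThread.join(); // the login thread has ended, as after main() returns

        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            Callable<String> read = ContextHolder::get;
            return worker.submit(read).get();
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default (thread-local): " + principalSeenByWorker(false));
        System.out.println("after setClient():      " + principalSeenByWorker(true));
    }
}
```

Per-thread storage is what a server wants, since it keeps one request's identity from being visible to another request's thread; the model shows why the same default leaves a client's worker threads without the identity established at login.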
