Juraci Paixão Kröhling created GTNWSRP-377:
----------------------------------------------
Summary: Concurrency problem might cause credentials swap
Key: GTNWSRP-377
URL: https://issues.jboss.org/browse/GTNWSRP-377
Project: GateIn WSRP
Issue Type: Bug
Security Level: Public (Everyone can see)
Reporter: Juraci Paixão Kröhling
Assignee: Juraci Paixão Kröhling
From BZ 1063918:
--
In some circumstances, the following situations might occur:
- a non-authenticated user can get the contents for a remote portlet as if another user had requested them
- an authenticated user might be presented as "not logged in" to the remote portlet
For this to happen, the following conditions must be met:
- the WS-Security checkbox on the WSRP Consumer Configuration must be checked, so that user propagation between producer and consumer is activated
- for a specific WSRP endpoint (MarkupService, for example), there must be a high-concurrency scenario and/or a situation where the SOAP message takes long to process
This happens because there is one instance of GTNSubjectCreatingInterceptor per endpoint, and the state of that instance is changed at the same time by multiple threads, so one thread may assign wsUsernameTokenPrincipal while another consumes it when it is not supposed to.
To illustrate this, I've added some System.out's to the interceptor and a random delay after the message has been processed (after super.handleMessage(msg)), so that my low-concurrency scenario would easily reach a situation that a high-concurrency environment might experience.
To reproduce:
- replace WSRP's ./ws-security/jboss7/src/main/java/org/gatein/wsrp/wss/cxf/producer/GTNSubjectCreatingInterceptor.java with the version from this ticket (with the random Thread.sleep + System.out's)
- build WSRP
- build GateIn from this branch: https://github.com/jpkrohling/gatein-portal/tree/JPK-UserInformationInPor... , which changes the "simplest hello world" portlet to display the current user's info
- deploy the simplest hello world portlet, built from the branch above
- deploy the RichFaces Showcase portlet (attached to this BZ)
- boot GateIn, login as root, open the WSRP's Consumer Configuration screen and check the "Enable WS Security" checkbox
- click on "Refresh & Save"
- add both the remote and local versions of the portlets to one category each (local in the Web, remote on the WSRP)
- create a new page, adding the remote version of the "simplest hello world" portlet to it
- create a new page, adding the remote version of the "RichFaces Showcase" portlet to it
- open a new browser, and login as "john"
- on the first browser (root), click on the RichFaces Showcase
- on the second browser, click on the page with the "simplest hello world"
The last two steps might need a few tries to reach the state of the screenshots.
--
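The root cause described above (one interceptor instance per endpoint holding the caller's principal in a mutable field, written by one thread and read by another after a delay) can be reproduced and contrasted with the safe pattern in a few lines. The following is an added, self-contained Java simulation; it is not GateIn, WSRP or CXF code. The `Message` class, the `SharedFieldInterceptor` and `PerMessageInterceptor` names and the context key `ws.username.token.principal` are hypothetical stand-ins; the only real-world detail it borrows is the field name `wsUsernameTokenPrincipal` from the ticket. It runs many concurrent requests with distinct callers and counts how often a request ends up acting as someone else.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added illustration (not GateIn/CXF code): a per-endpoint interceptor that keeps
 * the caller's principal in an instance field, beside one that keeps it on the
 * message being processed.
 */
public class PrincipalRaceDemo {

    /** Hypothetical stand-in for a SOAP message; the real CXF Message is a map-like context. */
    static final class Message {
        final String usernameToken;                       // who the WS-Security header says is calling
        final Map<String, Object> context = new HashMap<>(); // per-message scratch space
        Message(String usernameToken) { this.usernameToken = usernameToken; }
    }

    interface Interceptor {
        /** Returns the principal the endpoint would act as for this message. */
        String handleMessage(Message msg) throws InterruptedException;
    }

    /** Buggy pattern: one shared instance, state written and then read across a delay. */
    static final class SharedFieldInterceptor implements Interceptor {
        private String wsUsernameTokenPrincipal;          // shared by every thread on the endpoint

        public String handleMessage(Message msg) throws InterruptedException {
            wsUsernameTokenPrincipal = msg.usernameToken;  // thread A writes its caller
            Thread.sleep(ThreadLocalRandom.current().nextInt(1, 20)); // slow message; thread B may overwrite here
            return wsUsernameTokenPrincipal;               // thread A may now read thread B's caller
        }
    }

    /** Safe pattern: the principal travels with the message, never with the interceptor instance. */
    static final class PerMessageInterceptor implements Interceptor {
        private static final String KEY = "ws.username.token.principal"; // hypothetical key name

        public String handleMessage(Message msg) throws InterruptedException {
            msg.context.put(KEY, msg.usernameToken);       // stored on this request only
            Thread.sleep(ThreadLocalRandom.current().nextInt(1, 20));
            return (String) msg.context.get(KEY);          // always this request's own caller
        }
    }

    /**
     * Runs {@code requests} concurrent calls, each with a distinct caller, and returns how
     * many of them were handled under a principal that was not their own.
     */
    static int countSwaps(Interceptor interceptor, int requests) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(16);
        AtomicInteger swaps = new AtomicInteger();
        List<Future<?>> futures = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            final String caller = "user" + i;             // constructed sample callers
            futures.add(pool.submit(() -> {
                String seen = interceptor.handleMessage(new Message(caller));
                if (!caller.equals(seen)) {
                    swaps.incrementAndGet();               // credentials swap observed
                }
                return null;
            }));
        }
        for (Future<?> f : futures) {
            f.get();                                       // propagate any failure from the workers
        }
        pool.shutdown();
        return swaps.get();
    }

    public static void main(String[] args) throws Exception {
        // With 16 threads and a 1-19 ms delay, the shared-field variant typically swaps
        // principals on a large fraction of requests; the per-message variant never does.
        System.out.println("shared-field swaps: " + countSwaps(new SharedFieldInterceptor(), 500));
        System.out.println("per-message swaps:  " + countSwaps(new PerMessageInterceptor(), 500));
    }
}
```

Compile and run with `javac PrincipalRaceDemo.java && java PrincipalRaceDemo`. The exact swap count for the shared-field variant varies from run to run, which is the same reason the ticket notes the last two reproduction steps "might need a few tries"; the per-message variant reports zero regardless of thread count or delay, because nothing request-specific lives on the singleton.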
--
This message was sent by Atlassian JIRA (v6.2.3#6260)