April 2014 - jboss-jira - Jboss List Archives

[JBoss JIRA] (JBWEB-297) NIO can improperly lead to request/response objects being used concurrently

by RH Bugzilla Integration (JIRA)

[ https://issues.jboss.org/browse/JBWEB-297?page=com.atlassian.jira.plugin.... ] RH Bugzilla Integration updated JBWEB-297: ------------------------------------------ Bugzilla Update: Perform Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=1090103 > NIO can improperly lead to request/response objects being used concurrently > --------------------------------------------------------------------------- > > Key: JBWEB-297 > URL: https://issues.jboss.org/browse/JBWEB-297 > Project: JBoss Web > Issue Type: Bug > Security Level: Public(Everyone can see) > Components: Tomcat > Affects Versions: JBossWeb-7.2.2.GA, JBossWeb-7.3.0.GA, JBossWeb-7.4.0.GA > Reporter: Aaron Ogburn > Assignee: Remy Maucherat > > Using NIO with async servlets can improperly lead to a processor and its request/response objects being used by multiple threads to process different requests at once. The problem arises here in Http11NioProtocol.event(): > {code:title=Http11NioProtocol.java|borderStyle=solid} > public SocketState event(NioChannel channel, SocketStatus status) { > Http11NioProcessor processor = connections.get(channel.getId()); > SocketState state = SocketState.CLOSED; > if (processor != null) { > processor.startProcessing(); > // Call the appropriate event > try { > state = processor.event(status); > } catch (java.net.SocketException e) { > // SocketExceptions are normal > CoyoteLogger.HTTP_NIO_LOGGER.socketException(e); > } catch (java.io.IOException e) { > // IOExceptions are normal > CoyoteLogger.HTTP_NIO_LOGGER.socketException(e); > } > // Future developers: if you discover any other > // rare-but-nonfatal exceptions, catch them here, and log as > // above. > catch (Throwable e) { > // any other exception or error is odd. Here we log it > // with "ERROR" level, so it will show up even on > // less-than-verbose logs. > CoyoteLogger.HTTP_NIO_LOGGER.socketError(e); > } finally { > if (state != SocketState.LONG) { > connections.remove(channel.getId()); > recycledProcessors.offer(processor); > {code} > If two events occur on the same channel and execute this at the same time, it'll lead to this issue if they result in a SocketState other than LONG. When that happens, they both offer the same processor to recycledProcessors in the finally block. Later on, two different requests can then poll the same processor at once from reycledProcessors; a processor should only ever have one entry in recycledProcessors. > It looks like we need to synch the Http11NioProtocol.event() call or the NioEndpoint.ChannelProcessor.run(). -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

10 years, 5 months

1
0
0 / 0

[JBoss JIRA] (SECURITY-822) Remove the 'NET' project from JBoss Negotiation

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/SECURITY-822?page=com.atlassian.jira.plug... ] Darran Lofthouse updated SECURITY-822: -------------------------------------- Fix Version/s: Negotiation_2_2_9 (was: Negotiation_2_2_8) > Remove the 'NET' project from JBoss Negotiation > ----------------------------------------------- > > Key: SECURITY-822 > URL: https://issues.jboss.org/browse/SECURITY-822 > Project: PicketBox > Issue Type: Bug > Security Level: Public(Everyone can see) > Components: Negotiation > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: Negotiation_2_2_9, Negotiation_2_3_1_Final > > > The net project is not used in AS 7, EAP 6 or WildFly so time to delete it. > In WildFly 9 an alternative SASL based approach will be used for EJB invocations. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

10 years, 5 months

1
0
0 / 0

[JBoss JIRA] (SECURITY-717) Get JBoss Negotiation into Maven Central

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/SECURITY-717?page=com.atlassian.jira.plug... ] Darran Lofthouse updated SECURITY-717: -------------------------------------- Fix Version/s: Negotiation_2_2_9 (was: Negotiation_2_2_8) > Get JBoss Negotiation into Maven Central > ---------------------------------------- > > Key: SECURITY-717 > URL: https://issues.jboss.org/browse/SECURITY-717 > Project: PicketBox > Issue Type: Task > Security Level: Public(Everyone can see) > Components: Negotiation > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: Negotiation_2_2_9 > > > This will allow the JBoss Negotiation Toolkit to be removed from the project and instead moved to the quick starts making it much easier for end users to deploy and test. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

10 years, 5 months

1
0
0 / 0

[JBoss JIRA] (SECURITY-677) Remove JBoss Negotiation Toolkit

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/SECURITY-677?page=com.atlassian.jira.plug... ] Darran Lofthouse updated SECURITY-677: -------------------------------------- Fix Version/s: Negotiation_2_2_9 (was: Negotiation_2_2_8) > Remove JBoss Negotiation Toolkit > -------------------------------- > > Key: SECURITY-677 > URL: https://issues.jboss.org/browse/SECURITY-677 > Project: PicketBox > Issue Type: Task > Security Level: Public(Everyone can see) > Components: Negotiation > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: Negotiation_2_2_9 > > > JBoss Negotiation Toolkit is being moved to the quickstarts, so it does not need to be maintained in two different locations delete it from the Negotiation source tree. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

10 years, 5 months

1
0
0 / 0

[JBoss JIRA] (SECURITY-823) Release JBoss Negotiation 2.2.8

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/SECURITY-823?page=com.atlassian.jira.plug... ] Darran Lofthouse resolved SECURITY-823. --------------------------------------- Resolution: Done > Release JBoss Negotiation 2.2.8 > ------------------------------- > > Key: SECURITY-823 > URL: https://issues.jboss.org/browse/SECURITY-823 > Project: PicketBox > Issue Type: Release > Security Level: Public(Everyone can see) > Components: Negotiation > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: Negotiation_2_2_8 > > -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

10 years, 5 months

1
0
0 / 0

[JBoss JIRA] (SECURITY-823) Release JBoss Negotiation 2.2.8

by Darran Lofthouse (JIRA)

Darran Lofthouse created SECURITY-823: ----------------------------------------- Summary: Release JBoss Negotiation 2.2.8 Key: SECURITY-823 URL: https://issues.jboss.org/browse/SECURITY-823 Project: PicketBox Issue Type: Release Security Level: Public (Everyone can see) Components: Negotiation Reporter: Darran Lofthouse Assignee: Darran Lofthouse Fix For: Negotiation_2_2_8 -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

10 years, 5 months

1
0
0 / 0

[JBoss JIRA] (SECURITY-799) Port the fallback to BASIC auth fix from branch security-negotiation-2.1.x

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/SECURITY-799?page=com.atlassian.jira.plug... ] Darran Lofthouse updated SECURITY-799: -------------------------------------- Description: The following two commits need to be pulled to master before 2.3.1 is tagged. https://github.com/wildfly/jboss-negotiation/commit/3a9ca05459edd6e4d3f37... https://github.com/wildfly/jboss-negotiation/commit/6edd2b0d30ff578bc3197... was: The following two commits need to be pulled to master before 2.2.8 is tagged. https://github.com/wildfly/jboss-negotiation/commit/3a9ca05459edd6e4d3f37... https://github.com/wildfly/jboss-negotiation/commit/6edd2b0d30ff578bc3197... > Port the fallback to BASIC auth fix from branch security-negotiation-2.1.x > -------------------------------------------------------------------------- > > Key: SECURITY-799 > URL: https://issues.jboss.org/browse/SECURITY-799 > Project: PicketBox > Issue Type: Task > Security Level: Public(Everyone can see) > Components: Negotiation > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: Negotiation_2_3_1_Final > > Attachments: NegotiationAuthenticator.java > > > The following two commits need to be pulled to master before 2.3.1 is tagged. > https://github.com/wildfly/jboss-negotiation/commit/3a9ca05459edd6e4d3f37... > https://github.com/wildfly/jboss-negotiation/commit/6edd2b0d30ff578bc3197... -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

10 years, 5 months

1
0
0 / 0

[JBoss JIRA] (SECURITY-799) Port the fallback to BASIC auth fix from branch security-negotiation-2.1.x

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/SECURITY-799?page=com.atlassian.jira.plug... ] Darran Lofthouse updated SECURITY-799: -------------------------------------- Fix Version/s: Negotiation_2_3_1_Final (was: Negotiation_2_2_8) > Port the fallback to BASIC auth fix from branch security-negotiation-2.1.x > -------------------------------------------------------------------------- > > Key: SECURITY-799 > URL: https://issues.jboss.org/browse/SECURITY-799 > Project: PicketBox > Issue Type: Task > Security Level: Public(Everyone can see) > Components: Negotiation > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: Negotiation_2_3_1_Final > > Attachments: NegotiationAuthenticator.java > > > The following two commits need to be pulled to master before 2.2.8 is tagged. > https://github.com/wildfly/jboss-negotiation/commit/3a9ca05459edd6e4d3f37... > https://github.com/wildfly/jboss-negotiation/commit/6edd2b0d30ff578bc3197... -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

10 years, 5 months

1
0
0 / 0

[JBoss JIRA] (SECURITY-640) Jboss Negotiation fallback to login page if NTLM token is received or the user is not present in active directory.

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/SECURITY-640?page=com.atlassian.jira.plug... ] Darran Lofthouse updated SECURITY-640: -------------------------------------- Fix Version/s: Negotiation_2_2_8 > Jboss Negotiation fallback to login page if NTLM token is received or the user is not present in active directory. > ------------------------------------------------------------------------------------------------------------------ > > Key: SECURITY-640 > URL: https://issues.jboss.org/browse/SECURITY-640 > Project: PicketBox > Issue Type: Bug > Security Level: Public(Everyone can see) > Components: Negotiation > Environment: Active Directory Winwos 2003, Client Machine windows XP, Jboss Server Machine Window XP and Jboss 6.1 > Reporter: Hrishi Salvi > Assignee: Derek Horton > Fix For: Negotiation_2_2_8, Negotiation_2_3_0_CR2 > > > We are trying to configure the single sign on using jboss negotiation. > We are able to login successfully if the user is present in active directory. > But in case if user is not present in active directory users, it throw 401 error page. > Instead of 401 we want user to access login form and authenticate user using different login module. > In our case we have login page we authenticate user on that page. > If we receive user credentials we login the user without asking for password. > Now if the user credentials are not received then we want user to open login form present > on login page, but before that is throws 401 error. > We have configure the login-config.xml, web.xml and jboss-web.xml as per the documentation. > Also defined > <web-resource-collection> > <web-resource-name>Restricted</web-resource-name> > <url-pattern>/Request</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > </web-resource-collection> > in web.xml > Our application is access through Request servlet. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

10 years, 5 months

1
0
0 / 0

[JBoss JIRA] (SECURITY-722) SPNEGO-fallback-to-FORM authentication does not work with httpd+JBossEAP6 if SPNEGO not available

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/SECURITY-722?page=com.atlassian.jira.plug... ] Darran Lofthouse updated SECURITY-722: -------------------------------------- Fix Version/s: Negotiation_2_2_8 > SPNEGO-fallback-to-FORM authentication does not work with httpd+JBossEAP6 if SPNEGO not available > ------------------------------------------------------------------------------------------------- > > Key: SECURITY-722 > URL: https://issues.jboss.org/browse/SECURITY-722 > Project: PicketBox > Issue Type: Bug > Security Level: Public(Everyone can see) > Components: Negotiation > Affects Versions: Negotiation_2_2_1 > Environment: RHEL6, JBoss EAP 6 > Reporter: flame liu > Assignee: Derek Horton > Fix For: Negotiation_2_2_8, Negotiation_2_3_0_CR2 > > > I configured SPNEGO in EAP6. It works well both with EAP only and EAP6 + Apache httpd(mod_proxy). Users just run kinit and will be able to be successfully authenticated. > After that, I added the fallback-to-form files/configurations both in the web app and standalone-full.xml. The fallback-to-form works only if httpd stops. If httpd starts, 401 error will always be thrown out. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

10 years, 5 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira April 2014