]
Anil Saldhana closed SECURITY-22.
---------------------------------
Resolution: Rejected
Concurrency bug in JaasSecurityManager
--------------------------------------
Key: SECURITY-22
URL:
http://jira.jboss.com/jira/browse/SECURITY-22
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: JBossSX
Affects Versions: 1.x
Reporter: Alex Besogonov
Assigned To: Anil Saldhana
Fix For: 2.0.GA
JaasSecurityManager$DomainInfo.destroy calls logout() when cached entry expires, even
while it is used by another thread.
Suppose we have two threads:
Thread 1:
1. 'User1' authentication
2. 'User1' is added to auth cache
3. Doing some lengthy operation
4. Checking roles of User1 - WILL FAIL, another thread has called logout()!
Thread 2 (when Thread1 is doing 'some lengthy operation' ):
1. 'User1' logs in.
2. Auth cache entry has expired.
3. Calling .logout() on stale entry
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: