Jason Greene reopened JBAS-8534:
--------------------------------
Due to feedback from the community, I have split the AS7 and AS6 projects and reopened all
unscheduled AS6 issues that are a year or less old. This will make it easier for community
members to find and work on them.
Future releases beyond 6.1 can be done provided a community member steps up to coordinate
them.
Security Credential is shared between threads
---------------------------------------------
Key: JBAS-8534
URL: https://issues.jboss.org/browse/JBAS-8534
Project: Legacy JBoss Application Server 6
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-4.2.3.GA
Environment: JBOSS AS 4.2.3 on Linux
Reporter: Rajesh Bhabu
Assignee: Anil Saldhana
Fix For: No Release
Because of the Anonymous issue as reported in
https://jira.jboss.org/browse/JBAS-3945, we
coded something similar to the following to work around the issue. This was suggested by
the JBOSS support team.
---------------------------------------------------------------------------------------------
When we are changing the principal (performing another login) we need to call
these Jboss APIs in our login module:
SecurityAssociation.popRunAsRole()
SecurityAssociation.pushRunAsRole()
This will pop the old run-as role and push the new run as role (which we want
the second transaction to run as).
Change the JAAS login module to explicitly set the new principal and
credentials during login. This was after the callback handler handle method
was invoked and we had the principal and credentials:
SecurityAssociation.setPrincipal(new SimplePrincipal(username));
SecurityAssociation.setCredential(password);
--------------------------------------------------------------------------------------------------------------------------
After doing this, we started seeing the principal is shared among the threads. For example,
user 1 logs in and sees information about user 2. This happens only after heavy load
testing. This is also reproducible after a couple of hours of running a load test.
If we remove the above code, then the issue goes away. But the anonymous issue appears.
Any help is appreciated in finding the root cause of the issue.
--
This message is automatically generated by JIRA.
For more information on JIRA, see:
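The failure mode the reporter describes, one thread observing the principal another thread set, is what you get whenever login state lives in a slot shared by all request threads instead of a per-thread one. The following is an added example, not code from the reporter or from JBoss: it uses a hypothetical PrincipalHolder stand-in rather than the real SecurityAssociation, and drives both a shared-static and a ThreadLocal implementation with concurrent simulated logins, counting how often a thread reads back a principal it did not set. One thing worth checking against the 4.2.3 source when chasing this is whether SecurityAssociation.setServer() has been called, since without it the class keeps principal and credential in plain static fields rather than thread-local ones; the example below models exactly that difference.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added example (not JBoss code): shows why a static principal slot leaks
 * identities across request threads under load, and why a ThreadLocal slot does not.
 */
public final class PrincipalLeakDemo {

    /** Hypothetical stand-in for a principal holder such as SecurityAssociation. */
    interface PrincipalHolder {
        void set(String principal);
        String get();
        void clear();
    }

    /** One static field for the whole JVM: every thread reads and writes the same slot. */
    static final class SharedHolder implements PrincipalHolder {
        private static volatile String principal;
        public void set(String p) { principal = p; }
        public String get() { return principal; }
        public void clear() { principal = null; }
    }

    /** One slot per thread: a request thread can only see what it set itself. */
    static final class ThreadLocalHolder implements PrincipalHolder {
        private static final ThreadLocal<String> principal = new ThreadLocal<>();
        public void set(String p) { principal.set(p); }
        public String get() { return principal.get(); }
        public void clear() { principal.remove(); }
    }

    /**
     * Runs `threads` concurrent workers, each doing `requestsPerThread` simulated requests:
     * log in as its own user, yield (stands in for real work), then check which principal
     * it sees. Returns the number of requests that saw a different user's principal (or none).
     */
    static int runLoad(PrincipalHolder holder, int threads, int requestsPerThread)
            throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger leaks = new AtomicInteger();
        CountDownLatch done = new CountDownLatch(threads);
        for (int t = 0; t < threads; t++) {
            final String user = "user" + t;   // constructed sample identity
            pool.submit(() -> {
                try {
                    for (int i = 0; i < requestsPerThread; i++) {
                        holder.set(user);
                        Thread.yield();        // let other request threads interleave
                        String seen = holder.get();
                        if (!user.equals(seen)) {
                            leaks.incrementAndGet();   // cross-thread identity leak
                        }
                        holder.clear();        // always clear at request end (pooled threads!)
                    }
                } finally {
                    done.countDown();
                }
            });
        }
        done.await();
        pool.shutdown();
        return leaks.get();
    }

    public static void main(String[] args) throws InterruptedException {
        int leaksShared = runLoad(new SharedHolder(), 8, 20_000);
        int leaksLocal = runLoad(new ThreadLocalHolder(), 8, 20_000);
        System.out.println("shared static holder, leaked requests: " + leaksShared);
        System.out.println("thread-local holder,  leaked requests: " + leaksLocal);
    }
}
```

On a multi-core machine the shared holder reports a non-zero leak count after a single run, while the ThreadLocal holder reports zero every time, which is the same "only under load" symptom the report describes. Two points carry over to a real login module: whatever slot you write the principal into must be per-thread, and because application-server request threads are pooled, the slot must be cleared at the end of every request, or the next request on that thread inherits the previous caller's identity.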