[jboss-jira] [JBoss JIRA] Resolved: (SECURITY-339) ClientLoginModule improperly handles SecurityAssociation stack in abort()
[
https://jira.jboss.org/jira/browse/SECURITY-339?page=com.atlassian.jira.p...
]
Anil Saldhana resolved SECURITY-339.
------------------------------------
Resolution: Done
ClientLoginModule improperly handles SecurityAssociation stack in
abort()
-------------------------------------------------------------------------
Key: SECURITY-339
URL: https://jira.jboss.org/jira/browse/SECURITY-339
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: JBossSX
Reporter: Marco Schulze
Assignee: Anil Saldhana
Fix For: JBossSecurity_2.0.4
The abort() method calls SecurityAssociationActions.popPrincipalInfo() even though the
corresponding push happens in commit() [via
SecurityAssociationActions.setPrincipalInfo(loginPrincipal, loginCredential, subject)].
That means, whenever a login fails, the commit is not called (thus nothing pushed), but
the abort pops out an element from the stack. This should not be done. IMHO the abort()
method should look like this:
public boolean abort() throws LoginException
{
if( trace )
log.trace("abort");
if( restoreLoginIdentity == false )
{
// Clear the entire security association stack
SecurityAssociationActions.clear();
}
return true;
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira