Hisanobu Okuda commented on SECURITY-1006:
------------------------------------------
Since initialize() is called in the constructor of JBossServerAuthContext:
{code}
public JBossServerAuthContext(List<ServerAuthModule> modules,
        Map<String,Map> moduleNameToOptions, CallbackHandler cbh) throws AuthException
{
    this.modules = modules;
    this.moduleOptionsByName = moduleNameToOptions;
    for(ServerAuthModule sam:modules)
    {
        sam.initialize(null, null, cbh,
                moduleOptionsByName.get(sam.getClass().getName()));
    }
}
{code}
There is no need to call it in JBossServerAuthConfig.getAuthContext()
{code}
if(bai instanceof AuthenticationInfo)
{
    //Need to get a wrapper
    ServerAuthModule sam = new DelegatingServerAuthModule();
    Map options = new HashMap();
    options.put("javax.security.auth.login.LoginContext", secDomain); //Name of sec domain
    sam.initialize(null, null, this.callbackHandler, options); <== NOT NEEDED
    modules.add(sam);
}
else
{
    JASPIAuthenticationInfo jai = (JASPIAuthenticationInfo)bai;
    AuthModuleEntry[] amearr = jai.getAuthModuleEntry();

    // establish the module classloader if a jboss-module has been specified.
    ClassLoader moduleCL = null;
    List<String> jbossModuleNames = jai.getJBossModuleNames();
    if (!jbossModuleNames.isEmpty())
    {
        ClassLoaderLocator locator = ClassLoaderLocatorFactory.get();
        if (locator != null)
            moduleCL = locator.get(jbossModuleNames);
    }

    for(AuthModuleEntry ame: amearr)
    {
        if(ame.getLoginModuleStackHolderName() != null)
        {
            try
            {
                mapOptionsByName.put(ame.getAuthModuleName(), ame.getOptions());
                controlFlags.add(ame.getControlFlag());
                ServerAuthModule sam = this.createSAM(moduleCL, ame.getAuthModuleName(),
                        ame.getLoginModuleStackHolderName());

                Map options = new HashMap();

                options.putAll(ame.getOptions());
                sam.initialize(null, null, callbackHandler, options); <== NOT NEEDED
                modules.add(sam);
            }
            catch (Exception e)
            {
                throw new AuthException(e.getLocalizedMessage());
            }
        }
        else
        {
            try
            {
                mapOptionsByName.put(ame.getAuthModuleName(), ame.getOptions());
                controlFlags.add(ame.getControlFlag());
                ServerAuthModule sam = this.createSAM(moduleCL, ame.getAuthModuleName());

                Map options = new HashMap();
                options.putAll(ame.getOptions());
                sam.initialize(null, null, callbackHandler, options); <== NOT NEEDED
                modules.add(sam);
            }
{code}
JASPIC module's initialize() is called multiple times
-----------------------------------------------------
Key: SECURITY-1006
URL: https://issues.redhat.com/browse/SECURITY-1006
Project: PicketBox
Issue Type: Bug
Components: PicketBox
Affects Versions: PicketBox_5_0_3.Beta1
Reporter: Hisanobu Okuda
Priority: Major
Attachments: reproducer.tar.gz
JASPIC module's initialize() is called multiple times.
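As an added diagnostic (not PicketBox or JBoss code, and not attached to the issue), the following JASPIC module records every initialize() call it receives, with the caller's stack trace, so a test deployment can confirm from the container log whether each module is initialized once or twice as described in the comment above. The class and logger names are assumptions; registering it in a security domain's JASPI configuration is assumed to follow the normal PicketBox module setup.

```java
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.module.ServerAuthModule;

/**
 * Diagnostic module (added example, not PicketBox code): logs every initialize()
 * call on this instance with the caller's stack trace, so the log shows whether a
 * module is initialized once (expected) or twice. It never grants access.
 */
public class InitCountingServerAuthModule implements ServerAuthModule {
    private static final Logger LOG = Logger.getLogger(InitCountingServerAuthModule.class.getName());
    private final AtomicInteger initCalls = new AtomicInteger();
    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        int n = initCalls.incrementAndGet();
        // The first call is expected; any further call is the double initialization.
        // The Throwable's stack trace names the caller (e.g. getAuthContext vs. the context constructor).
        Level level = (n == 1) ? Level.INFO : Level.WARNING;
        LOG.log(level, "initialize() call #" + n + " on instance "
                + System.identityHashCode(this) + " with options " + options,
                new Throwable("initialize() caller"));
    }
    /** Calls seen so far; a container-side test can assert this is exactly 1. */
    public int initializeCallCount() {
        return initCalls.get();
    }
    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[0]; // lifecycle probe only; claims no message types
    }
    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        return AuthStatus.SEND_FAILURE; // deny by default; this module never authenticates
    }
    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }
    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        // nothing to clean: no principals were added to the subject
    }
}
```

With the call sites shown in the comment left as they are, the log records two initialize() entries per module instance, one from getAuthContext() and one from the JBossServerAuthContext constructor; once the redundant calls are removed, only the constructor's entry remains.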
--
This message was sent by Atlassian Jira
(v7.13.8#713008)