]
RH Bugzilla Integration commented on SECURITY-882:
--------------------------------------------------
Vladimir Dosoudil <dosoudil(a)redhat.com> changed the Status of [bug
Fix for SECURITY-868 breaks flush-cache capability
--------------------------------------------------
Key: SECURITY-882
URL:
https://issues.jboss.org/browse/SECURITY-882
Project: PicketBox
Issue Type: Bug
Components: AS-Integration
Affects Versions: PicketBox_4_0_19.Final
Environment: EAP 6.3.3, JDV 6.1.0
Reporter: Hisanobu Okuda
Assignee: Stefan Guilhen
The member field ThreadLocal<CompoundInfo> validatedDomainInfo was introduced for
the fix of SECURITY-868. When you are authenticated, a valid security info is stored in
the field thread-locally. Then, you flushes the JAAS cache via CLI or API in another
thread, org.jboss.security.authentication.JBossCachedAuthenticationManager.flushCache() is
invoked, but validatedDomainInfo is not flushed properly, since it is ThreadLocal. As a
result, a cached security info is re-used unexpectedly.