LoginContext exception crashes application
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: JBossAS-4.0.4.GA
Environment: Linux. I have two linux servers with JBoss installed running in
clustered mode and two servers with Tomcat 5.23 running in load-balancing mode(not
I have replicated the problem on windows with a jboss and tomcat running independently.
Reporter: Christos Nicolaou
Assigned To: Scott M Stark
The problem occurs when I the LoginContext is initialized and logged in, and I try to call
the server. At this point the call fails(wrong credentials) and I do not logout the
context. After this any call coming to the tomcat server from any browser running on other
machines gives a security exception in JBoss. In the JBoss log it I can see the JBoss
ServerLoginModule saying "Bad Password given for username=a" where 'a'
is the user with the invalid credentials from the previous call.
In case the LoginContext is logged out in case of an exception everything works out fine.
However, since what I described above means that the web-server picks up a LoginContext
belonging to a different session this worries me a lot.
This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see: http://www.atlassian.com/software/jira