[https://issues.jboss.org/browse/WFLY-9251?page=com.atlassian.jira.plugin....]
Rémy Delerue edited comment on WFLY-9251 at 9/12/17 9:36 AM:
-------------------------------------------------------------
We disabled _ClientLoginModule_ and the issue seems to be resolved.
We think the following configuration is wrong:
{code:xml}
<security-domain name="TestSecurityDomain" cache-type="default">
    <authentication>
        <login-module code="be.test.TestLoginModule" flag="required"/>
        <login-module code="org.jboss.security.ClientLoginModule" flag="optional"/>
    </authentication>
</security-domain>
{code}
According to [wiki/ClientLoginModule|https://developer.jboss.org/wiki/ClientLoginModule], you can't have a _ClientLoginModule_ and the actual authentication module in the same security domain. We disabled our _ClientLoginModule_ and things seem better, with good performance (that wasn't the case without the cache or with the _synchronized_ blocks we tested).
We'll re-enable it if we really need it.
Security context is not thread safe
-----------------------------------
Key: WFLY-9251
URL: https://issues.jboss.org/browse/WFLY-9251
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 10.1.0.Final
Environment: Windows, Linux
Reporter: charles ghislain
Assignee: Darran Lofthouse
Labels: jaas, security, security-context, thread-safety, threads
Attachments: wildfly-auth-overloader.js, wildflytestauthcontext-2.zip, wildflytestauthcontext.zip
Using a custom JAAS login module, we sometimes fail to obtain the authenticated subject from the 'javax.security.auth.Subject.container' policy context. This appears to be related to the worker threads.
See the reproduction steps below. When a WildFly instance attempts to authenticate 500 requests coming in simultaneously, a bunch of them fail. If you configure WildFly to only use a single worker thread and a single task thread, this issue disappears.
The issue is as follows:
I log in using HttpServletRequest#login.
Right after that, login.getUserPrincipal returns the correct principal.
However, sometimes, PolicyContext.getContext("javax.security.auth.Subject.container") returns null right after the login.
In our production app, PolicyContext.getContext("javax.security.auth.Subject.container") returns null during some EJB calls, throwing random exceptions from various parts of the application.
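A minimal servlet that exercises the exact sequence described in the report (HttpServletRequest#login, then getUserPrincipal, then the JACC Subject lookup) and turns the outcome into an HTTP status so a load driver firing concurrent requests can count failures. This is an added example, not code from the ticket's attachments or from WildFly itself. It assumes the WAR's jboss-web.xml names the TestSecurityDomain shown in the comment above, that the login module in that domain accepts the user and password sent as request parameters, and the package, class and parameter names are placeholders. Beyond the null check the reporter describes, it also flags a Subject whose principals do not contain the user that just logged in, which is what a security context shared between worker threads would produce.

```java
// Added reproducer for WFLY-9251 (not from the ticket's attachments).
// Assumptions: the WAR's jboss-web.xml sets
// <security-domain>TestSecurityDomain</security-domain>, and the JAAS login
// module in that domain accepts the user/password passed as request parameters.
package be.test.repro; // placeholder package

import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/auth-check")
public class AuthContextCheckServlet extends HttpServlet {

    // JACC key under which the container publishes the authenticated Subject.
    static final String SUBJECT_KEY = "javax.security.auth.Subject.container";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "user and password required");
            return;
        }
        try {
            req.login(user, password);   // programmatic JAAS login, as in the report
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }
        try {
            String outcome = checkSecurityContext(req, user);
            // Anything but OK becomes a 500 so a load driver can count failures.
            resp.setStatus("OK".equals(outcome)
                    ? HttpServletResponse.SC_OK
                    : HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            resp.setContentType("text/plain");
            resp.getWriter().println(outcome + " thread=" + Thread.currentThread().getName());
        } catch (PolicyContextException e) {
            throw new ServletException(e);
        } finally {
            req.logout();   // do not leave the identity on the pooled worker thread
        }
    }

    /**
     * The check from the report: the principal is visible, but is the Subject?
     * Also detects a Subject that belongs to a different user, which is what a
     * context leaking across worker threads would look like.
     */
    static String checkSecurityContext(HttpServletRequest req, String expectedUser)
            throws PolicyContextException {
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            return "NO_PRINCIPAL";
        }
        Subject subject = (Subject) PolicyContext.getContext(SUBJECT_KEY);
        if (subject == null) {
            return "NO_SUBJECT";          // the symptom reported in this ticket
        }
        boolean matches = subject.getPrincipals().stream()
                .anyMatch(p -> expectedUser.equals(p.getName()));
        return matches ? "OK" : "SUBJECT_MISMATCH";
    }
}
```

Deploy the WAR, then fire a few hundred concurrent GETs at /auth-check?user=...&password=... and count the non-200 responses; the body names the failing check and the worker thread that served it. Repeating the run with the server limited to a single worker and task thread, as the reporter did, gives the baseline to compare against.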
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)