William Newman commented on JBAS-2820:
--------------------------------------
I am seeing this problem in 4.2.2.GA.
ClientLoginModule improperly clears SecurityAssociation stack in logout()
-------------------------------------------------------------------------

                 Key: JBAS-2820
                 URL: https://jira.jboss.org/jira/browse/JBAS-2820
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Security
    Affects Versions: JBossAS-4.0.4RC1
            Reporter: Luigi Putanesca
            Assignee: Scott M Stark
            Priority: Critical
             Fix For: JBossAS-3.2.8.SP1, JBossAS-4.0.4.CR2, JBossAS-5.0.0.Beta1

I found a problem with how the ClientLoginModule handles the SecurityAssociation stack.
The problem appears under the following conditions:

1. restoreLoginIdentity = true
2. Method calls are made through session bean interfaces (this causes the stack to be pushed and later popped).
3. There are multiple logins before a logout.

Summary:

Basically what happens is I login a user, call a session bean, login a second user, logout the second user, exit the session bean and expect to revert to the original user. The original user should still be logged in but it isn't. The problem is this: the ClientLoginModule.logout() method always clears the SecurityAssociation stack and then restores the login identity by logging in again. This leaves the stack out of sync, and when the session bean call exits, the stack is popped again and the user is removed when it really should still be there.

Here is a sequence of what happens with the stack during my scenario:

1. Starting point. (Stack.size = 0)
2. Login 1st user. User is set to SecurityAssociation and pushed to stack. (Stack.size = 1)
3. Make call to session bean. User is pushed to stack again by AuthenticationInterceptor. (Stack.size = 2)
4. Login 2nd user. User is set to SecurityAssociation and pushed to stack. (Stack.size = 3)
5. Logout 2nd user. Stack is cleared. (Stack.size = 0) (THIS IS THE PROBLEM)
6. 1st user is reset to SecurityAssociation and pushed to stack by the ClientLoginModule. (Stack.size = 1)
7. Exit call to session bean. 1st user is popped from stack by AuthenticationInterceptor. (Stack.size = 0)
8. No user is logged in.

What should be happening is in Step 5, the stack should be popped, not cleared. The end result in Step 8 should be one user in the stack. The only way I should end up with an empty stack is if I call logout again, which I didn't.

Here is the fix I put into the ClientLoginModule:
    public boolean abort() throws LoginException {
        /* Changed here. Only clear if not restoring identity. */
        if (restoreLoginIdentity) {
            // Undo only the frame this login pushed; frames pushed by the
            // AuthenticationInterceptor for in-flight bean calls stay intact.
            SecurityAssociation.popSubjectContext();
        }
        else {
            // No identity to restore, so dropping the whole stack is intended.
            SecurityAssociation.clear();
        }
        return true;
    }

    public boolean logout() throws LoginException {
        /* Changed here. Only clear if not restoring identity. */
        if (restoreLoginIdentity) {
            // Pop instead of clear so the previous identity (and any
            // interceptor frames above it) remain on the stack.
            SecurityAssociation.popSubjectContext();
        }
        else {
            SecurityAssociation.clear();
        }
        // Detach this login's principal from the Subject as before.
        Set principals = subject.getPrincipals();
        principals.remove(loginPrincipal);
        return true;
    }

--
This message is automatically generated by JIRA.
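The eight-step stack sequence in the report, replayed as an added Python model. This is not JBoss code: the SecurityAssociation, ClientLoginModule and AuthenticationInterceptor classes below are simplified stand-ins for the JBoss classes of the same names (their push/pop/clear roles are assumed from the description above), the buggy/fixed switch is an illustrative parameter, and "user1"/"user2" are constructed sample identities. The point it shows is why clear() followed by a re-push leaves the stack one frame short once the interceptor pops on exit, while pop() keeps the two sides balanced.

```python
"""Replay of the SecurityAssociation stack sequence reported in JBAS-2820.

Added stand-alone model, not JBoss code.  The classes below are simplified
stand-ins for the JBoss classes of the same names (an assumption about their
push/pop/clear roles drawn from the report); "user1"/"user2" are constructed.
"""
from typing import Dict, List, Optional


class SecurityAssociation:
    """Per-thread stack of subject contexts; the top frame is the active identity."""

    def __init__(self) -> None:
        self.stack: List[str] = []

    def principal(self) -> Optional[str]:
        return self.stack[-1] if self.stack else None

    def push_subject_context(self, user: str) -> None:
        self.stack.append(user)

    def pop_subject_context(self) -> Optional[str]:
        return self.stack.pop() if self.stack else None

    def clear(self) -> None:
        self.stack.clear()


class ClientLoginModule:
    """One instance per login, as a LoginContext would create.

    buggy=True reproduces the reported logout(): clear the whole stack, then
    log the previously active identity back in.  buggy=False pops exactly the
    frame that login() pushed, which is what the reporter's patch does.
    """

    def __init__(self, sa: SecurityAssociation,
                 restore_login_identity: bool = True, buggy: bool = True) -> None:
        self.sa = sa
        self.restore_login_identity = restore_login_identity
        self.buggy = buggy
        self.previous: Optional[str] = None

    def login(self, user: str) -> None:
        self.previous = self.sa.principal()   # kept for restoreLoginIdentity
        self.sa.push_subject_context(user)

    def logout(self) -> None:
        if not self.restore_login_identity:
            self.sa.clear()                   # nothing to restore: drop everything
        elif self.buggy:
            self.sa.clear()                   # BUG: also drops interceptor frames
            if self.previous is not None:
                self.sa.push_subject_context(self.previous)
        else:
            self.sa.pop_subject_context()     # undo only what login() pushed


class AuthenticationInterceptor:
    """Pushes the caller's identity on bean entry and pops it on exit."""

    def __init__(self, sa: SecurityAssociation) -> None:
        self.sa = sa

    def enter(self) -> None:
        caller = self.sa.principal()
        if caller is None:
            raise RuntimeError("unauthenticated bean call")
        self.sa.push_subject_context(caller)

    def exit(self) -> None:
        self.sa.pop_subject_context()


def replay_scenario(buggy: bool) -> Dict[str, object]:
    """Run the reporter's steps 1-8; return the depth trace, the identity left
    after the bean call returns (step 8), and the identity left once the first
    user finally logs out."""
    sa = SecurityAssociation()
    interceptor = AuthenticationInterceptor(sa)
    first = ClientLoginModule(sa, buggy=buggy)
    second = ClientLoginModule(sa, buggy=buggy)
    depths = [len(sa.stack)]          # 1. starting point
    first.login("user1")
    depths.append(len(sa.stack))      # 2. first login
    interceptor.enter()
    depths.append(len(sa.stack))      # 3. session bean call pushes again
    second.login("user2")
    depths.append(len(sa.stack))      # 4. second login
    second.logout()
    depths.append(len(sa.stack))      # 5-6. logout: clear + re-push, or pop
    interceptor.exit()
    depths.append(len(sa.stack))      # 7. bean call returns, interceptor pops
    after_call = sa.principal()       # 8. who is still logged in?
    first.logout()
    return {"depths": depths, "after_call": after_call,
            "after_logout": sa.principal()}


if __name__ == "__main__":
    for flag in (True, False):
        r = replay_scenario(flag)
        print("buggy" if flag else "fixed", r["depths"], r["after_call"])
```

Run as a script it prints the depth trace for both variants: the buggy module goes 0, 1, 2, 3, 1, 0 and leaves nobody logged in, the patched module goes 0, 1, 2, 3, 2, 1 and leaves user1 active, and only an explicit second logout empties the stack, matching the report's expectation.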