[jboss-jira] [JBoss JIRA] Created: (SECURITY-22) Concurrency bug in JaasSecurityManager
Alex Besogonov (JIRA)
jira-events at jboss.com
Tue Nov 28 00:38:56 EST 2006
Concurrency bug in JaasSecurityManager
--------------------------------------
Key: SECURITY-22
URL: http://jira.jboss.com/jira/browse/SECURITY-22
Project: JBoss Security
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: JBossSX
Affects Versions: 2.0
Reporter: Alex Besogonov
Assigned To: Anil Saldhana

JaasSecurityManager$DomainInfo.destroy calls logout() when a cached entry expires, even while it is used by another thread.

Suppose we have two threads:

Thread 1:
1. 'User1' authentication
2. 'User1' is added to auth cache
3. Doing some lengthy operation
4. Checking roles of User1 - WILL FAIL, another thread has called logout()!

Thread 2 (when Thread 1 is doing 'some lengthy operation'):
1. 'User1' logs in.
2. Auth cache entry has expired.
3. Calling .logout() on stale entry
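
The interleaving described in the report, reproduced deterministically as an added example (not part of the original message and not JBoss code). The `Entry` class, its `roles` set and the reference-counting variant are hypothetical stand-ins: the first run logs out on expiry as reported, the second shows one possible mitigation that defers logout() until the last thread releases the entry.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

public class CacheLogoutRace {
    /** Hypothetical stand-in for a cached login entry (not the real DomainInfo). */
    static class Entry {
        final Set<String> roles = ConcurrentHashMap.newKeySet();
        final AtomicInteger users = new AtomicInteger(1); // 1 = the cache's own reference
        final boolean refCounted;
        Entry(boolean refCounted) { this.refCounted = refCounted; roles.add("admin"); }
        void logout() { roles.clear(); }                  // logout strips the subject's principals
        void acquire() { users.incrementAndGet(); }
        void release() { if (users.decrementAndGet() == 0) logout(); }
        /** Called by the cache when the entry expires. */
        void destroy() { if (refCounted) release(); else logout(); }
    }

    /** Returns true if Thread 1 still sees its role after the lengthy operation. */
    static boolean run(boolean refCounted) throws InterruptedException {
        Entry entry = new Entry(refCounted);              // Thread 1, steps 1-2: authenticated and cached
        CountDownLatch working = new CountDownLatch(1), expired = new CountDownLatch(1);
        boolean[] ok = new boolean[1];
        Thread t1 = new Thread(() -> {
            entry.acquire();
            working.countDown();                          // step 3: lengthy operation begins
            try { expired.await(); } catch (InterruptedException e) { return; }
            ok[0] = entry.roles.contains("admin");        // step 4: role check
            entry.release();
        });
        Thread t2 = new Thread(() -> {
            try { working.await(); } catch (InterruptedException e) { return; }
            entry.destroy();                              // Thread 2: stale entry expires and is destroyed
            expired.countDown();
        });
        t1.start(); t2.start(); t1.join(); t2.join();
        return ok[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("logout on expiry:       role check passes = " + run(false));
        System.out.println("deferred until release: role check passes = " + run(true));
    }
}
```

The latches force the ordering from the report on every run; in production the same failure appears only when cache expiry happens to fall inside another thread's request.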