[jboss-jira] [JBoss JIRA] Created: (JBAS-5034) LoginContext exception crashes application

Christos Nicolaou (JIRA) jira-events at lists.jboss.org
Mon Dec 3 05:49:51 EST 2007


LoginContext exception crashes application
------------------------------------------

                 Key: JBAS-5034
                 URL: http://jira.jboss.com/jira/browse/JBAS-5034
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Security
    Affects Versions: JBossAS-4.0.4.GA
         Environment: Linux. I have two Linux servers with JBoss installed running in clustered mode and two servers with Tomcat 5.23 running in load-balancing mode (not clustered).
I have replicated the problem on Windows with JBoss and Tomcat running independently.
            Reporter: Christos Nicolaou
         Assigned To: Scott M Stark


The problem occurs when the LoginContext is initialized and logged in, and I try to call the server. At this point the call fails (wrong credentials) and I do not log out the context. After this, any call coming to the Tomcat server from any browser running on other machines gives a security exception in JBoss. In the JBoss log I can see the JBoss ServerLoginModule saying "Bad Password given for username=a", where 'a' is the user with the invalid credentials from the previous call.

If the LoginContext is logged out in case of an exception, everything works out fine. However, since what I described above means that the web server picks up a LoginContext belonging to a different session, this worries me a lot.

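The workaround the report describes, logging the LoginContext out even when the call fails, shown as an added example that is not part of the original report or of JBoss code. `TrackingModule`, `callWithLogin` and the `"demo"` entry name are hypothetical; the module is a constructed stand-in for whatever client login module the application configures, and it assumes for illustration that login state is kept per thread.

```java
import java.util.Map;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.spi.LoginModule;

public class LogoutOnFailure {
    // Constructed stand-in for the client-side login module (assumption): it only
    // records whether a login is still active on the current thread.
    public static class TrackingModule implements LoginModule {
        static final ThreadLocal<Boolean> ACTIVE = ThreadLocal.withInitial(() -> false);
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) {}
        public boolean login() { ACTIVE.set(true); return true; }
        public boolean commit() { return true; }
        public boolean abort() { ACTIVE.set(false); return true; }
        public boolean logout() { ACTIVE.set(false); return true; }
    }

    // Log in, run the remote call, and always log out, even when the call throws.
    static <T> T callWithLogin(String entry, CallbackHandler handler, Callable<T> call) throws Exception {
        LoginContext lc = new LoginContext(entry, handler);
        lc.login();
        try {
            return call.call();
        } finally {
            lc.logout(); // runs on success and on failure, so no login outlives the request
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(new Configuration() { // in-memory JAAS config for the demo
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    TrackingModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Map.of()) };
            }
        });
        try { // constructed failure standing in for the rejected server call
            callWithLogin("demo", cb -> {}, () -> { throw new SecurityException("Bad Password"); });
        } catch (SecurityException expected) {
            System.out.println("call failed: " + expected.getMessage());
        }
        System.out.println("login still active on this thread: " + TrackingModule.ACTIVE.get());
    }
}
```

In a servlet container that reuses worker threads, the same `finally` placement keeps one request's failed login from remaining on the thread when the next request arrives.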