[jboss-jira] [JBoss JIRA] Commented: (SECURITY-237) Create different implementation of JaasSecurityManager
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Thu Jun 12 15:45:33 EDT 2008
[ http://jira.jboss.com/jira/browse/SECURITY-237?page=comments#action_12416881 ]
Anil Saldhana commented on SECURITY-237:
----------------------------------------
It should be noted that the current JaasSecurityManager doing a JAAS logout during the cache entry removal is going to be a problem only if the user's codebase depends on some logic that is embedded in the logout() methods of their JAAS login modules. If there is no real code in the logout methods of login modules, there is no need to move to a different implementation of the JSM (that Marcus is talking about).
> Create different implementation of JaasSecurityManager
> ------------------------------------------------------
>
> Key: SECURITY-237
> URL: http://jira.jboss.com/jira/browse/SECURITY-237
> Project: JBoss Security and Identity Management
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: JBossSX
> Affects Versions: 2.0.2.CR3
> Reporter: Marcus Moyses
> Assigned To: Marcus Moyses
> Fix For: 2.0.2.GA
>
>
> The current implementation of the JaasSecurityManager could lead to a problem where multiple threads try to authenticate concurrently.
> Both threads would try to validate the principal in the cache and fail (as the principal has not logged in yet) and proceed to authentication. The first thread authenticates the principal, but the second one removes that entry from the cache (causing a logout) and authenticates the principal again.
> One solution is to make cache validation and authentication an atomic operation, synchronized on the principal's name.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
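The race described in the issue, and the atomic-per-principal fix it proposes, as an added example that is not JBossSX code or anything from this thread. It is a deliberately small model: CountingLoginModule stands in for a JAAS login module whose logout() has a real side effect (the case Anil's comment singles out), the cache is a plain map, and the 100 ms sleep only widens the window between the cache miss and the cache insert so the interleaving from the issue is reproduced on demand. All class and method names are hypothetical; save it as CacheRaceDemo.java.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

// Stand-in for a JAAS login module whose logout() does real work. The two
// counters are the observable result of the race (hypothetical class).
final class CountingLoginModule {
    final AtomicInteger logins = new AtomicInteger();
    final AtomicInteger logouts = new AtomicInteger();

    Object login(String principal) {
        logins.incrementAndGet();
        return new Object();               // stands in for the authenticated Subject
    }

    void logout(Object subject) {
        logouts.incrementAndGet();         // e.g. releasing a backend session
    }
}

abstract class CachingManager {
    final Map<String, Object> cache = new ConcurrentHashMap<>();
    final CountingLoginModule module = new CountingLoginModule();

    abstract boolean isValid(String principal);

    // Cache-miss path shared by both variants: evict any existing entry (which, as the
    // issue says of JaasSecurityManager, logs it out), then authenticate and cache.
    final void authenticateAndCache(String principal) {
        sleep(100);                                      // time spent building the LoginContext
        Object stale = cache.remove(principal);
        if (stale != null) module.logout(stale);         // a concurrent winner's login is undone here
        cache.put(principal, module.login(principal));
    }

    static void sleep(long ms) {
        try { Thread.sleep(ms); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }
}

// Current behaviour: cache validation and authentication are two separate steps.
final class RacyManager extends CachingManager {
    boolean isValid(String principal) {
        if (cache.containsKey(principal)) return true;   // both threads miss here ...
        authenticateAndCache(principal);                 // ... and both authenticate
        return true;
    }
}

// Proposed behaviour: the miss check and the authentication form one critical
// section per principal name. A lock object per name is used rather than
// synchronizing on principal.intern(), whose monitor would be shared JVM-wide.
final class AtomicManager extends CachingManager {
    private final Map<String, Object> locks = new ConcurrentHashMap<>();

    boolean isValid(String principal) {
        Object lock = locks.computeIfAbsent(principal, k -> new Object());
        synchronized (lock) {
            if (cache.containsKey(principal)) return true; // second thread now sees the first one's entry
            authenticateAndCache(principal);
            return true;
        }
    }
}

public class CacheRaceDemo {
    // Two threads validate the same principal; the second starts slightly later so
    // that, without the lock, it evicts the first thread's freshly cached entry.
    static String race(CachingManager m) throws InterruptedException {
        Thread first = new Thread(() -> m.isValid("alice"));
        Thread second = new Thread(() -> m.isValid("alice"));
        first.start();
        CachingManager.sleep(20);
        second.start();
        first.join();
        second.join();
        return "logins=" + m.module.logins.get() + " logouts=" + m.module.logouts.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("RacyManager:   " + race(new RacyManager()));
        System.out.println("AtomicManager: " + race(new AtomicManager()));
    }
}
```

With the racy manager the second thread typically reports a second login and one logout of the first thread's subject, which is the spurious logout() call the issue and Anil's comment are about; with the per-principal lock the second thread blocks until the first has cached its entry, then takes the cache hit, so the module sees one login and no logout. In a real manager the lock map would need eviction alongside the cache entry so it does not grow without bound.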