[jboss-jira] [JBoss JIRA] Commented: (SECURITY-415) ClientLoginModule multi-threaded=false should make SecurityContext client side association
Stefan Guilhen (JIRA)
jira-events at lists.jboss.org
Wed Jul 1 11:17:51 EDT 2009
[ https://jira.jboss.org/jira/browse/SECURITY-415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12474471#action_12474471 ]
Stefan Guilhen commented on SECURITY-415:
-----------------------------------------
Calling SecurityAssociationContext.setClient() causes many problems when the ClientLoginModule is used on the server side. Consider the ClientLoginModuleEJBUnitCase, where the test calls a bean and this bean performs a login() using the ClientLoginModule. As the multi-threaded property was not set, the module calls setClient() on SecurityContextAssociation, causing all server threads to use the *same* static variable to hold the security contexts. Of course this leads to a huge security flaw.
In my opinion we should not use any variables to differentiate between server and client usage. I think we should have different classes, perhaps different login modules - a ServerLoginModule that never changes the way SecurityContextAssociation works. If we are to use the same module, then we would need separate SecurityContextAssociation implementations - a server-side one that stores all contexts in ThreadLocal variables, and a client-side one that offers a VM-wide association of security context via a static variable. In this approach, calling setClient() on the server-side implementation would have no effect.
> ClientLoginModule multi-threaded=false should make SecurityContext client side association
> ------------------------------------------------------------------------------------------
>
> Key: SECURITY-415
> URL: https://jira.jboss.org/jira/browse/SECURITY-415
> Project: JBoss Security and Identity Management
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: JBossSX
> Affects Versions: JBossSecurity_2.0.3.SP1
> Reporter: Anil Saldhana
> Assignee: Anil Saldhana
> Fix For: JBossSecurity_2.0.3.SP2
>
>
> The ClientLoginModule multi-threaded=false option, when missing, should set SecurityContextAssociation.setClient()
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
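The following stand-alone program is an added illustration of the problem Stefan describes; it is not JBossSX code and does not use the real SecurityContextAssociation API. The class names Association, ServerAssociation and SecurityContext, the setClient()/setSecurityContext()/getSecurityContext() methods, and the principal names are all assumptions made for the demo. It models the shape of the flaw: a single static "client" switch that flips every thread in the VM from a ThreadLocal association to one shared static slot, so a request thread that never logged in reads back another thread's context. The second class models the alternative proposed in the comment, a server-side association on which setClient() has no effect.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import java.util.function.Supplier;

// Illustrative model only; not the JBossSX implementation.
public class SharedContextDemo {

    /** Minimal stand-in for the per-request security context (assumed shape). */
    static final class SecurityContext {
        final String principal;
        SecurityContext(String principal) { this.principal = principal; }
    }

    /** Models the flawed shape: one static switch, one static VM-wide slot. */
    static final class Association {
        private static volatile boolean client = false;   // flipped by setClient()
        private static SecurityContext vmWide;            // client-side (static) slot
        private static final ThreadLocal<SecurityContext> perThread = new ThreadLocal<>();

        // What a client login module does when multi-threaded=false is absent.
        static void setClient() { client = true; }
        static void reset() { client = false; vmWide = null; }

        static void setSecurityContext(SecurityContext sc) {
            if (client) vmWide = sc; else perThread.set(sc);
        }
        static SecurityContext getSecurityContext() {
            return client ? vmWide : perThread.get();
        }
    }

    /** Models the proposed server-side association: always ThreadLocal, setClient() is a no-op. */
    static final class ServerAssociation {
        private static final ThreadLocal<SecurityContext> perThread = new ThreadLocal<>();
        static void setClient() { /* intentionally no effect on the server side */ }
        static void setSecurityContext(SecurityContext sc) { perThread.set(sc); }
        static SecurityContext getSecurityContext() { return perThread.get(); }
    }

    /**
     * Two "request threads": A logs in as alice, B never logs in and only reads
     * the association after A is done. Returns the principal B observes;
     * on a correctly isolated server this must be "<none>".
     */
    static String observedByB(Consumer<SecurityContext> set, Supplier<SecurityContext> get)
            throws InterruptedException {
        CountDownLatch aLoggedIn = new CountDownLatch(1);
        AtomicReference<String> seenByB = new AtomicReference<>();

        Thread a = new Thread(() -> {
            set.accept(new SecurityContext("alice"));
            aLoggedIn.countDown();
        });
        Thread b = new Thread(() -> {
            try { aLoggedIn.await(); } catch (InterruptedException e) { return; }
            SecurityContext sc = get.get();
            seenByB.set(sc == null ? "<none>" : sc.principal);
        });
        a.start(); b.start(); a.join(); b.join();
        return seenByB.get();
    }

    public static void main(String[] args) throws InterruptedException {
        // 1. Server-side default: per-thread association, B is isolated from A.
        Association.reset();
        System.out.println("ThreadLocal association, B sees: "
                + observedByB(Association::setSecurityContext, Association::getSecurityContext));

        // 2. The flaw: setClient() was called inside the server, so every thread
        //    now shares the static slot and B inherits A's identity.
        Association.reset();
        Association.setClient();
        System.out.println("setClient() on the server, B sees: "
                + observedByB(Association::setSecurityContext, Association::getSecurityContext));

        // 3. Proposed separation: the server-side class ignores setClient().
        ServerAssociation.setClient();
        System.out.println("ServerAssociation after setClient(), B sees: "
                + observedByB(ServerAssociation::setSecurityContext, ServerAssociation::getSecurityContext));
    }
}
```

Run with `javac SharedContextDemo.java && java SharedContextDemo`. The first and third cases leave thread B with no context, because the association is ThreadLocal; in the second case B reads alice's context without ever authenticating, which is the cross-thread identity leak the comment warns about when a client-oriented login module runs inside a server bean.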