[jboss-jira] [JBoss JIRA] Updated: (SECURITY-339) ClientLoginModule improperly handles SecurityAssociation stack in abort()
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Wed Jun 17 11:44:56 EDT 2009
[ https://jira.jboss.org/jira/browse/SECURITY-339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anil Saldhana updated SECURITY-339:
-----------------------------------
Component/s: JBossSX
Fix Version/s: JBossSecurity_2.0.4
> ClientLoginModule improperly handles SecurityAssociation stack in abort()
> -------------------------------------------------------------------------
>
> Key: SECURITY-339
> URL: https://jira.jboss.org/jira/browse/SECURITY-339
> Project: JBoss Security and Identity Management
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: JBossSX
> Reporter: Marco Schulze
> Assignee: Anil Saldhana
> Fix For: JBossSecurity_2.0.4
>
>
> The abort() method calls SecurityAssociationActions.popPrincipalInfo() even though the corresponding push happens in commit() [via SecurityAssociationActions.setPrincipalInfo(loginPrincipal, loginCredential, subject)]. That means, whenever a login fails, the commit is not called (thus nothing pushed), but the abort pops out an element from the stack. This should not be done. IMHO the abort() method should look like this:
> public boolean abort() throws LoginException
> {
> if( trace )
> log.trace("abort");
> if( restoreLoginIdentity == false )
> {
> // Clear the entire security association stack
> SecurityAssociationActions.clear();
> }
> return true;
> }
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list