[jboss-jira] [JBoss JIRA] Commented: (JBAS-7822) Investigate race condition for security

Stefan Ries (JIRA) jira-events at lists.jboss.org
Mon Mar 29 06:05:38 EDT 2010


    [ https://jira.jboss.org/jira/browse/JBAS-7822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12522513#action_12522513 ] 

Stefan Ries commented on JBAS-7822:
-----------------------------------

This issue happened because of a race-condition.
Each call to the server seems to push the current SecurityContext on a stack and restore it after the call returns. If a login and another call happen at the same time, the other call might push the "null" context onto the stack before the login started and restore it after the login was completed. This way, the login was "undone". The same can happen during logout.

Solution:
If you use the LoginContext to login, set the "multi-threaded" flag of the loginContext to true.
If you use the SecurityClientFactory, use SecurityClient.setVmwideAssociation(false)

This way, every thread will have its own SecurityContext and thus needs to be logged in and out by itself.

> Investigate race condition for security
> ---------------------------------------
>
>                 Key: JBAS-7822
>                 URL: https://jira.jboss.org/jira/browse/JBAS-7822
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-5.0.0.GA
>         Environment: WinXP 64bit
>            Reporter: Stefan Ries
>            Assignee: Anil Saldhana
>
> I'm running several beans, let's call them A, B, C. They all run in the same security context. I'm using a custom login module and a custom principal.
> Bean A has the following method:
> public Principal getCurrentPrincipal() {
>     if (log.isTraceEnabled()) {
>         log.trace("getCurrentPrincipal() - start"); //$NON-NLS-1$
>     }
>     Principal returnPrincipal = sCtx.getCallerPrincipal();
>     if (log.isTraceEnabled()) {
>         log.trace("getCurrentPrincipal() - end - return value=" + returnPrincipal); //$NON-NLS-1$
>     }
>     return returnPrincipal;
> }
> My test runs 3 threads. 
> - Thread1: Fetches entities non-stop using bean B
> - Thread2: Fetches entities non-stop using bean C
> - Thread3: Endless loop of:
>   - Perform login
>   - call BeanA.getCurrentPrincipal();
>   - Compare principal name with login name
>   - logout
> After running this for several minutes, the name of the principal is "anonymous" (the unauthenticated principal). When disabling Thread 1 and 2, the error does not occur.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
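The mechanism the comment above describes (a save/restore of a shared security context around every call, so a concurrent call can restore "null" over a fresh login) is easy to reproduce in a small model. The following is an added example, not part of the JIRA thread and not JBoss code: `VmWide` stands in for a VM-wide context association, `PerThread` for the per-thread association that the "multi-threaded" `LoginContext` flag or `SecurityClient.setVmwideAssociation(false)` selects, and `invokeBean` plays the role of the server-side interceptor. The principal name "alice", the class and method names, and the iteration counts are assumptions made for the demo.

```java
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

/**
 * Toy model (not JBoss code) of the race in JBAS-7822.
 * A "security context" here is just the caller's principal name,
 * or null when nobody is logged in ("anonymous").
 */
public class SecurityContextRace {

    /** Where the current context lives: one slot for the whole VM, or one slot per thread. */
    interface Association {
        String get();
        void set(String principal);
    }

    /** VM-wide association: every thread shares the same slot (the racy setting from the report). */
    static final class VmWide implements Association {
        private volatile String current;
        public String get() { return current; }
        public void set(String p) { current = p; }
    }

    /** Per-thread association: models the "multi-threaded" / setVmwideAssociation(false) fix. */
    static final class PerThread implements Association {
        private final ThreadLocal<String> current = new ThreadLocal<>();
        public String get() { return current.get(); }
        public void set(String p) { current.set(p); }
    }

    /**
     * Models the server-side interceptor: remember the context seen at entry, run the
     * bean method, then restore what was there before. With a VM-wide slot, the value
     * saved by one thread can be null while another thread is in the middle of a login,
     * and the restore in 'finally' then silently undoes that login.
     */
    static <T> T invokeBean(Association assoc, Supplier<T> beanMethod) {
        String saved = assoc.get();          // "push"
        try {
            return beanMethod.get();
        } finally {
            assoc.set(saved);                // "pop"
        }
    }

    /** Bean A's getCurrentPrincipal(): map a missing context to the unauthenticated principal. */
    static String callerPrincipal(Association assoc) {
        String p = assoc.get();
        return p == null ? "anonymous" : p;
    }

    /**
     * Runs the three-thread scenario from the report and returns how many times
     * the login thread observed a principal other than the one it just logged in.
     */
    static int run(Association assoc, int loginIterations) throws InterruptedException {
        AtomicInteger loginsUndone = new AtomicInteger();
        AtomicBoolean running = new AtomicBoolean(true);

        // Threads 1 and 2: hammer beans B and C, which merely read the caller principal.
        Runnable fetcher = () -> {
            while (running.get()) {
                invokeBean(assoc, () -> callerPrincipal(assoc));
            }
        };
        Thread t1 = new Thread(fetcher, "beanB-fetcher");
        Thread t2 = new Thread(fetcher, "beanC-fetcher");
        t1.start();
        t2.start();

        // Thread 3 (this thread): login, call bean A, compare, logout.
        for (int i = 0; i < loginIterations; i++) {
            assoc.set("alice");                                           // login (assumed principal)
            String seen = invokeBean(assoc, () -> callerPrincipal(assoc)); // BeanA.getCurrentPrincipal()
            if (!"alice".equals(seen)) {
                loginsUndone.incrementAndGet();
            }
            assoc.set(null);                                              // logout
        }
        running.set(false);
        t1.join();
        t2.join();
        return loginsUndone.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("VM-wide association, logins undone:   " + run(new VmWide(), 200_000));
        System.out.println("Per-thread association, logins undone: " + run(new PerThread(), 200_000));
    }
}
```

With the VM-wide slot the first count is nondeterministic but typically nonzero on a multi-core machine (it can stay at zero if the scheduler never interleaves the save and restore with the login); with the per-thread slot it is always zero, because the fetcher threads only ever save and restore their own context. The per-thread model also shows the consequence the comment points out: the fetcher threads see "anonymous" unless they log in themselves.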