[jboss-jira] [JBoss JIRA] Reopened: (JBAS-8534) Security Credential is shared between threads

Jason Greene (JIRA) jira-events at lists.jboss.org
Thu Apr 21 14:26:58 EDT 2011


     [ https://issues.jboss.org/browse/JBAS-8534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Greene reopened JBAS-8534:
--------------------------------



Due to feedback from the community, I have split the AS7 and AS6 projects and reopened all unscheduled AS6 issues that are a year or less old. This will make it easier for community members to find and work on them.

Future releases beyond 6.1 can be done provided a community member steps up to coordinate them.

> Security Credential is shared between threads
> ---------------------------------------------
>
>                 Key: JBAS-8534
>                 URL: https://issues.jboss.org/browse/JBAS-8534
>             Project: Legacy JBoss Application Server 6 
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-4.2.3.GA
>         Environment: JBOSS AS 4.2.3 on Linux
>            Reporter: Rajesh Bhabu
>            Assignee: Anil Saldhana
>             Fix For: No Release
>
>
> Because of the Anonymous issue as reported in https://jira.jboss.org/browse/JBAS-3945, we coded something similar to the following to work around the issue. This was suggested by the JBOSS support team.
> ---------------------------------------------------------------------------------------------
> When we are changing the principal (performing another login) we need to call
> these Jboss APIs in our login module:
> SecurityAssociation.popRunAsRole()
> SecurityAssociation.pushRunAsRole()
> This will pop the old run-as role and push the new run as role (which we want
> the second transaction to run as).
> Change the JAAS login module to explicitly set the new principal and
> credentials during login. This was after the callback handler handle method
> was invoked and we had the principal and credentials:
> SecurityAssociation.setPrincipal(new SimplePrincipal(username));
> SecurityAssociation.setCredential(password);
> --------------------------------------------------------------------------------------------------------------------------
> After doing this, we started seeing that the principal is shared among the threads. For example, user 1 logs in and sees information about user 2. This happens only after heavy load testing. This is also reproducible after a couple of hours of running the load test.
> If we remove the above code, then the issue goes away. But the anonymous issue appears.
> Any help is appreciated in finding the root cause of the issue.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
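
An added illustration, not code from the issue or from JBoss: how a caller identity kept in per-thread storage can carry over to the next request served by the same pooled worker thread, next to a variant that scopes the identity to one request. It assumes per-thread storage and worker-thread reuse, which the report does not confirm as the root cause; `PRINCIPAL`, `handleUnsafe` and `handleScoped` are hypothetical names and the user names are constructed.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadIdentityLeakDemo {
    // Hypothetical stand-in for a per-thread security context (not the JBoss class).
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();

    // Unsafe: sets the identity on the worker thread and never clears it.
    // loginUser == null models a request whose login step did not set an identity.
    static String handleUnsafe(String loginUser) {
        if (loginUser != null) PRINCIPAL.set(loginUser);
        return PRINCIPAL.get(); // identity the business code would run as
    }

    // Scoped: whatever was on the thread before the request is restored afterwards.
    static String handleScoped(String loginUser) {
        String previous = PRINCIPAL.get();
        try {
            if (loginUser != null) PRINCIPAL.set(loginUser);
            return PRINCIPAL.get();
        } finally {
            if (previous == null) PRINCIPAL.remove(); else PRINCIPAL.set(previous);
        }
    }

    // Runs two consecutive requests on a single pooled worker so thread reuse is deterministic.
    static String[] run(boolean scoped) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            Callable<String> first = () -> scoped ? handleScoped("user2") : handleUnsafe("user2");
            Callable<String> second = () -> scoped ? handleScoped(null) : handleUnsafe(null);
            String a = pool.submit(first).get();
            String b = pool.submit(second).get();
            return new String[] { a, b };
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        String[] unsafe = run(false);
        String[] scoped = run(true);
        System.out.println("unsafe: request1=" + unsafe[0] + " request2=" + unsafe[1]);
        System.out.println("scoped: request1=" + scoped[0] + " request2=" + scoped[1]);
    }
}
```

In the unsafe run the second request inherits the identity left behind by the first; in the scoped run it sees none.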

