[jboss-jira] [JBoss JIRA] (SECURITY-868) Multithread issues when validate with cached password + nonce credential info from JBossCachedAuthenticationManager

[Jim Ma (JIRA)]

Jim Ma created SECURITY-868:
-------------------------------

             Summary: Multithread issues when validate with cached password + nonce credential  info from JBossCachedAuthenticationManager 
                 Key: SECURITY-868
                 URL: https://issues.jboss.org/browse/SECURITY-868
             Project: PicketBox 
          Issue Type: Task
          Components: PicketBox
            Reporter: Jim Ma
            Assignee: Stefan Guilhen


When the new security domain is configured with catch-type=default in standalone.xml, the validated credential will be put in the JBossCachedAuthenticationManager with principal and domaininfo value pair. In multithread environment, a new validated credential can overwrite the previous thread cached domain info. This will cause even in the same thread , the cached authentication info could not work. For example if one user login with username , password and nonce in two threads : thread A and thread B ;thread A caches the validated credential(hased password +nonce) in JBossCachedAuthenticationMessager,  thread B does the authentication, then caches the validated credential (hashed password + nonce) , even it's the same user and passoword, the credential is different because the nonce is diffrent. So the new credential created in thread B will overwrite the previous value created by thread A . So in thread A,  the cached validation info won't work and following validation with cached credential will all fail. 



--
This message was sent by Atlassian JIRA
(v6.3.8#6338)