[jboss-jira] [JBoss JIRA] (SECURITY-868) Multithread issue when validate with cached hashed password + nonce credential info from JBossCachedAuthenticationManager

RH Bugzilla Integration (JIRA) issues at jboss.org
Mon Jan 12 06:03:49 EST 2015


     [ https://issues.jboss.org/browse/SECURITY-868?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

RH Bugzilla Integration updated SECURITY-868:
---------------------------------------------
    Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=1173492, https://bugzilla.redhat.com/show_bug.cgi?id=1181084  (was: https://bugzilla.redhat.com/show_bug.cgi?id=1173492)


> Multithread issue when validate with cached hashed password + nonce credential info from JBossCachedAuthenticationManager
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SECURITY-868
>                 URL: https://issues.jboss.org/browse/SECURITY-868
>             Project: PicketBox 
>          Issue Type: Task
>          Components: PicketBox
>            Reporter: Jim Ma
>            Assignee: Stefan Guilhen
>             Fix For: PicketBox_4_9_0.Beta3
>
>
> When the new security domain is configured with cache-type=default in standalone.xml, the validated credential will be put in the JBossCachedAuthenticationManager as a principal and domain-info value pair. In a multithreaded environment, a new validated credential can overwrite the previous thread's cached domain info. This will cause the cached authentication info to stop working even in the same thread. For example, if one user logs in with username, password and nonce in two threads, thread A and thread B: thread A caches the validated credential (hashed password + nonce) in JBossCachedAuthenticationManager, then thread B does the authentication and caches the validated credential (hashed password + nonce). Even though it is the same user and password, the credential is different because the nonce is different. So the new credential created in thread B will overwrite the previous value created by thread A. So in thread A, the cached validation info won't work and the following validations with the cached credential will all fail.
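The sequence in the report can be replayed against a small model of a cache keyed by principal only. The following is an added example, not PicketBox code: the user store, the `credential_for` scheme (hashed password bound to a nonce with HMAC) and the `PrincipalKeyedCache` class are constructed stand-ins for the real `JBossCachedAuthenticationManager`, and the two "threads" are run as a deterministic sequence of calls so the interleaving the report describes is reproduced exactly. `validate_with_fallback` is one possible mitigation (re-authenticate on a cache mismatch instead of failing); it is an assumption, not necessarily the project's actual fix.

```python
"""Constructed model of the SECURITY-868 cache overwrite (added example, not PicketBox code)."""
import hashlib
import hmac
import secrets

# Constructed user store: principal -> hashed password
USER_STORE = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def credential_for(hashed_password: str, nonce: str) -> str:
    """Session credential: the hashed password bound to a per-login nonce (hypothetical scheme)."""
    return hmac.new(nonce.encode(), hashed_password.encode(), "sha256").hexdigest()


class PrincipalKeyedCache:
    """Cache keyed by principal only, as the report describes: one entry per user."""

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}  # principal -> cached validated credential

    def login(self, principal: str, hashed_password: str, nonce: str) -> bool:
        """Full authentication against the store. On success the new credential is cached
        and silently replaces whatever another thread cached for the same principal."""
        stored = USER_STORE.get(principal)
        if stored is None or not hmac.compare_digest(stored, hashed_password):
            return False
        self._entries[principal] = credential_for(hashed_password, nonce)
        return True

    def validate_cached(self, principal: str, hashed_password: str, nonce: str) -> bool:
        """Cache-only check, as a thread re-using its own (hashed password + nonce) would do.
        Fails as soon as another login has replaced the entry for this principal."""
        cached = self._entries.get(principal)
        if cached is None:
            return False
        return hmac.compare_digest(cached, credential_for(hashed_password, nonce))

    def validate_with_fallback(self, principal: str, hashed_password: str, nonce: str) -> bool:
        """Assumed mitigation: on a cache miss or mismatch, re-authenticate against the store
        instead of failing outright. Correctness is restored; the cache still thrashes."""
        if self.validate_cached(principal, hashed_password, nonce):
            return True
        return self.login(principal, hashed_password, nonce)


def reproduce() -> tuple[bool, bool, bool]:
    """Replay the report's two-thread sequence and return
    (A validates after its own login, A validates after B's login, A validates with fallback)."""
    cache = PrincipalKeyedCache()
    hashed = USER_STORE["alice"]
    nonce_a, nonce_b = secrets.token_hex(8), secrets.token_hex(8)

    assert cache.login("alice", hashed, nonce_a)          # thread A logs in and caches
    a_before = cache.validate_cached("alice", hashed, nonce_a)

    assert cache.login("alice", hashed, nonce_b)          # thread B: same user, different nonce
    a_after = cache.validate_cached("alice", hashed, nonce_a)   # A's cached credential is gone

    a_fallback = cache.validate_with_fallback("alice", hashed, nonce_a)
    return a_before, a_after, a_fallback


if __name__ == "__main__":
    print(reproduce())  # expected: (True, False, True)
```

The first two results show the reported behaviour: thread A's cache-only validation succeeds right after its own login and fails once thread B's login has replaced the entry, even though user and password never changed. The fallback variant turns that hard failure into a re-authentication, but because the key is still the principal alone, A and B keep overwriting each other; a key that also covers the per-login nonce (or session) would be needed to keep both entries at once.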



--
This message was sent by Atlassian JIRA
(v6.3.11#6341)


