[jboss-jira] [JBoss JIRA] (WFLY-4602) HttpServletRequest#logout doesn't fully clear security context
Brian Stansberry (JIRA)
issues at jboss.org
Mon May 18 13:48:21 EDT 2015
[ https://issues.jboss.org/browse/WFLY-4602?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Stansberry updated WFLY-4602:
-----------------------------------
Fix Version/s: 10.0.0.Alpha1
> HttpServletRequest#logout doesn't fully clear security context
> --------------------------------------------------------------
>
> Key: WFLY-4602
> URL: https://issues.jboss.org/browse/WFLY-4602
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 9.0.0.CR1
> Reporter: Arjan t
> Assignee: Stuart Douglas
> Labels: authentication, security, security-context
> Fix For: 9.0.0.CR2, 10.0.0.Alpha1
>
>
> After having authenticated (via JASPIC or otherwise), calling {{HttpServletRequest#logout}} and then requesting the caller/user principal (all within the same request), Undertow (via e.g. WildFly 8.2 or 9.0rc1) will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.
> The problem seems to be that {{io.undertow.security.impl.SecurityContextImpl.logout()}} doesn't do anything with the security context that is used by the EJB container among others.
> It now just contains the following:
> {code:java}
> this.account = null;
> this.mechanismName = null;
> this.authenticationState = AuthenticationState.NOT_ATTEMPTED;
> {code}
> Added the following code just before this seems to work:
> {code:java}
> // Clear old context
> SecurityContextAssociation.clearSecurityContext();
> SecurityRolesAssociation.setSecurityRoles(null);
>
> // Set a new one in case re-authentication is done within the same thread
> SecurityContext securityContext = SecurityContextFactory.createSecurityContext("other");
> exchange.putAttachment(SECURITY_CONTEXT_ATTACHMENT, securityContext);
> SecurityContextAssociation.setSecurityContext(securityContext);
> // (existing clearing code)
> this.account = null;
> this.mechanismName = null;
> this.authenticationState = AuthenticationState.NOT_ATTEMPTED;
> {code}
> Do note that this code uses the hardcoded domain "other". Except by using reflection I couldn't obtain the actual domain name at this point. The reflective code I used was:
> {code:java}
> String securityDomain = "other";
> if (identityManager instanceof JAASIdentityManagerImpl) {
> try {
> Field securityDomainContextField = JAASIdentityManagerImpl.class.getDeclaredField("securityDomainContext");
> securityDomainContextField.setAccessible(true);
> SecurityDomainContext securityDomainContext = (SecurityDomainContext) securityDomainContextField.get(identityManager);
> securityDomain = securityDomainContext.getAuthenticationManager().getSecurityDomain();
> } catch (NoSuchFieldException | SecurityException | IllegalArgumentException | IllegalAccessException e) {
> logger.log(Level.SEVERE, "Can't obtain name of security domain, using 'other' now", e);
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
More information about the jboss-jira
mailing list