[jboss-jira] [JBoss JIRA] (SECURITY-882) Fix for SECURITY-868 breaks flush-cache capability
Ivo Studensky (JIRA)
issues at jboss.org
Thu May 21 03:08:20 EDT 2015
[ https://issues.jboss.org/browse/SECURITY-882?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ivo Studensky resolved SECURITY-882.
------------------------------------
Resolution: Won't Fix
This is not any issue to fix. The original fix of SECURITY-868 is wrong and needs to be reverted and fixed another way.
> Fix for SECURITY-868 breaks flush-cache capability
> --------------------------------------------------
>
> Key: SECURITY-882
> URL: https://issues.jboss.org/browse/SECURITY-882
> Project: PicketBox
> Issue Type: Bug
> Components: AS-Integration
> Affects Versions: PicketBox_4_0_19.Final
> Environment: EAP 6.3.3, JDV 6.1.0
> Reporter: Hisanobu Okuda
> Assignee: Stefan Guilhen
>
> The member field ThreadLocal<CompoundInfo> validatedDomainInfo was introduced for the fix of SECURITY-868. When you are authenticated, a valid security info is stored in the field thread-locally. Then, you flushes the JAAS cache via CLI or API in another thread, org.jboss.security.authentication.JBossCachedAuthenticationManager.flushCache() is invoked, but validatedDomainInfo is not flushed properly, since it is ThreadLocal. As a result, a cached security info is re-used unexpectedly.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
More information about the jboss-jira
mailing list