[jboss-jira] [JBoss JIRA] (SECURITY-868) Multithread issue when validate with cached hashed password + nonce credential info from JBossCachedAuthenticationManager
Stefan Guilhen (JIRA)
issues at jboss.org
Fri May 22 16:31:19 EDT 2015
[ https://issues.jboss.org/browse/SECURITY-868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13070553#comment-13070553 ]
Stefan Guilhen commented on SECURITY-868:
-----------------------------------------
Yeah, that is a good question. I have recently submitted a pull request for a JASPIC issue to avoid unnecessary reauthentication of the user if the security context that is coming from the Web layer already contains an authenticated subject and if both contexts use the same security domain.
That is, after the Web has authenticated the user, a security context is created and the authenticated subject is set in this context. When the call reaches the EJB layer, the SecurityContextInterceptor sets up a new context and pretty much ignores everything that was done in the Web layer. I have changed this so that the SimpleSecurityManager now checks if the incoming context already contains an authenticated Subject. If it does and if both layers use the same security domain (of course, if the EJB app wants to use a different domain we must authenticate against that domain), then SimpleSecurityManager doesn't trigger a new authentication and instead trusts the authenticated subject.
It might be worth checking if this is applicable in this case. I'm not familiar with JBossWS but it might be possible that the same thing is happening here, no? If I'm not mistaken, my PR was merged to branch 9.x, so building a WF9 from sources should be enough to verify if this fix helps or not.
> Multithread issue when validate with cached hashed password + nonce credential info from JBossCachedAuthenticationManager
> --------------------------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-868
> URL: https://issues.jboss.org/browse/SECURITY-868
> Project: PicketBox
> Issue Type: Task
> Components: PicketBox
> Reporter: Jim Ma
> Assignee: Stefan Guilhen
> Fix For: PicketBox_4_9_0.Final
>
> Attachments: stacktraces.log
>
>
> When the new security domain is configured with cache-type=default in standalone.xml, the validated credential will be put in the JBossCachedAuthenticationManager as a principal and DomainInfo value pair. In a multithread environment, a new validated credential can overwrite the domain info cached by a previous thread. This causes the cached authentication info to stop working even in the same thread. For example, if one user logs in with username, password and nonce in two threads, thread A and thread B: thread A caches the validated credential (hashed password + nonce) in JBossCachedAuthenticationManager, then thread B does the authentication and caches its validated credential (hashed password + nonce). Even though it is the same user and password, the credential is different because the nonce is different, so the new credential created in thread B overwrites the previous value created by thread A. In thread A the cached validation info then no longer matches, and all following validations with the cached credential fail.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
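As an added illustration (not PicketBox code and not the fix shipped for this issue), the following Java simulation replays the interleaving from the report: a principal-keyed cache whose value is the nonce-bound digest loses thread A's entry when thread B stores its own, and a cache that stores only the nonce-independent verifier does not. The user name, password, nonces, SHA-256 digest construction and the mitigation shown are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class NonceCacheDemo {
    // Constructed test user; the password hash stands in for what a login module verifies.
    static final String USER = "alice";
    static final byte[] PASSWORD_HASH = sha256("alice-password");

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Per-request credential presented by the client: digest(passwordHash || nonce).
    static byte[] nonceDigest(byte[] passwordHash, String nonce) {
        return sha256(Base64.getEncoder().encodeToString(passwordHash) + ":" + nonce);
    }

    // Shape described in the report: one entry per principal holding the nonce-bound digest,
    // so whichever thread validated last wins and the other thread's entry is overwritten.
    static final Map<String, byte[]> buggyCache = new ConcurrentHashMap<>();

    static boolean buggyValidate(String user, byte[] digest) {
        byte[] cached = buggyCache.get(user);
        return cached != null && MessageDigest.isEqual(cached, digest);
    }

    // Illustrative mitigation (an assumption, not PicketBox's actual fix): cache only the
    // nonce-independent verifier and re-derive the expected digest from each request's nonce.
    static final Map<String, byte[]> fixedCache = new ConcurrentHashMap<>();

    static boolean fixedValidate(String user, String nonce, byte[] digest) {
        byte[] verifier = fixedCache.get(user);
        return verifier != null && MessageDigest.isEqual(nonceDigest(verifier, nonce), digest);
    }

    public static void main(String[] args) {
        // Deterministic replay of the race: A authenticates and is cached, B authenticates with
        // a fresh nonce and overwrites A's entry, then A revalidates with its original credential.
        byte[] digestA = nonceDigest(PASSWORD_HASH, "nonce-A");
        byte[] digestB = nonceDigest(PASSWORD_HASH, "nonce-B");
        buggyCache.put(USER, digestA);  // thread A: full authentication succeeded, entry cached
        buggyCache.put(USER, digestB);  // thread B: same user, different nonce, replaces A's entry
        System.out.println("buggy, thread A revalidates: " + buggyValidate(USER, digestA));
        System.out.println("buggy, thread B revalidates: " + buggyValidate(USER, digestB));
        fixedCache.put(USER, PASSWORD_HASH);  // both threads store the same nonce-free verifier
        System.out.println("fixed, thread A revalidates: " + fixedValidate(USER, "nonce-A", digestA));
        System.out.println("fixed, thread B revalidates: " + fixedValidate(USER, "nonce-B", digestB));
    }
}
```

Under the buggy cache only thread B's revalidation succeeds; with the nonce-free verifier both threads revalidate.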