[jboss-jira] [JBoss JIRA] (SECURITY-868) Multithread issue when validate with cached hased password + nonce credential info from JBossCachedAuthenticationManager

RH Bugzilla Integration (JIRA) issues at jboss.org
Fri Oct 30 14:30:00 EDT 2015 

    [ https://issues.jboss.org/browse/SECURITY-868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13123959#comment-13123959 ] 

RH Bugzilla Integration commented on SECURITY-868:
--------------------------------------------------

Vladimir Dosoudil <dosoudil at redhat.com> changed the Status of [bug 1219778|https://bugzilla.redhat.com/show_bug.cgi?id=1219778] from MODIFIED to ON_QA

> Multithread issue when validate with cached hased password + nonce credential  info from JBossCachedAuthenticationManager 
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SECURITY-868
>                 URL: https://issues.jboss.org/browse/SECURITY-868
>             Project: PicketBox 
>          Issue Type: Task
>          Components: PicketBox
>            Reporter: Jim Ma
>            Assignee: Stefan Guilhen
>             Fix For: PicketBox_4_9_0.Final
>
>         Attachments: stacktraces.log
>
>
> When the new security domain is configured with catch-type=default in standalone.xml, the validated credential will be put in the JBossCachedAuthenticationManager with principal and domaininfo value pair. In multithread environment, a new validated credential can overwrite the previous thread cached domain info. This will cause even in the same thread , the cached authentication info could not work. For example if one user login with username , password and nonce in two threads : thread A and thread B ;thread A caches the validated credential(hased password +nonce) in JBossCachedAuthenticationMessager,  thread B does the authentication, then caches the validated credential (hashed password + nonce) , even it's the same user and passoword, the credential is different because the nonce is diffrent. So the new credential created in thread B will overwrite the previous value created by thread A . So in thread A,  the cached validation info won't work and following validation with cached credential will all fail. 



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list