[jboss-jira] [JBoss JIRA] (SECURITY-905) Add protection of our GSSCredential added by the KerberosLoginModule

RH Bugzilla Integration (JIRA) issues at jboss.org
Fri Sep 25 04:40:00 EDT 2015


    [ https://issues.jboss.org/browse/SECURITY-905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13112413#comment-13112413 ] 

RH Bugzilla Integration commented on SECURITY-905:
--------------------------------------------------

Martin Simka <msimka at redhat.com> changed the Status of [bug 1097276|https://bugzilla.redhat.com/show_bug.cgi?id=1097276] from ON_QA to VERIFIED

> Add protection of our GSSCredential added by the KerberosLoginModule
> --------------------------------------------------------------------
>
>                 Key: SECURITY-905
>                 URL: https://issues.jboss.org/browse/SECURITY-905
>             Project: PicketBox 
>          Issue Type: Task
>          Components: Negotiation
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>             Fix For: Negotiation_2_3_8_Beta1
>
>
> GSSManager implementation can have an optimisation that attempts to obtain the GSSCredential from the private credentials in the Subject; in some situations, such as JDBC drivers, this can mean that a driver gets direct access to the credential we are supposed to be managing the lifecycle of.
> The optimisation is based on checking if it is an instance of GSSCredentialImpl - if not then GSSManager creates a new instance.
> This Jira issue is to wrap the instance we place in the Subject to prevent the optimisation kicking in.  This then means code using the credential such as a JDBC driver is free to do what it wants with its own credential without impacting on ours.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)