[jboss-jira] [JBoss JIRA] (WFLY-9251) Security context is not thread safe

Rémy Delerue (JIRA) issues at jboss.org
Fri Sep 1 05:09:03 EDT 2017


    [ https://issues.jboss.org/browse/WFLY-9251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13457396#comment-13457396 ] 

Rémy Delerue commented on WFLY-9251:
------------------------------------

Hello Tomaz,

Thank you for your answer.
I'm working with Charles and I'm assigned to this task.

We reproduced our issue with wildfly-11.0.0.Beta1 and wildfly-11.0.0.CR1.

But there's something noticeable:
* with wildfly-10.1.0.Final: {failed_count: 103, shots_count: 1000, succeeded_count: 897}
* with wildfly-11.0.0.Beta1: {failed_count: 2, shots_count: 1000, succeeded_count: 998}
* with wildfly-11.0.0.CR1: {failed_count: 4, shots_count: 1000, succeeded_count: 996}

What do you think about that?

Regards,
Rémy.

(In attachment, the script I used to reproduce the issue. [^wildfly-auth-overloader.js])

> Security context is not thread safe
> -----------------------------------
>
>                 Key: WFLY-9251
>                 URL: https://issues.jboss.org/browse/WFLY-9251
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.1.0.Final
>         Environment: Windows, Linux
>            Reporter: charles ghislain
>            Assignee: Darran Lofthouse
>              Labels: jaas, security, security-context, thread-safety, threads
>         Attachments: wildfly-auth-overloader.js, wildflytestauthcontext-2.zip, wildflytestauthcontext.zip
>
>
> Using a custom JAAS login module, we sometimes fail to obtain the authenticated subject from the 'javax.security.auth.Subject.container' policy context. This appears to be related to the worker threads.
> See the reproduction steps below. When a wildfly instance attempts to authenticate 500 requests coming simultaneously, a bunch of them fail. If you configure wildfly to only use a single worker thread and a single task thread, this issue disappears.
> The issue is as follows:
> I login using HttpServletRequest#login.
> Right after that, login.getUserPrincipal returns the correct principal.
> However, sometimes, PolicyContext.getContext("javax.security.auth.Subject.container") returns null. Right after the login.
> In our production app, PolicyContext.getContext("javax.security.auth.Subject.container") returns null during some EJB call, throwing random exceptions from various parts of the application. 



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
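
A minimal probe servlet for the check the issue description walks through, added here as an example (it is not the reporter's attachment or WildFly code); the class name, the `/subject-probe` path and the `user`/`password` parameter names are assumptions. It answers 401 for a failed login and 500 only when the principal is set but the container subject is null, so a load script run against a test instance can count that case separately.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical probe servlet: path and parameter names are assumptions.
@WebServlet("/subject-probe")
public class SubjectProbeServlet extends HttpServlet {
    private static final String SUBJECT_KEY = "javax.security.auth.Subject.container";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1: programmatic login, as in the report.
        try {
            req.login(req.getParameter("user"), req.getParameter("password"));
        } catch (ServletException e) {
            // Bad credentials are reported separately from the mismatch below.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Step 2: the servlet API's view of the caller.
        Principal principal = req.getUserPrincipal();
        // Step 3: the JACC view of the same caller, read on the same thread.
        Subject subject;
        try {
            subject = (Subject) PolicyContext.getContext(SUBJECT_KEY);
        } catch (PolicyContextException e) {
            throw new ServletException("Lookup failed for " + SUBJECT_KEY, e);
        }
        resp.setContentType("text/plain");
        if (principal != null && subject == null) {
            // The state the report describes: principal present, no subject.
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            resp.getWriter().println("MISMATCH principal=" + principal.getName()
                    + " subject=null thread=" + Thread.currentThread().getName());
        } else {
            resp.getWriter().println("OK principal="
                    + (principal == null ? "null" : principal.getName()));
        }
    }
}
```

The thread name in the mismatch response lets failures be grouped by worker thread, which is the correlation the report suspects.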


