[jboss-jira] [JBoss JIRA] (WFLY-9251) Security context is not thread safe
Rémy Delerue (JIRA)
issues at jboss.org
Tue Sep 12 09:36:02 EDT 2017
[ https://issues.jboss.org/browse/WFLY-9251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13462784#comment-13462784 ]
Rémy Delerue edited comment on WFLY-9251 at 9/12/17 9:35 AM:
-------------------------------------------------------------
We disabled _ClientLoginModule_ and the issue seems to be resolved.
We think the following configuration is wrong:
{code:xml}
<security-domain name="TestSecurityDomain" cache-type="default">
<authentication>
<login-module code="be.test.TestLoginModule" flag="required"/>
<login-module code="org.jboss.security.ClientLoginModule" flag="optional"/>
</authentication>
</security-domain>
{code}
According to [wiki/ClientLoginModule|https://developer.jboss.org/wiki/ClientLoginModule], you can't have a _ClientLoginModule_ and the actual authentication module in the same security domain. We disabled our _ClientLoginModule_ and things seem better, with good performance (that wasn't the case without the cache or with the _synchronized_ blocks we tested out).
We'll enable it back if we really need it.
> Security context is not thread safe
> -----------------------------------
>
> Key: WFLY-9251
> URL: https://issues.jboss.org/browse/WFLY-9251
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 10.1.0.Final
> Environment: Windows, Linux
> Reporter: charles ghislain
> Assignee: Darran Lofthouse
> Labels: jaas, security, security-context, thread-safety, threads
> Attachments: wildfly-auth-overloader.js, wildflytestauthcontext-2.zip, wildflytestauthcontext.zip
>
>
> Using a custom JAAS login module, we sometimes fail to obtain the authenticated subject from the 'javax.security.auth.Subject.container' policy context. This appears to be related to the worker threads.
> See the reproduction steps below. When a WildFly instance attempts to authenticate 500 requests coming in simultaneously, a bunch of them fail. If you configure WildFly to only use a single worker thread and a single task thread, this issue disappears.
> The issue is as follows:
> I log in using HttpServletRequest#login.
> Right after that, login.getUserPrincipal returns the correct principal.
> However, sometimes, PolicyContext.getContext("javax.security.auth.Subject.container") returns null, right after the login.
> In our production app, PolicyContext.getContext("javax.security.auth.Subject.container") returns null during some EJB call, throwing random exceptions from various parts of the application.
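A probe servlet that performs the same check the report describes (programmatic login, then a JACC subject lookup on the same thread) and counts requests where the principal is present but the subject is missing, so the race can be observed under load. This is an added example, not code from the report or its attachments; the servlet name, URL pattern and the `user`/`pass` request parameters are placeholders.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet: logs in, then checks whether the JACC
// subject is visible on the same worker thread, as the report describes.
@WebServlet("/auth-probe")
public class AuthContextProbeServlet extends HttpServlet {
    private static final String SUBJECT_KEY = "javax.security.auth.Subject.container";
    private static final AtomicInteger attempts = new AtomicInteger();
    private static final AtomicInteger missingSubject = new AtomicInteger();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Placeholder parameter names; HttpServletRequest#login is the call the report uses.
        req.login(req.getParameter("user"), req.getParameter("pass"));
        Principal principal = req.getUserPrincipal();

        Subject subject;
        try {
            subject = (Subject) PolicyContext.getContext(SUBJECT_KEY);
        } catch (PolicyContextException e) {
            throw new ServletException("PolicyContext lookup failed", e);
        }

        int n = attempts.incrementAndGet();
        // The reported failure mode: principal is set, but the subject lookup yields null.
        boolean consistent = principal != null && subject != null;
        if (!consistent) {
            missingSubject.incrementAndGet();
            log("auth-probe: principal=" + principal + " subject=" + subject
                + " thread=" + Thread.currentThread().getName());
        }
        resp.setContentType("text/plain");
        resp.getWriter().printf("attempts=%d missingSubject=%d consistent=%b%n",
                n, missingSubject.get(), consistent);
        req.logout();
    }
}
```

Firing many concurrent POSTs at the endpoint and comparing `missingSubject` against `attempts` gives a per-deployment measure of the race; the server log records which worker thread each inconsistent request ran on.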