[jboss-jira] [JBoss JIRA] (SECURITY-1006) JASPIC module's initialize() is called multiple times
Hisanobu Okuda (Jira)
issues at jboss.org
Thu Feb 20 07:05:00 EST 2020
[ https://issues.redhat.com/browse/SECURITY-1006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13977483#comment-13977483 ]
Hisanobu Okuda commented on SECURITY-1006:
------------------------------------------
Since initialize() is called in the constructor of JBossServerAuthContext:
{code}
public JBossServerAuthContext(List<ServerAuthModule> modules,
        Map<String,Map> moduleNameToOptions, CallbackHandler cbh) throws AuthException
{
    this.modules = modules;
    this.moduleOptionsByName = moduleNameToOptions;
    for(ServerAuthModule sam:modules)
    {
        sam.initialize(null, null, cbh,
                moduleOptionsByName.get(sam.getClass().getName()));
    }
}
{code}
There is no need to call it in JBossServerAuthConfig.getAuthContext():
{code}
if(bai instanceof AuthenticationInfo)
{
    //Need to get a wrapper
    ServerAuthModule sam = new DelegatingServerAuthModule();
    Map options = new HashMap();
    options.put("javax.security.auth.login.LoginContext", secDomain); //Name of sec domain
    sam.initialize(null, null, this.callbackHandler, options); <== NOT NEEDED
    modules.add(sam);
}
else
{
    JASPIAuthenticationInfo jai = (JASPIAuthenticationInfo)bai;
    AuthModuleEntry[] amearr = jai.getAuthModuleEntry();

    // establish the module classloader if a jboss-module has been specified.
    ClassLoader moduleCL = null;
    List<String> jbossModuleNames = jai.getJBossModuleNames();
    if (!jbossModuleNames.isEmpty())
    {
        ClassLoaderLocator locator = ClassLoaderLocatorFactory.get();
        if (locator != null)
            moduleCL = locator.get(jbossModuleNames);
    }

    for(AuthModuleEntry ame: amearr)
    {
        if(ame.getLoginModuleStackHolderName() != null)
        {
            try
            {
                mapOptionsByName.put(ame.getAuthModuleName(), ame.getOptions());
                controlFlags.add(ame.getControlFlag());
                ServerAuthModule sam = this.createSAM(moduleCL, ame.getAuthModuleName(),
                        ame.getLoginModuleStackHolderName());

                Map options = new HashMap();

                options.putAll(ame.getOptions());
                sam.initialize(null, null, callbackHandler, options); <== NOT NEEDED
                modules.add(sam);
            }
            catch (Exception e)
            {
                throw new AuthException(e.getLocalizedMessage());
            }
        }
        else
        {
            try
            {
                mapOptionsByName.put(ame.getAuthModuleName(), ame.getOptions());
                controlFlags.add(ame.getControlFlag());
                ServerAuthModule sam = this.createSAM(moduleCL, ame.getAuthModuleName());

                Map options = new HashMap();
                options.putAll(ame.getOptions());
                sam.initialize(null, null, callbackHandler, options); <== NOT NEEDED
                modules.add(sam);
            }
{code}
> JASPIC module's initialize() is called multiple times
> -----------------------------------------------------
>
> Key: SECURITY-1006
> URL: https://issues.redhat.com/browse/SECURITY-1006
> Project: PicketBox
> Issue Type: Bug
> Components: PicketBox
> Affects Versions: PicketBox_5_0_3.Beta1
> Reporter: Hisanobu Okuda
> Priority: Major
> Attachments: reproducer.tar.gz
>
>
> JASPIC module's initialize() is called multiple times.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
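The comment above shows a ServerAuthModule being initialized once in JBossServerAuthConfig.getAuthContext() with the options built from its configuration, and a second time in the JBossServerAuthContext constructor with whatever a lookup keyed by the module's class name returns, which the quoted code does not guarantee is the same map. The following is an added example, not PicketBox code or an attachment to this issue: a ServerAuthModule written against the JASPIC 1.1 API (javax.security.auth.message, assumed to be on the classpath, Java 8 or later) that counts initialize() calls, keeps the configuration from the first call, tolerates a null options map, and whose main() replays the two call sites in simplified form. The class name, the option key/value and the empty class-name registry are constructed for the illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.module.ServerAuthModule;

/**
 * Constructed example, not PicketBox code: a ServerAuthModule that records every
 * initialize() call and keeps the configuration from the first one, so a later
 * call with a different (or null) options map cannot replace it.
 */
public class InitCountingServerAuthModule implements ServerAuthModule {

    private final AtomicInteger initCalls = new AtomicInteger();
    private volatile CallbackHandler handler;
    private volatile Map<Object, Object> options = Collections.emptyMap();

    @Override
    @SuppressWarnings({"rawtypes", "unchecked"})
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map rawOptions) throws AuthException {
        int n = initCalls.incrementAndGet();
        if (n > 1) {
            // JSR-196 expects one initialize() per module instance. A repeated call is
            // logged and ignored rather than allowed to overwrite live configuration.
            System.err.println("WARNING: initialize() called " + n + " times on "
                    + getClass().getName() + "; keeping the first configuration");
            return;
        }
        if (handler == null) {
            throw new AuthException("CallbackHandler must not be null");
        }
        this.handler = handler;
        // A null map is possible when the caller looks options up by class name and
        // the lookup misses; treat it as "no options" instead of failing later.
        this.options = rawOptions == null
                ? Collections.emptyMap()
                : Collections.unmodifiableMap(new HashMap<Object, Object>(rawOptions));
    }

    /** Number of initialize() calls seen so far; 1 is the only correct value. */
    public int initializeCallCount() {
        return initCalls.get();
    }

    /** Options captured by the first initialize() call. */
    public Map<Object, Object> options() {
        return options;
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        // An HTTP module would list HttpServletRequest and HttpServletResponse here.
        return new Class[0];
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        if (handler == null) {
            throw new AuthException("validateRequest() called before initialize()");
        }
        // Real credential collection through the CallbackHandler goes here; this
        // example carries no authentication logic, so it fails closed.
        return AuthStatus.SEND_FAILURE;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
            throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }

    /** Replays the two call sites from the quoted PicketBox code in simplified form. */
    public static void main(String[] args) throws AuthException {
        CallbackHandler cbh = callbacks -> { };   // stand-in handler for the demo
        InitCountingServerAuthModule sam = new InitCountingServerAuthModule();

        // getAuthContext(): options built from the module's configuration
        Map<String, String> configured = new HashMap<>();
        configured.put("javax.security.auth.login.LoginContext", "other");
        sam.initialize(null, null, cbh, configured);

        // JBossServerAuthContext constructor: options looked up by class name;
        // an empty registry (constructed here) makes that lookup return null
        Map<String, Map<String, String>> optionsByName = new HashMap<>();
        sam.initialize(null, null, cbh, optionsByName.get(sam.getClass().getName()));

        System.out.println("initialize() calls: " + sam.initializeCallCount());
        System.out.println("effective options:  " + sam.options());
    }
}
```

Running main() shows the module was initialized twice while its effective options remain the ones from the first call. A module that instead re-reads every option on each initialize() would, on the second call, either throw on the null map or silently drop the security-domain setting, which is the practical reason a duplicated initialize() is a bug rather than a harmless redundancy.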