  1. EJB 3.0
  2. EJBTHREE-399

Security bug needs different patch


Details

    • Task
    • Resolution: Done
    • Major
    • EJB 3.0 RC4 - PFD
    • None
    • None
    • None

    Description

      You need to implement the security principal/credential leak differently because the fix you provided will not work with older versions of JBoss without patching large parts of it. I think the solution should be done in the aspects security interceptor where, if the principal/credential is in the invocation object, then clear them after the invocation is finished. Principal/credentials that live in the invocation mean that they were propagated from a remote invocation.
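
      A sketch of the clear-after-invocation pattern the description proposes, added here as an illustration and not taken from JBoss or from the eventual fix. The class, the `Invocation` type, the thread-local fields and the `"principal"`/`"credential"` metadata keys are all hypothetical stand-ins.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;

// Hypothetical stand-ins, not JBoss classes: a per-thread security context,
// an invocation object carrying propagated metadata, and an interceptor.
public class ClearPropagatedIdentity {
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();
    static final ThreadLocal<char[]> CREDENTIAL = new ThreadLocal<>();

    static class Invocation {
        final Map<String, Object> metadata = new HashMap<>();
        final Callable<Object> target;
        Invocation(Callable<Object> target) { this.target = target; }
    }

    // Interceptor: install the propagated identity, run the call, then clear it.
    static Object invoke(Invocation inv) throws Exception {
        String principal = (String) inv.metadata.get("principal");
        char[] credential = (char[]) inv.metadata.get("credential");
        // Identity present in the invocation means it came from a remote caller.
        boolean propagated = principal != null || credential != null;
        if (propagated) {
            PRINCIPAL.set(principal);
            CREDENTIAL.set(credential);
        }
        try {
            return inv.target.call();
        } finally {
            // Runs on normal return and on exception, so a pooled worker thread
            // never carries one caller's identity into the next request.
            if (propagated) {
                PRINCIPAL.remove();
                CREDENTIAL.remove();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Invocation remote = new Invocation(() -> "ran as " + PRINCIPAL.get());
        remote.metadata.put("principal", "alice");                 // constructed sample
        remote.metadata.put("credential", "s3cret".toCharArray()); // constructed sample
        System.out.println(invoke(remote));
        // Same thread, next invocation carries no identity: it must not see alice.
        Invocation local = new Invocation(() -> "ran as " + PRINCIPAL.get());
        System.out.println(invoke(local));
    }
}
```

      Removing the `finally` block reproduces the leak: the second invocation on the same thread then runs with the first caller's principal.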


            People

              wdecoste1@redhat.com William Decoste (Inactive)
              patriot1burke@gmail.com Bill Burke (Inactive)
