Uploaded image for project: 'Application Server 3 4 5 and 6'
  1. Application Server 3 4 5 and 6
  2. JBAS-2820

ClientLoginModule improperly clears SecurityAssociation stack in logout()

    XMLWordPrintable

Details

    Description

      I found a problem with how the ClientLoginModule handles the SecurityAssociation stack. The problem appears under the following conditions:

      1. restoreloginidentity = true
      2. method calls are made through session bean interfaces. (this causes the stack to be pushed and later popped).
      3. there are multiple logins before a logout.

      Summary:

      Basically what happens is I login a user, call a session bean, login a second user, logout the second user, exit the session bean and expect to revert to original user. The original user should still be logged in but it isn't. The problem is this: the ClientLoginModule.logout() method always clears the SecurityAssociation stack and then restores the login identity by logging in again. This leaves stack out of sync and when the session bean call exits, the stack is popped again and the user removed when it really should still be there.

      Here is a sequence of what happens with the stack during my scenario:

      1. Starting point. (Stack.size = 0)
      2. Login 1st user.User is set to SecurityAssociation and pushed to stack. (Stack.size = 1)
      3. Make call to session bean. User is pushed to stack again by AuthenticationInterceptor. (Stack.size = 2)
      4. Login 2nd user. User is set to SecurityAssociation and pushed to stack. (Stack.size = 3)
      5. Logout 2nd user. Stack is cleared. (Stack.size = 0) (THIS IS THE PROBLEM)
      6. 1st user is reset to SecurityAssociation and pushed to stack by the ClientLoginModule. (Stack.size = 1)
      7. exit call to session bean. 1st User is popped from stack by AuthenticationInterceptor. (Stack.size = 0)
      8. No user is logged in.

      What should be happening is in Step 5, the stack should be popped not cleared. The end result in Step 8 should be one user in the stack. The only way I should end up with an empty stack is if I call logout again, which I didn't.

      Here is the fix I put into the ClientLoginModule:

      public boolean abort() throws LoginException {
      /* Changed here. Only clear if not restoring identity. */
      if (restoreLoginIdentity)

      { SecurityAssociation.popSubjectContext(); }
      else { SecurityAssociation.clear(); }

      return true;
      }

      public boolean logout() throws LoginException {
      /* Changed here. Only clear if not restoring identity. */
      if (restoreLoginIdentity) { SecurityAssociation.popSubjectContext(); }

      else

      { SecurityAssociation.clear(); }

      Set principals = subject.getPrincipals();
      principals.remove(loginPrincipal);

      return true;
      }

      Attachments

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. SECURITY-339 ClientLoginModule improperly handles SecurityAssociation stack in abort()

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              starksm64 Scott Stark (Inactive)
              jwynett Luigi Putanesca (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: