Details
- Bug
- Resolution: Obsolete
- Major
- JBossAS-4.0.4.GA
- None
Description
The problem occurs when the LoginContext is initialized and logged in, and I try to call the server. At this point the call fails (wrong credentials) and I do not log out the context. After this any call coming to the Tomcat server from any browser running on other machines gives a security exception in JBoss. In the JBoss log I can see the JBoss ServerLoginModule saying "Bad Password given for username=a" where 'a' is the user with the invalid credentials from the previous call.
If the LoginContext is logged out in case of an exception, everything works out fine. However, since what I described above means that the web server picks up a LoginContext belonging to a different session, this worries me a lot.
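The behaviour reported above, reproduced with standard JAAS classes as an added example (not code from the report or from JBoss). It assumes the client-side login binds the caller identity to state that outlives the request, modelled here by a `ThreadLocal`; `BindModule`, `CALLER`, `callServer` and `request` are hypothetical names.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class LogoutDemo {
    // Constructed stand-in for an identity binding that outlives one request (assumption).
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    // Hypothetical client-side module: login() binds the user, logout() removes the binding.
    public static class BindModule implements LoginModule {
        private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            user = (String) opts.get("user");
        }
        public boolean login() { CALLER.set(user); return true; }
        public boolean commit() { return true; }
        public boolean abort() { CALLER.remove(); return true; }
        public boolean logout() { CALLER.remove(); return true; }
    }

    static LoginContext contextFor(String user) throws LoginException {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(BindModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of("user", user)) };
            }
        };
        return new LoginContext("demo", new Subject(), null, cfg);
    }

    // Simulated server call: user "a" carries wrong credentials and is rejected.
    static String callServer() {
        String who = CALLER.get();
        if ("a".equals(who)) throw new SecurityException("Bad Password given for username=a");
        return "ok as " + (who == null ? "anonymous" : who);
    }

    // One request on a worker thread; user == null means the request performs no login itself.
    static String request(String user, boolean logoutInFinally) {
        try {
            LoginContext lc = user == null ? null : contextFor(user);
            if (lc != null) lc.login();
            try { return callServer(); }
            finally { if (lc != null && logoutInFinally) lc.logout(); }
        } catch (Exception e) { return "denied: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        System.out.println(request("a", false));  // failed call, context never logged out
        System.out.println(request(null, false)); // unrelated request on the same thread
        CALLER.remove();                          // reset between the two scenarios
        System.out.println(request("a", true));   // failed call, logout() runs in finally
        System.out.println(request(null, true));  // unrelated request on the same thread
    }
}
```

Putting `logout()` in a `finally` block, rather than only on the success path, is what keeps a failed call from leaving its identity behind for the next request.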