Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: JBossAS-4.2.3.GA
    • Fix Version/s: No Release
    • Component/s: Security
    • Labels:
      None
    • Environment:

      JBOSS AS 4.2.3 on Linux

      Description

      Because of the anonymous issue reported in https://jira.jboss.org/browse/JBAS-3945, we coded something similar to the following to work around the issue. This was suggested by the JBoss support team.

      ---------------------------------------------------------------------------------------------
      When we are changing the principal (performing another login) we need to call
      these JBoss APIs in our login module:

      SecurityAssociation.popRunAsRole()
      SecurityAssociation.pushRunAsRole()

      This will pop the old run-as role and push the new run-as role (which we want
      the second transaction to run as).

      Change the JAAS login module to explicitly set the new principal and
      credentials during login. This was after the callback handler handle method
      was invoked and we had the principal and credentials:

      SecurityAssociation.setPrincipal(new SimplePrincipal(username));
      SecurityAssociation.setCredential(password);
      --------------------------------------------------------------------------------------------------------------------------

      After doing this, we started seeing that the principal is shared among the threads. For example, user 1 logs in and sees information about user 2. This happens only after heavy load testing. This is also reproducible after a couple of hours of running a load test.

      If we remove the above code, then the issue goes away. But the anonymous issue appears.

      Any help in finding the root cause of the issue is appreciated.
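
The symptom reported above is consistent with a per-thread identity being left behind on a pooled worker thread and picked up by the next request; whether that is the cause in this issue is not established on this page. The following is an added example, not JBoss code and not the reporter's code, that reproduces that failure mode with a plain ThreadLocal and shows the try/finally cleanup that prevents it. The class, the PRINCIPAL holder, login() and the user name "user2" are constructed for illustration.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration: PRINCIPAL and login() are hypothetical stand-ins for a
// thread-associated security context; this is not JBoss code.
public class StaleIdentityDemo {
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();

    // Stand-in for a login module that binds the caller to the current thread.
    static void login(String user) {
        PRINCIPAL.set(user);
    }

    // One request: authenticated callers log in, anonymous callers (null) do not.
    static String handle(String user, boolean clearAfter) {
        try {
            if (user != null) {
                login(user);
            }
            return "caller=" + user + " ran as " + PRINCIPAL.get();
        } finally {
            if (clearAfter) {
                PRINCIPAL.remove(); // drop the identity before the thread is reused
            }
        }
    }

    // Serve an authenticated request, then an anonymous one, on the same worker.
    static void run(final boolean clearAfter) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            Callable<String> asUser2 = () -> handle("user2", clearAfter);
            Callable<String> anonymous = () -> handle(null, clearAfter);
            System.out.println(pool.submit(asUser2).get());
            System.out.println(pool.submit(anonymous).get());
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("identity left on the pooled thread:");
        run(false);
        System.out.println("identity cleared in finally:");
        run(true);
    }
}
```

In the first run the anonymous request executes under the previous caller's identity; in the second run it executes with no identity bound.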

              People

              • Assignee:
                anil.saldhana Anil Saldanha
                Reporter:
                rajeshbhabu Rajesh Bhabu