PicketBox: SECURITY-339

ClientLoginModule improperly handles SecurityAssociation stack in abort()


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • JBossSecurity_2.0.4
    • Component: JBossSX

      The abort() method calls SecurityAssociationActions.popPrincipalInfo() even though the corresponding push happens in commit() [via SecurityAssociationActions.setPrincipalInfo(loginPrincipal, loginCredential, subject)]. That means that whenever a login fails, commit() is not called (thus nothing is pushed), but abort() still pops an element off the stack. This should not be done. IMHO the abort() method should look like this:

      // Proposed abort() for ClientLoginModule: no pop, since commit() was never reached
      public boolean abort() throws LoginException
      {
         if( trace )
            log.trace("abort");
         if( restoreLoginIdentity == false )
         {
            // Clear the entire security association stack
            SecurityAssociationActions.clear();
         }
         return true;
      }
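      To make the stack imbalance concrete, the following is an added, self-contained Java sketch (not PicketBox code): a stand-in principal stack, a login module with the reported abort() beside the proposed one, and a failed login running on top of an identity the caller had already established. Class and method names (AssocStack, ClientModule, afterFailedLogin) are constructed for the illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Constructed stand-in for the SecurityAssociation principal stack.
final class AssocStack {
    private static final Deque<String> STACK = new ArrayDeque<>();
    static void push(String principal) { STACK.push(principal); }
    static String pop() { return STACK.isEmpty() ? null : STACK.pop(); }
    static String peek() { return STACK.peek(); }
    static void clear() { STACK.clear(); }
}

// Minimal login-module lifecycle: login() -> commit() on success, login() -> abort() on failure.
final class ClientModule {
    private final boolean fixedAbort;            // false = reported behaviour, true = proposed fix
    private final boolean restoreLoginIdentity;  // mirrors the module option named in the report
    private String loginPrincipal;

    ClientModule(boolean fixedAbort, boolean restoreLoginIdentity) {
        this.fixedAbort = fixedAbort;
        this.restoreLoginIdentity = restoreLoginIdentity;
    }
    boolean login(String user, String password) {
        if (!"secret".equals(password)) return false;   // constructed check, no real callback handler
        loginPrincipal = user;
        return true;
    }
    boolean commit() { AssocStack.push(loginPrincipal); return true; }   // the only push
    boolean abort() {
        if (!fixedAbort) AssocStack.pop();                  // unbalanced pop: nothing was pushed
        else if (!restoreLoginIdentity) AssocStack.clear(); // proposed: only clear when not restoring
        return true;
    }
}

public class Security339Demo {
    // Runs one failed login on top of an existing identity; returns who is left on top of the stack.
    static String afterFailedLogin(boolean fixedAbort) {
        AssocStack.clear();
        AssocStack.push("caller");   // identity established earlier by the surrounding code
        ClientModule m = new ClientModule(fixedAbort, true);
        if (m.login("alice", "wrong")) m.commit(); else m.abort();
        return AssocStack.peek();
    }
    public static void main(String[] args) {
        System.out.println("reported abort(): top = " + afterFailedLogin(false)); // null: caller's identity lost
        System.out.println("proposed abort(): top = " + afterFailedLogin(true));  // caller
    }
}
```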

            anil.saldhana Anil Saldanha (Inactive)
            nlmarco Marco Nguitragool (Inactive)
