Bug
Resolution: Done
Critical
JBossAS-4.0.4RC1
None
I found a problem with how the ClientLoginModule handles the SecurityAssociation stack. The problem appears under the following conditions:
1. restoreloginidentity = true
2. method calls are made through session bean interfaces. (this causes the stack to be pushed and later popped).
3. there are multiple logins before a logout.
Summary:
Basically what happens is I login a user, call a session bean, login a second user, logout the second user, exit the session bean and expect to revert to the original user. The original user should still be logged in but it isn't. The problem is this: the ClientLoginModule.logout() method always clears the SecurityAssociation stack and then restores the login identity by logging in again. This leaves the stack out of sync, and when the session bean call exits, the stack is popped again and the user removed when it really should still be there.
Here is a sequence of what happens with the stack during my scenario:
1. Starting point. (Stack.size = 0)
2. Login 1st user. User is set to SecurityAssociation and pushed to stack. (Stack.size = 1)
3. Make call to session bean. User is pushed to stack again by AuthenticationInterceptor. (Stack.size = 2)
4. Login 2nd user. User is set to SecurityAssociation and pushed to stack. (Stack.size = 3)
5. Logout 2nd user. Stack is cleared. (Stack.size = 0) (THIS IS THE PROBLEM)
6. 1st user is reset to SecurityAssociation and pushed to stack by the ClientLoginModule. (Stack.size = 1)
7. Exit call to session bean. 1st user is popped from stack by AuthenticationInterceptor. (Stack.size = 0)
8. No user is logged in.
What should be happening is in Step 5, the stack should be popped not cleared. The end result in Step 8 should be one user in the stack. The only way I should end up with an empty stack is if I call logout again, which I didn't.
Here is the fix I put into the ClientLoginModule:
public boolean abort() throws LoginException {
    /* Changed here. Only clear if not restoring identity. */
    if (restoreLoginIdentity) { SecurityAssociation.popSubjectContext(); }
    else { SecurityAssociation.clear(); }
    return true;
}

public boolean logout() throws LoginException {
    /* Changed here. Only clear if not restoring identity. */
    if (restoreLoginIdentity) { SecurityAssociation.popSubjectContext(); }
    else { SecurityAssociation.clear(); }
    Set principals = subject.getPrincipals();
    principals.remove(loginPrincipal);
    return true;
}
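The stack walk-through and the fix above can be replayed with a small model. The code below is an added example, not JBoss code and not the reporter's: `SecurityAssociationModel` is a constructed stand-in for `org.jboss.security.SecurityAssociation` that tracks only a current principal and a context stack, and `client_logout_original` / `client_logout_fixed` are hypothetical names for the two logout behaviours described in the report (clear-then-relogin versus pop). Running the eight steps under each shows why the clear leaves the stack one level short once the AuthenticationInterceptor pops on bean exit.

```python
# Added model of the SecurityAssociation stack behaviour described in this issue.
# Not JBoss code: the class stands in for SecurityAssociation and tracks only the
# current principal and the subject-context stack; user names are constructed.


class SecurityAssociationModel:
    """Constructed stand-in for the client-side SecurityAssociation stack."""

    def __init__(self):
        self.current = None  # what getPrincipal() would return
        self.stack = []      # the subject-context stack

    def push_subject_context(self, principal):
        """Set the current principal and push a context (login and interceptor entry)."""
        self.current = principal
        self.stack.append(principal)

    def pop_subject_context(self):
        """Pop one context; the new top (if any) becomes the current principal."""
        if self.stack:
            self.stack.pop()
        self.current = self.stack[-1] if self.stack else None

    def clear(self):
        """Drop every context, as SecurityAssociation.clear() does."""
        self.current = None
        self.stack.clear()


def client_login(sa, principal):
    """Model of ClientLoginModule login/commit: set the principal and push a context."""
    sa.push_subject_context(principal)


def client_logout_original(sa, previous_principal):
    """Behaviour the report calls buggy: clear the whole stack, then re-login the saved user."""
    sa.clear()
    if previous_principal is not None:
        sa.push_subject_context(previous_principal)


def client_logout_fixed(sa, previous_principal):
    """Behaviour of the posted fix with restoreLoginIdentity=true: pop one level only."""
    sa.pop_subject_context()


def run_scenario(logout):
    """Replay the report's eight steps; return (stack size after each step, final principal)."""
    sa = SecurityAssociationModel()
    sizes = [len(sa.stack)]                                            # 1. starting point
    client_login(sa, "user1"); sizes.append(len(sa.stack))             # 2. login 1st user
    sa.push_subject_context(sa.current); sizes.append(len(sa.stack))   # 3. interceptor push on bean call
    saved = sa.current                                                 # identity restoreLoginIdentity remembers
    client_login(sa, "user2"); sizes.append(len(sa.stack))             # 4. login 2nd user
    logout(sa, saved); sizes.append(len(sa.stack))                     # 5/6. logout 2nd user (+ restore)
    sa.pop_subject_context(); sizes.append(len(sa.stack))              # 7. interceptor pop on bean exit
    return sizes, sa.current                                           # 8. who is still logged in


if __name__ == "__main__":
    print("original:", run_scenario(client_logout_original))  # ([0, 1, 2, 3, 1, 0], None)
    print("fixed:   ", run_scenario(client_logout_fixed))     # ([0, 1, 2, 3, 2, 1], 'user1')
```

With the original behaviour the size sequence is 0, 1, 2, 3, 1, 0 and nobody is logged in after step 7; with the pop the sequence is 0, 1, 2, 3, 2, 1 and the first user remains, which is the outcome the report expects.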
Is related to: SECURITY-339 ClientLoginModule improperly handles SecurityAssociation stack in abort() (Resolved)