Loading...

XML

Word

Printable

Type: Bug
Resolution: Obsolete
Priority: Major
Fix Version/s: No Release
Affects Version/s: JBossAS-4.0.4.GA
Component/s: Security
Labels:
None
Environment:

Hide

Linux. I have two linux servers with JBoss installed running in clustered mode and two servers with Tomcat 5.23 running in load-balancing mode(not clustered).
I have replicated the problem on windows with a jboss and tomcat running independently.

Show
Linux. I have two linux servers with JBoss installed running in clustered mode and two servers with Tomcat 5.23 running in load-balancing mode(not clustered). I have replicated the problem on windows with a jboss and tomcat running independently.

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The problem occurs when I the LoginContext is initialized and logged in, and I try to call the server. At this point the call fails(wrong credentials) and I do not logout the context. After this any call coming to the tomcat server from any browser running on other machines gives a security exception in JBoss. In the JBoss log it I can see the JBoss ServerLoginModule saying "Bad Password given for username=a" where 'a' is the user with the invalid credentials from the previous call.

In case the LoginContext is logged out in case of an exception everything works out fine. However, since what I described above means that the web-server picks up a LoginContext belonging to a different session this worries me a lot.

Assignee:: Scott Stark (Inactive)

Reporter:: Christos Nicolaou (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Created:: 2007/12/03 5:47 AM

Updated:: 2011/03/22 2:01 PM

Resolved:: 2011/03/22 2:01 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates