  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-5467

SecurityContext Leak From Servlet Initialisation


    • Bug
    • Resolution: Won't Do
    • Major
    • TBD EAP 5
    • None
    • Web
    • None
    • Workaround Exists
    • The solution is to use the already provided setting "org.jboss.security.context.ThreadLocal",
      which makes sure ThreadLocals are used instead of InheritableThreadLocal.

    • Not Required

      During the deployment of web applications the RunAsListener establishes a security context before the init method is invoked on servlets being deployed.

      This Listener also establishes the SecurityContext before a servlet is called or destroyed.

      When this deployment happens during application server start-up, this association is on the 'main' thread; as this uses an InheritableThreadLocal, it is possible in certain conditions for it to become shared by other child threads.

      This Jira issue is to ensure it is cleared after deployment.

              tfonteyn Tom Fonteyne (Inactive)
              darran.lofthouse@redhat.com Darran Lofthouse
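The inheritance behaviour described in this issue, shown as an added example that is not JBoss code and not part of the original issue. The holder fields, the "run-as: admin" value and the single-thread pool are assumptions standing in for the SecurityContext association and for a worker thread first started while a servlet's init method runs.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class SecurityContextLeakDemo {
    // Hypothetical stand-ins for the per-thread security context holder.
    static final ThreadLocal<String> INHERITABLE = new InheritableThreadLocal<>();
    static final ThreadLocal<String> PLAIN = new ThreadLocal<>();

    /**
     * Simulates deployment on the calling thread and returns the context
     * that a pooled worker thread still sees after the deployer has cleared
     * its own association.
     */
    static String contextSeenByWorker(ThreadLocal<String> holder) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Context is established on the deploying thread before init().
            holder.set("run-as: admin");

            // During "init()" the first task is submitted. The pool creates
            // its worker thread now, from the deploying thread, so an
            // InheritableThreadLocal value is copied into the new thread.
            pool.submit(() -> { }).get();

            // The deployer clears the association on its own thread only.
            holder.remove();

            // A later, unrelated task runs on the same pooled thread.
            Callable<String> read = holder::get;
            return pool.submit(read).get();
        } finally {
            holder.remove();
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("InheritableThreadLocal: " + contextSeenByWorker(INHERITABLE));
        System.out.println("ThreadLocal:            " + contextSeenByWorker(PLAIN));
    }
}
```

A child thread takes its copy of an InheritableThreadLocal value when it is created, so removing the value on the parent afterwards does not reach threads that already exist; with a plain ThreadLocal no copy is made.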