Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Won't Do
Priority: Major
Fix Version/s: None
Affects Version/s: PicketBox_4_0_19.Final
Component/s: AS-Integration
Labels:
None

Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1219778, https://bugzilla.redhat.com/show_bug.cgi?id=1230308, https://bugzilla.redhat.com/show_bug.cgi?id=1274071

Description

The member field ThreadLocal<CompoundInfo> validatedDomainInfo was introduced for the fix of ~~SECURITY-868~~. When you are authenticated, a valid security info is stored in the field thread-locally. Then, you flushes the JAAS cache via CLI or API in another thread, org.jboss.security.authentication.JBossCachedAuthenticationManager.flushCache() is invoked, but validatedDomainInfo is not flushed properly, since it is ThreadLocal. As a result, a cached security info is re-used unexpectedly.

Attachments

Activity

People

Assignee:: Stefan Guilhen

Reporter:: Hisanobu Okuda

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2015/05/08 4:35 AM

Updated:: 2017/01/17 8:54 AM

Resolved:: 2015/05/21 3:07 AM