Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-882

Fix for SECURITY-868 breaks flush-cache capability

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Won't Fix
    • PicketBox_4_0_19.Final
    • None
    • AS-Integration
    • None

    Description

      The member field ThreadLocal<CompoundInfo> validatedDomainInfo was introduced for the fix of SECURITY-868. When you are authenticated, a valid security info is stored in the field thread-locally. Then, you flushes the JAAS cache via CLI or API in another thread, org.jboss.security.authentication.JBossCachedAuthenticationManager.flushCache() is invoked, but validatedDomainInfo is not flushed properly, since it is ThreadLocal. As a result, a cached security info is re-used unexpectedly.

      Attachments

        Activity

          People

            sguilhen Stefan Guilhen
            rhn-support-hokuda Hisanobu Okuda
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: