
SecurityContext does not clear the credentials of a SOAP-Gateway

    Details

    • Steps to Reproduce:

      Attached is the reproducer for this.

      • Create a new application user and use the DefaultSecurityContext of the container, i.e. 'others'.

      You will see the following results:

      16:51:43,490 INFO [stdout] (http-/127.0.0.1:8080-1) size of credentials is [ConfidentialityCredential@7200271[confidential=false], PasswordCredential@17682415[password=********], PrincipalCredential@30303978[principal=WSUsernameTokenPrincipal: Viral, trusted=true], NameCredential@29795364[name=Viral], PrincipalCredential@13919100[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PrincipalCredential@10225881[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PrincipalCredential@6835071[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PrincipalCredential@24550356[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PrincipalCredential@11706165[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PrincipalCredential@6877255[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PasswordCredential@24562343[password=*******], PasswordCredential@5188385[password=*****], PrincipalCredential@26781065[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PrincipalCredential@11685805[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PasswordCredential@9236331[password=**], PrincipalCredential@2179177[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PrincipalCredential@18516688[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PasswordCredential@26177457[password=*******], PrincipalCredential@15669606[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PrincipalCredential@8012888[principal=WSUsernameTokenPrincipal: Viral, trusted=true], PrincipalCredential@18916622[principal=WSUsernameTokenPrincipal: Viral, trusted=true]]

      SecurityContext is an InheritableThreadLocal, so the object is reused for each call made on the same thread (the HTTP thread).

      There should be a filter that can check whether the credentials already exist or are new,
      in the InboundHandler code:

      // InboundHandler field: the credentials set lives on the (pooled) request thread
      private static final ThreadLocal<Set<Credential>> CREDENTIALS = new ThreadLocal<Set<Credential>>();

      // In the handler: add any thread-local and/or binding-extracted credentials to the
      // context obtained from the manager. Because that context is the same object on every
      // call made by this thread, the set only ever grows.
      SecurityContext securityContext = _securityContextManager.getContext(exchange);
      securityContext.getCredentials().addAll(credentials);
      securityContext.getCredentials().addAll(soapBindingData.extractCredentials());
      _securityContextManager.setContext(exchange, securityContext);

      This can potentially also cause memory leaks.


      Description

      SecurityContext does not clear the credentials of a SOAP-Gateway. Consecutive calls to the gateway add the credentials of each call. If we want to extract the credentials later in the exchange, we get wrong (previously added) credentials.

      Cause: SecurityContext is an InheritableThreadLocal, so the object is reused for each call made on the same thread (the HTTP thread).
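      As an added illustration (not code from the SwitchYard project or from the reporter's attachment), the following Java model reproduces the reported behaviour: a SecurityContext held in an InheritableThreadLocal on one reused worker thread gains a credential on every call, while a handler that installs a fresh context per exchange and removes it afterwards does not. Credential, SecurityContext and the two handler names are hypothetical stand-ins.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalContextDemo {
    // Hypothetical stand-ins for the project's types, not SwitchYard's own classes. Credential has
    // no equals()/hashCode(), so every call's credential is a distinct object, as in the report's log.
    static final class Credential { final String principal; Credential(String p) { principal = p; } }
    static final class SecurityContext {
        private final Set<Credential> credentials = new LinkedHashSet<>();
        Set<Credential> getCredentials() { return credentials; }
    }
    // The reported cause: the context is an InheritableThreadLocal, so a pooled HTTP worker
    // thread hands the same SecurityContext object to every exchange it processes.
    static final InheritableThreadLocal<SecurityContext> CONTEXT = new InheritableThreadLocal<SecurityContext>() {
        @Override protected SecurityContext initialValue() { return new SecurityContext(); }
    };
    // Accumulating handler, as in the report: adds on top of whatever the last exchange left behind.
    static int handleAccumulating(Credential extracted) {
        SecurityContext ctx = CONTEXT.get();
        ctx.getCredentials().add(extracted);
        return ctx.getCredentials().size();
    }
    // Scoped handler: fresh context per exchange, removed when the exchange ends, so nothing
    // leaks into the next request and the pooled thread holds no reference afterwards.
    static int handleScoped(Credential extracted) {
        CONTEXT.set(new SecurityContext());
        try {
            CONTEXT.get().getCredentials().add(extracted);
            return CONTEXT.get().getCredentials().size();
        } finally {
            CONTEXT.remove();
        }
    }
    public static void main(String[] args) throws Exception {
        // A single reused worker thread models the container's http-/127.0.0.1:8080-1 thread.
        ExecutorService httpThread = Executors.newSingleThreadExecutor();
        for (int call = 1; call <= 3; call++) {
            int n = httpThread.submit(() -> handleAccumulating(new Credential("Viral"))).get();
            System.out.println("accumulating: call " + call + " sees " + n + " credential(s)");
        }
        for (int call = 1; call <= 3; call++) {
            int n = httpThread.submit(() -> handleScoped(new Credential("Viral"))).get();
            System.out.println("scoped: call " + call + " sees " + n + " credential(s)");
        }
        httpThread.shutdown();
    }
}
```

      The accumulating loop reports a growing count on each call, which is the symptom in the log line above; the scoped loop reports the same count every time.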

              People

              • Assignee:
                Unassigned
                Reporter:
                vrlgohel Viral Gohel