Bug 1219778

Summary: [GSS](6.4.z) Fix for SECURITY-868 breaks flush-cache capability
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Hisanobu Okuda <hokuda>
Component: SecurityAssignee: Ivo Studensky <istudens>
Status: CLOSED CURRENTRELEASE QA Contact: Josef Cacek <jcacek>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4.0CC: anmiller, bbaranow, bdawidow, bmaxwell, cdewolf, christian.reiter, darran.lofthouse, dehort, dhorton, istudens, jtymel, pskopek, rsvoboda
Target Milestone: CR1   
Target Release: EAP 6.4.5   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1230308 (view as bug list) Environment:
Last Closed: 2017-01-17 11:37:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1230308, 1235745, 1255390, 1259278, 1274071    
Attachments:
Description Flags
reproducer.tar.gz none

Description Hisanobu Okuda 2015-05-08 08:38:20 UTC 
Description of problem:
The member field ThreadLocal<CompoundInfo> validatedDomainInfo was introduced for the fix of SECURITY-868. When you are authenticated, a valid security info is stored in the field thread-locally. Then, you flushes the JAAS cache via CLI or API in another thread, org.jboss.security.authentication.JBossCachedAuthenticationManager.flushCache() is invoked, but validatedDomainInfo is not flushed properly, since it is ThreadLocal. As a result, a cached security info is re-used unexpectedly.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Hisanobu Okuda 2015-05-12 04:56:40 UTC 
Created attachment 1024453 [details]
reproducer.tar.gz
Comment 2 JBoss JIRA Server 2015-05-21 07:07:51 UTC 
Ivo Studensky <istudens> updated the status of jira SECURITY-882 to Resolved
Comment 3 JBoss JIRA Server 2015-05-21 07:09:46 UTC 
Ivo Studensky <istudens> updated the status of jira SECURITY-868 to Reopened
Comment 10 Petr Penicka 2017-01-17 11:37:26 UTC 
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.