1005093 – Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread

Bug 1005093 - Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread

Summary: Security context associated with EJB asynchronous invocations can potentially...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	EJB, Security
Sub Component:
Version:	6.0.1,6.1.0,6.1.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	ER1
Target Release:	EAP 6.2.0
Assignee:	David M. Lloyd
QA Contact:	Jan Martiska
Docs Contact:	Russell Dickenson
URL:
Whiteboard:
Duplicates (1):	1032188 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-09-06 08:22 UTC by Jaikiran Pai
Modified:	2014-05-27 01:28 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	An EJB that is called asynchronously from a servlet can potentially lose its security context if the servlet invocation completes first. This occurred when security context of the servlet was cleared because both the servlet and the EJB threads share the same SecurityContext instance. Now the SecurityContext attributes are copied from the instance on the servlet thread to a new instance of the SecurityContext object on the EJB thread. Updates to SecurityContext instances on one thread no longer affect instances on other threads as expected.
Clone Of:
Environment:
Last Closed:	2013-12-15 16:21:03 UTC
Type:	Bug

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jaikiran Pai 2013-09-06 08:22:15 UTC

Consider a servlet "S" which invokes on a asynchronous EJB "A". Let's assume "S" runs with a "foo" run-as role. Now when S invokes on "A", the run-as "foo" role is correctly propagated to the asynchronous EJB invocation. However, when the "S" invocation completes and potentially clears the security context (of any run-as role), the invocation(s) within the asynchronous EJB "A" too lose the corresponding security context role association. This is because the 2 threads (the servlet invocation one and the async EJB invocation one) literally share the same object instance of the SecurityContext.

The expected behaviour is that the original security context (attributes) are copied over to the async invocation and updates to that security context later on in a separate thread shouldn't affect the ongoing async EJB invocation.

Comment 3 Jan Martiska 2013-09-19 12:01:33 UTC

Verified in EAP 6.2.0.ER1.

Comment 9 Dimitris Andreadis 2013-10-24 18:27:01 UTC

Assigning jpai EJB issues to david.lloyd. Please re-assign to Cheng or others as needed.

Comment 10 wfink 2013-11-19 17:38:15 UTC

*** Bug 1032188 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.