1032188 – Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread

Bug 1032188 - Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread

Summary: Security context associated with EJB asynchronous invocations can potentially...

Keywords:
Status:	CLOSED DUPLICATE of bug 1005093
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	EJB, Security
Sub Component:
Version:	6.1.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	David M. Lloyd
QA Contact:	Jan Martiska
Docs Contact:	Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-11-19 16:59 UTC by wfink
Modified:	2018-12-03 20:44 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-11-19 17:38:15 UTC
Type:	Bug

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	WFLY-2016	0	Major	Resolved	Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller threa...	2014-01-07 23:58:35 UTC

Description wfink 2013-11-19 16:59:26 UTC

When an @Asynchronous EJB call is performed, the security context is propagated to the thread handling the asynchronous call. When authentication is required in the asynchronous call (e.g. @RolesAllowed) this is handled by the JBossCachedAuthenticationManager. Thus there is usually no call to the LoginModule. However, when the JBossCachedAuthenticationManager has given up the corresponding cache entry, there is a call to the LoginModule. The LoginModule however, cannot access the ServletRequest via the PolicyContext and fails.

We've experienced this behavior in two situation:
- The user logs out, while @Asynchronous call is still running.
- The cache maintained by the JBossCachedAuthenticationManager exceeds it's limits and cached entries are removed.

The expected behaviour is that the original security context (attributes) are copied over to the async invocation and updates to that security context later on in a separate thread shouldn't affect the ongoing async EJB invocation.

Comment 1 wfink 2013-11-19 17:38:15 UTC


*** This bug has been marked as a duplicate of bug 1005093 ***

Note You need to log in before you can comment on or make changes to this bug.