1157472 – [GSS] (6.3.z) EJB3 Web Service returns Invalid User on parallel invocations

Bug 1157472 - [GSS] (6.3.z) EJB3 Web Service returns Invalid User on parallel invocations

Summary: [GSS] (6.3.z) EJB3 Web Service returns Invalid User on parallel invocations

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Web Services
Sub Component:
Version:	6.3.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	CR1
Target Release:	EAP 6.3.3
Assignee:	baranowb
QA Contact:	Rostislav Svoboda
Docs Contact:
URL:
Whiteboard:
Depends On:	1157482
Blocks:	eap633-payload 1157539 1173484
TreeView+	depends on / blocked

Reported:	2014-10-27 10:14 UTC by Mustafa Musaji
Modified:	2019-08-19 12:42 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1157482 (view as bug list)
Environment:
Last Closed:	2019-08-19 12:42:56 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	JBWS-3843	0	Critical	Closed	Username Token Digest Authentication failure with EJB3 endpoints	2018-11-06 11:53:32 UTC

Description Mustafa Musaji 2014-10-27 10:14:24 UTC

Description of problem:

EJB3 Web Service using username token for authentication fails when you load test it with parallel invocations. See attached reproducer.

See upstream JIRA https://issues.jboss.org/browse/JBWS-3843

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 JBoss JIRA Server 2014-10-30 16:13:24 UTC

Alessio Soldano <asoldano> updated the status of jira JBWS-3843 to Resolved

Comment 7 Rostislav Svoboda 2014-12-16 12:54:49 UTC

Nacking because this fix need upgraded PicketBox with 2 fixes tracked in BZ 1173493 and BZ 1173492. Both these BZs are DEV NACKED.
For this reason I must nack this BZ.

Comment 8 Rostislav Svoboda 2014-12-18 11:22:02 UTC

Acking - based on https://bugzilla.redhat.com/show_bug.cgi?id=1157479#c18
Jim Ma has workaround in WS codebase to be safe even without PicketBox upgrade.

Comment 13 Dominik Pospisil 2015-01-07 14:53:00 UTC

Both

https://issues.jboss.org/browse/SECURITY-868 https://issues.jboss.org/browse/SECURITY-866

are fixed in Picketbox 4.0.19.SP9.

Comment 14 Rostislav Svoboda 2015-01-19 13:03:03 UTC

Verified on EAP 6.3.3 ER1.

Endpoint tested with 130 threads.

Comment 15 JBoss JIRA Server 2015-04-25 20:26:48 UTC

Alessio Soldano <asoldano> updated the status of jira JBWS-3843 to Closed

Note You need to log in before you can comment on or make changes to this bug.