1219778 – [GSS](6.4.z) Fix for SECURITY-868 breaks flush-cache capability

Bug 1219778 - [GSS](6.4.z) Fix for SECURITY-868 breaks flush-cache capability

Summary: [GSS](6.4.z) Fix for SECURITY-868 breaks flush-cache capability

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Security
Sub Component:
Version:	6.4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	CR1
Target Release:	EAP 6.4.5
Assignee:	Ivo Studensky
QA Contact:	Josef Cacek
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1230308 1235745 1255390 1259278 1274071
TreeView+	depends on / blocked

Reported:	2015-05-08 08:38 UTC by Hisanobu Okuda
Modified:	2019-09-12 08:26 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1230308 (view as bug list)
Environment:
Last Closed:	2017-01-17 11:37:26 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
reproducer.tar.gz (5.72 KB, application/x-gzip) 2015-05-12 04:56 UTC, Hisanobu Okuda	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1181084	unspecified	CLOSED	(6.4.0) Multithread issue when validate with cached hased password + nonce credential info from JBossCachedAuthenticatio...	2021-02-22 00:41:40 UTC
Red Hat Issue Tracker	SECURITY-868	Major	Reopened	Multithread issue when validate with cached hased password + nonce credential info from JBossCachedAuthenticationManage...	2018-05-15 10:31:31 UTC
Red Hat Issue Tracker	SECURITY-882	Major	Resolved	Fix for SECURITY-868 breaks flush-cache capability	2018-05-15 10:31:31 UTC
Red Hat Issue Tracker	SECURITY-888	Major	Reopened	Revert changes made in SECURITY-868	2018-05-15 10:31:31 UTC

Internal Links: 1181084

Description Hisanobu Okuda 2015-05-08 08:38:20 UTC

Description of problem:
The member field ThreadLocal<CompoundInfo> validatedDomainInfo was introduced for the fix of SECURITY-868. When you are authenticated, a valid security info is stored in the field thread-locally. Then, you flushes the JAAS cache via CLI or API in another thread, org.jboss.security.authentication.JBossCachedAuthenticationManager.flushCache() is invoked, but validatedDomainInfo is not flushed properly, since it is ThreadLocal. As a result, a cached security info is re-used unexpectedly.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Hisanobu Okuda 2015-05-12 04:56:40 UTC

Created attachment 1024453 [details]
reproducer.tar.gz

Comment 2 JBoss JIRA Server 2015-05-21 07:07:51 UTC

Ivo Studensky <istudens> updated the status of jira SECURITY-882 to Resolved

Comment 3 JBoss JIRA Server 2015-05-21 07:09:46 UTC

Ivo Studensky <istudens> updated the status of jira SECURITY-868 to Reopened

Comment 10 Petr Penicka 2017-01-17 11:37:26 UTC

Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Note You need to log in before you can comment on or make changes to this bug.