Description of problem:
When running BPMS/BRMS with the Java Security Manager enabled, the following ERROR is thrown upon logging out of business-central:

ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/business-central].[jsp]] (http-localhost/127.0.0.1:8080-6) JBWEB000236: Servlet.service() for servlet jsp threw exception: java.lang.SecurityException: attempting to add an object which is not an instance of java.security.Principal to a Subject's Principal Set
	at javax.security.auth.Subject$SecureSet.add(Subject.java:1086) [rt.jar:1.7.0_45]
	at java.util.Collections$SynchronizedCollection.add(Collections.java:1636) [rt.jar:1.7.0_45]
	at org.apache.catalina.connector.Request.setUserPrincipal(Request.java:2059) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
	at org.apache.catalina.authenticator.AuthenticatorBase.unregister(AuthenticatorBase.java:730) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
	at org.apache.catalina.authenticator.AuthenticatorBase.logout(AuthenticatorBase.java:356) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
	at org.apache.catalina.connector.Request.logout(Request.java:3265) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
	at org.apache.catalina.connector.RequestFacade.logout(RequestFacade.java:1019) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
	at org.apache.jsp.logout_jsp._jspService(logout_jsp.java:68)

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Install BPMS/BRMS 6.1.0 with the installer, enable the Security Manager
2. Start the server, log into business-central
3. Log out of business-central

Actual results:
ERROR when logging out

Expected results:
No errors upon logging out

Additional info:
Further debugging shows that there are redundant calls to request.logout(): one defined in business-central/logout.jsp, and another one in uberfire code:
https://github.com/uberfire/uberfire-extensions/blob/0.5.3.Final/uberfire-security/uberfire-servlet-security/src/main/java/org/uberfire/ext/security/server/ServletSecurityAuthenticationService.java#L82

This can be traced with byteman. Before logging out, attach byteman with the following script:

# =======================================================================
RULE Request.setUserPrincipal
CLASS ^org.apache.catalina.connector.Request
METHOD setUserPrincipal(Principal)
AT ENTRY
BIND cl:Object = $0
IF TRUE
DO System.out.println("[BYTEMAN==>] " + cl.getClass().getName() + " ==> " + Thread.currentThread().getName() + " setUserPrincipal(" + $1 + ") called ");
   traceStack();
ENDRULE
# =======================================================================

This will show the 2 logout calls:

1. From uberfire:

14:28:14,870 INFO [stdout] (http-localhost/127.0.0.1:8080-4) [BYTEMAN==>] org.apache.catalina.connector.Request ==> http-localhost/127.0.0.1:8080-4 setUserPrincipal(null) called
14:28:14,874 INFO [stdout] (http-localhost/127.0.0.1:8080-4) Stack trace for thread http-localhost/127.0.0.1:8080-4
14:28:14,875 INFO [stdout] (http-localhost/127.0.0.1:8080-4) org.apache.catalina.connector.Request.setUserPrincipal(Request.java:-1)
14:28:14,875 INFO [stdout] (http-localhost/127.0.0.1:8080-4) org.apache.catalina.authenticator.AuthenticatorBase.unregister(AuthenticatorBase.java:730)
14:28:14,875 INFO [stdout] (http-localhost/127.0.0.1:8080-4) org.apache.catalina.authenticator.AuthenticatorBase.logout(AuthenticatorBase.java:356)
14:28:14,876 INFO [stdout] (http-localhost/127.0.0.1:8080-4) org.apache.catalina.connector.Request.logout(Request.java:3265)
14:28:14,876 INFO [stdout] (http-localhost/127.0.0.1:8080-4) org.apache.catalina.connector.RequestFacade.logout(RequestFacade.java:1019)
14:28:14,877 INFO [stdout] (http-localhost/127.0.0.1:8080-4) org.uberfire.ext.security.server.ServletSecurityAuthenticationService.logout(ServletSecurityAuthenticationService.java:82)

2. From logout.jsp:

14:28:16,270 INFO [stdout] (http-localhost/127.0.0.1:8080-6) [BYTEMAN==>] org.apache.catalina.connector.Request ==> http-localhost/127.0.0.1:8080-6 setUserPrincipal(null) called
14:28:16,274 INFO [stdout] (http-localhost/127.0.0.1:8080-6) Stack trace for thread http-localhost/127.0.0.1:8080-6
14:28:16,275 INFO [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.catalina.connector.Request.setUserPrincipal(Request.java:-1)
14:28:16,276 INFO [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.catalina.authenticator.AuthenticatorBase.unregister(AuthenticatorBase.java:730)
14:28:16,276 INFO [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.catalina.authenticator.AuthenticatorBase.logout(AuthenticatorBase.java:356)
14:28:16,277 INFO [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.catalina.connector.Request.logout(Request.java:3265)
14:28:16,277 INFO [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.catalina.connector.RequestFacade.logout(RequestFacade.java:1019)
14:28:16,277 INFO [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.jsp.logout_jsp._jspService(logout_jsp.java:68)

Without the security manager enabled, the Request.setUserPrincipal invocation is (almost) a no-op, therefore the issue only shows up with JSM enabled.
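As an added illustration (not part of this bug report, and not BPMS, JBoss Web or uberfire code): the stack trace above shows Request.setUserPrincipal(null) ending in Subject$SecureSet.add, and that set rejects anything that is not a Principal, null included. The first method below reproduces that behaviour on a plain javax.security.auth.Subject with no container involved. The second is a hypothetical logout helper that only calls request.logout() while a principal is still attached, so a second caller in the same logout flow becomes a no-op instead of pushing null into the Subject; it assumes javax.servlet-api on the classpath, and it is a defensive pattern, not a substitute for removing one of the two redundant request.logout() calls.

```java
// Added example, not code from the bug report or the projects it names.
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

public class IdempotentLogout {

    /**
     * Mirrors what the container does on setUserPrincipal under the Security
     * Manager: the principal is added to a javax.security.auth.Subject.
     * Subject.getPrincipals() is a SecureSet whose add() throws
     * SecurityException for any object that is not a Principal, and null is
     * not an instance of anything, so a null principal can never be mirrored.
     */
    static boolean canMirrorIntoSubject(Principal principal) {
        Subject subject = new Subject();
        try {
            subject.getPrincipals().add(principal);
            return true;
        } catch (SecurityException notAPrincipal) {
            return false;
        }
    }

    /**
     * Hypothetical helper: log out only if there is still a principal to log
     * out. Assumption: after the first request.logout() the container no
     * longer reports a principal, so a second invocation (from another JSP,
     * filter or framework hook) skips the call rather than repeating it.
     * Returns true when request.logout() was actually invoked.
     */
    static boolean logoutOnce(HttpServletRequest request) throws ServletException {
        if (request.getUserPrincipal() == null) {
            return false;   // already logged out (or never authenticated)
        }
        request.logout();
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample principal; Java 7 style anonymous class.
        Principal alice = new Principal() {
            @Override
            public String getName() {
                return "alice";
            }
        };
        System.out.println("add(alice) accepted: " + canMirrorIntoSubject(alice));
        System.out.println("add(null)  accepted: " + canMirrorIntoSubject(null));
    }
}
```

Compile with javax.servlet-api on the classpath (javac -cp javax.servlet-api.jar IdempotentLogout.java) and run the main method with or without -Djava.security.manager: the SecureSet check does not depend on a Security Manager being installed, which is why the report's observation that the error only appears with JSM enabled points at the container's setUserPrincipal path, not at the Subject itself.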
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days