Bugs item #1054942, was opened at 2004-10-26 17:54
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=376685&aid=1054942&group_id=22866
Category: JBossSX
Group: v4.0
Status: Open
Resolution: None
Priority: 5
Submitted By: Stephen Kinser (skinser)
Assigned to: Nobody/Anonymous (nobody)
Summary: Setting flushOnSessionInvalidation to true doesn't work

Initial Comment:
Setting flushOnSessionInvalidation to true in the jboss-web.xml file doesn't result in the authentication cache being flushed. This is due to a defect in the invoke method of the SecurityAssociationValve class. This method flushes the authentication cache if the catalina session isn't null and is no longer valid (see the source code lines between 178 and 201). The problem occurs because the catalina session variable in the invoke method is always null, unless httpRequest.getUserPrincipal() returns null or the value returned is not an instance of a JBossGenericPrincipal (see the source code lines between 118 and 127). I've included a code snippet below. If an authentication cache needs to be invalidated, the user principal won't be null and will be a JBossGenericPrincipal; therefore the catalina session variable won't ever be initialized and the authentication cache is never flushed by the SecurityAssociationValve.

To assist in reproducing this problem, I've included a webappb.zip. I wrote a web application that has a form that, when submitted, writes a new SimplePrincipal to the Subject obtained off of the request attribute (j_subject). I understand that web applications don't normally modify the subject directly, but this is probably the easiest way to reproduce this problem.

To reproduce, freshly install JBoss 4.0.0 and install the tomcat50-service.jar patch, and unzip the webappb.zip file. Start the default JBoss server and open a browser to http://localhost:8080/webappb/index.jsp. Authenticate as admin with a password of test. You'll be taken to the main page, but you'll need to refresh the page to get the Subject populated due to defect 1040200. Specify any name in the field and submit the form to add a principal to the subject.
Note that the subject has the principal added to the end of its string representation. Now, log out and log back in. After logging in as the same user and refreshing the page (due to defect 1040200), you'll see the same subject with the principal that was added before. If the flushOnSessionInvalidation had worked, the principal shouldn't be there.

Appendix
==========================

Source code lines 118 through 127
---------------------------------

    if (caller == null || (caller instanceof JBossGenericPrincipal) == false)
    {
        // Look to the session for the active caller security context
        HttpSession hsession = httpRequest.getSession(false);
        Manager manager = container.getManager();
        if (manager != null && hsession != null)
        {
            try
            {
                session = manager.findSession(hsession.getId());
            }
            catch (IOException ignore)
            {
            }
        }

Source code lines 178 through 201
---------------------------------

    if( secMgrService != null && session != null && session.isValid() == false
        && metaData.isFlushOnSessionInvalidation() == true )
    {
        Principal user = httpRequest.getUserPrincipal();
        if( user != null )
        {
            String securityDomain = metaData.getSecurityDomain();
            if (trace)
            {
                log.trace("Session is invalid, security domain: "+securityDomain +", user="+user);
            }
            try
            {
                secMgrService.flushAuthenticationCache(securityDomain, user);
            }
            catch(Exception e)
            {
                log.debug("Failed to flush auth cache", e);
            }
        }
    }
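As an added illustration (not code from the bug report or from JBoss), the following Java model reproduces the control flow the report describes using hypothetical stand-in classes for JBossGenericPrincipal, the Catalina session and the security manager service: looking the session up only inside the caller-type guard means a logged-in JBossGenericPrincipal never reaches the flush, while looking it up for every caller (a hypothetical restructuring, not the project's fix) lets the guard at lines 178-201 fire.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
// Hypothetical stand-ins for the Catalina/JBoss types the report names; not the real classes.
class JBossGenericPrincipal implements Principal {
    private final String name;
    JBossGenericPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}
class CatalinaSession {
    private final boolean valid;
    CatalinaSession(boolean valid) { this.valid = valid; }
    boolean isValid() { return valid; }
}
// Records flushAuthenticationCache calls so we can see whether the valve ever issued one.
class SecurityManagerStub {
    final List<String> flushed = new ArrayList<>();
    void flushAuthenticationCache(String domain, Principal user) { flushed.add(domain + ":" + user.getName()); }
}
public class ValveFlushModel {
    // Mirrors the reported control flow (source lines 118-127): the session is looked up only when
    // the caller is null or not a JBossGenericPrincipal, so it stays null for a logged-in user.
    static boolean buggyInvoke(Principal caller, CatalinaSession found, boolean flush, SecurityManagerStub sec) {
        CatalinaSession session = null;
        if (caller == null || !(caller instanceof JBossGenericPrincipal)) {
            session = found; // stands in for manager.findSession(hsession.getId())
        }
        return flushIfInvalid(caller, session, flush, sec);
    }
    // Hypothetical restructuring (not the project's fix): resolve the session for every caller.
    static boolean restructuredInvoke(Principal caller, CatalinaSession found, boolean flush, SecurityManagerStub sec) {
        return flushIfInvalid(caller, found, flush, sec);
    }
    // Same guard as source lines 178-201: flush only for a known, already-invalidated session.
    static boolean flushIfInvalid(Principal user, CatalinaSession session, boolean flush, SecurityManagerStub sec) {
        if (sec == null || session == null || session.isValid() || !flush || user == null) {
            return false;
        }
        sec.flushAuthenticationCache("other", user); // "other" is a placeholder security domain
        return true;
    }
    public static void main(String[] args) {
        Principal admin = new JBossGenericPrincipal("admin");     // constructed sample caller
        CatalinaSession invalidated = new CatalinaSession(false); // the session after logout
        SecurityManagerStub sec = new SecurityManagerStub();
        System.out.println("buggy path flushed: " + buggyInvoke(admin, invalidated, true, sec));
        System.out.println("restructured path flushed: " + restructuredInvoke(admin, invalidated, true, sec));
        System.out.println("flush calls recorded: " + sec.flushed);
    }
}
```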
