Security Hole Created by MDB Deployment
---------------------------------------

         Key: JBAS-1320
         URL: http://jira.jboss.com/jira/browse/JBAS-1320
     Project: JBoss Application Server
        Type: Bug
  Components: Security  
    Versions: JBossAS-3.2.6 Final    
    Reporter: eugene75
 Assigned to: Scott M Stark 


During the deployment of a message driven bean, the container creates a 
connection to the message queue using the user/pwd provided by the deployment 
descriptor. The authenticated subject created by this operation is bound to the 
current thread (via the security association class) using a ThreadLocal. 

The thread that deploys components existing in the deploy directory at startup 
is the "main" thread. This means that the "main" thread has a security 
association. This security association (meaning the Subject bound to the thread 
by a ThreadLocal) is then copied to every other thread created by JBoss, 
including the HTTP processor threads, class loader threads, etc. 

The very first time the application is accessed using one of the HTTP processor 
threads, it has the security association created by the jms login. Once the 
processor thread has processed one request, the security association is cleared 
and functions normally. 

A partial workaround is to not deploy the MDBs until after JBoss has finished 
starting up. This prevents the jms-connection user security association from 
being inherited by the HTTP processor threads. 
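The inheritance path described in the report, as an added illustration (this is not JBoss code and the real security association class is not reproduced here): it assumes the thread-to-child copying comes from an InheritableThreadLocal, shows the deploying "main" thread's principal appearing in a worker's first request, and shows that clearing the association on the deploying thread before any worker is created leaves nothing to inherit.

```java
import java.util.concurrent.atomic.AtomicReference;

// Simplified stand-in for a container's security association (assumption: the
// inheritance in the report is the behaviour of InheritableThreadLocal, which
// copies the parent thread's value into every thread the parent creates).
public class SecurityAssociationLeak {
    private static final InheritableThreadLocal<String> PRINCIPAL =
            new InheritableThreadLocal<>();

    // Deploying an MDB opens a JMS connection with the descriptor's user/pwd and
    // leaves the authenticated principal bound to the deploying thread.
    static void deployMdb(String jmsUser) {
        PRINCIPAL.set(jmsUser);
    }

    // Starts a worker (think: HTTP processor thread) and returns the principal it
    // sees on its very first request, before it clears its own association.
    static String firstRequestPrincipal() throws InterruptedException {
        AtomicReference<String> seen = new AtomicReference<>();
        Thread worker = new Thread(() -> {
            seen.set(PRINCIPAL.get());  // value copied from the creating thread
            PRINCIPAL.remove();         // cleared once the request is handled
        });
        worker.start();
        worker.join();
        return seen.get();
    }

    public static void main(String[] args) throws InterruptedException {
        deployMdb("jms-user");   // constructed sample user; "main" deploys at startup
        System.out.println("worker inherited: " + firstRequestPrincipal());

        // Defensive pattern: drop the association on the deploying thread before it
        // spawns any other thread, so there is nothing for workers to inherit.
        PRINCIPAL.remove();
        System.out.println("worker after clearing: " + firstRequestPrincipal());
    }
}
```

A container that must keep the association for its own work should instead create worker threads from a thread that never carried it, which is the effect of the report's workaround of deploying the MDBs after startup.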


-- 
This message is automatically generated by JIRA.



_______________________________________________
JBoss-Development mailing list
JBoss-Development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-development