Is this fix going to be in the next release of JBoss?   (I don't need to
worry about this yet as our project is far from deployment, but eventually
it will become an issue.)

Eric

-----Original Message-----
From: Shotton Mark MMUk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 15, 2001 9:13 AM
To: '[EMAIL PROTECTED]'
Subject: [JBoss-user] JBossRealm Security Bug


Hello there

There is an omission in the version of org.jboss.tomcat.security.JbossRealm
that I checked out of CVS from the contrib/tomcat area. The principal and
credentials propagated from Tomcat are stored in ThreadLocal objects in
org.jboss.security.SecurityAssociation. However these ThreadLocal variables
are never reset to null. So the threads are returned to the pool and can be
used again with the principal and credentials still set (not very secure!).

The JbossRealm should implement a method to reset the principal and
credentials to null. I have done this as below:

package org.jboss.tomcat.security;

import java.security.Principal;
import java.util.Hashtable;

import org.apache.tomcat.core.BaseInterceptor;
import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;
import org.apache.tomcat.util.SecurityTools;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/**
 * This maps Tomcat credentials to jBoss credentials.  It can probably be
 * placed after many other Tomcat realms to map that realm into jBoss.
 * @author <a href="mailto:[EMAIL PROTECTED]">Kevin Lewis</a>
 * @version $Revision: 1.3 $
 *
 * changed imports to reflect new org.jboss.security structure
 * @author <a href="mailto:[EMAIL PROTECTED]">Dewayne McNair</a>
 * @version $Revision: 1.3 $
 *
 */
public class JbossRealm extends BaseInterceptor {

    /** Copies the principal and password Tomcat has already established
     *  into the JBoss thread-local SecurityAssociation for this request. */
    public int authenticate( Request req, Response response ){
        Hashtable cred = new Hashtable();
        SecurityTools.credentials( req, cred );
        String user = (String)cred.get("username");
        SecurityAssociation.setPrincipal( new SimplePrincipal( user ) );
        String pw = (String)cred.get("password");
        if (null != pw)
            SecurityAssociation.setCredential( pw.toCharArray() );
        return 0;
    }

    /** Clears the thread-local principal and credential once the response
     *  body has been sent, so the pooled thread does not carry them into
     *  the next request it services. */
    public int afterBody( Request req, Response response ){
        SecurityAssociation.setPrincipal(null);
        SecurityAssociation.setCredential(null);
        return 0;
    }

}

Mark


Dr M.W. Shotton
MICROMASS UK LIMITED
Floats Road
Wythenshawe
Manchester M23 9LZ
UK

+44 (0) 161 718 4548



_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
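The thread-pool reuse Mark describes, reproduced as an added example that is not part of the original post or of JBoss. `ThreadBoundPrincipal` and `StaleThreadLocalDemo` are hypothetical names: the first stands in for `org.jboss.security.SecurityAssociation` (a ThreadLocal holding the caller identity), and a single-thread executor plays the Tomcat worker pool so that the second request is guaranteed to land on the thread the first one used.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Hypothetical stand-in for org.jboss.security.SecurityAssociation:
 *  the caller identity lives in a ThreadLocal, exactly the pattern at issue. */
final class ThreadBoundPrincipal {
    private static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();

    static void set(String name) { PRINCIPAL.set(name); }
    static String get()          { return PRINCIPAL.get(); }
    static void clear()          { PRINCIPAL.remove(); }
}

public class StaleThreadLocalDemo {

    /**
     * Simulates one request serviced by a pooled worker thread.
     * authenticatedUser == null means the request carried no credentials.
     * resetAfterwards == false mirrors the original JbossRealm (set, never cleared);
     * resetAfterwards == true mirrors the afterBody() fix, done here in a finally
     * block so the reset also happens when the request body throws.
     * Returns the identity the request body would have run as.
     */
    static String principalSeenByRequest(String authenticatedUser, boolean resetAfterwards) {
        if (authenticatedUser != null) {
            ThreadBoundPrincipal.set(authenticatedUser);
        }
        try {
            // The request body reads the caller identity from the thread-local,
            // just as JBoss components read SecurityAssociation.getPrincipal().
            return ThreadBoundPrincipal.get();
        } finally {
            if (resetAfterwards) {
                ThreadBoundPrincipal.clear();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so request 2 is certain to reuse request 1's thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Leaky variant: an authenticated request followed by an anonymous one.
            pool.submit(() -> principalSeenByRequest("alice", false)).get();
            String leaked = pool.submit(() -> principalSeenByRequest(null, false)).get();
            System.out.println("no reset  -> anonymous request runs as: " + leaked);

            // Scrub the worker before the second scenario so the comparison is fair.
            pool.submit(() -> { ThreadBoundPrincipal.clear(); return null; }).get();

            // Fixed variant: the same two requests, with the thread-local reset after each.
            pool.submit(() -> principalSeenByRequest("alice", true)).get();
            String clean = pool.submit(() -> principalSeenByRequest(null, true)).get();
            System.out.println("with reset -> anonymous request runs as: " + clean);
        } finally {
            pool.shutdown();
        }
    }
}
```

Compile and run it as `StaleThreadLocalDemo.java`. Without the reset, the anonymous second request inherits the first request's principal from the recycled worker thread; with the reset it sees no principal at all. Two points worth keeping in mind when applying the afterBody() fix: an interceptor hook that only runs on the normal response path will not fire if processing aborts early, which is why the example clears in a finally block, and the same scrubbing is needed for the credential (the password char array), not just the principal.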

