[jboss-user] [Security JAAS/JBoss] - Re: Concurrency bug in JaasSecurityManager
Version details please.

View the original post : http://www.jboss.com/index.html?module=bbop=viewtopicp=3992418#3992418
Reply to the post : http://www.jboss.com/index.html?module=bbop=postingmode=replyp=3992418
___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
[jboss-user] [Security JAAS/JBoss] - Re: Concurrency bug in JaasSecurityManager
Also note that there is no reliance on shared subjects in the server post 4.0.3SP1 so the details of where you believe a shared subject is in use are needed.
[jboss-user] [Security JAAS/JBoss] - Re: Concurrency bug in JaasSecurityManager
[EMAIL PROTECTED] wrote:
> Also note that there is no reliance on shared subjects in the server post 4.0.3SP1 so the details of where you believe a shared subject is in use are needed.

Strange, I'm using jboss-4.0.5.GA (build from source package). It definitely relies on shared subjects. The version tag from JaasSecurityManager.java:

    @version $Revision: 57203 $

BTW, there's also another small bug in JaasSecurityManager.java - no check for null 'domainCache' in getPrincipal() method.
[jboss-user] [Security JAAS/JBoss] - Re: Concurrency bug in JaasSecurityManager
And the usage that results in the shared subject is? When a jboss security aspect authenticates against the security manager, it obtains a copy of the subject and uses that for subsequent authorization checks.
[jboss-user] [Security JAAS/JBoss] - Re: Concurrency bug in JaasSecurityManager
It doesn't perform deep copy of Subjects, so the copied subject shares its role collection with the original subject. Deep copy is controlled by the flag which is never set to 'true':

    /** The flag to indicate that the Subject sets need to be deep copied*/
    private boolean deepCopySubjectOption = false;
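The difference between a shallow and a deep Subject copy described in the post above, as an added example that is not part of the thread and not JBoss source code. `RoleGroup`, `shallowCopy`, `deepCopy` and `hasRole` are hypothetical names standing in for a mutable role-group principal and the two copy modes.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;

public class SharedSubjectDemo {
    // Hypothetical stand-in for a mutable "Roles" group principal (assumption, not a JBoss class).
    static final class RoleGroup implements Principal {
        private final String name;
        final Set<String> members = ConcurrentHashMap.newKeySet();
        RoleGroup(String name, String... roles) { this.name = name; Collections.addAll(members, roles); }
        RoleGroup(RoleGroup other) { this.name = other.name; members.addAll(other.members); }
        @Override public String getName() { return name; }
    }

    // Shallow copy: a new Subject that holds the SAME principal objects as the source.
    static Subject shallowCopy(Subject from) {
        Subject to = new Subject();
        to.getPrincipals().addAll(from.getPrincipals());
        return to;
    }

    // Deep copy: every role group is duplicated, so the copy owns its own role set.
    static Subject deepCopy(Subject from) {
        Subject to = new Subject();
        for (Principal p : from.getPrincipals()) {
            to.getPrincipals().add(p instanceof RoleGroup ? new RoleGroup((RoleGroup) p) : p);
        }
        return to;
    }

    static boolean hasRole(Subject s, String role) {
        return s.getPrincipals(RoleGroup.class).stream().anyMatch(g -> g.members.contains(role));
    }

    public static void main(String[] args) {
        // Constructed sample data: a cached subject holding a single role.
        Subject cached = new Subject();
        cached.getPrincipals().add(new RoleGroup("Roles", "user"));

        Subject shallow = shallowCopy(cached);
        Subject deep = deepCopy(cached);

        // Simulates another request changing the cached subject's roles after the copies were handed out.
        cached.getPrincipals(RoleGroup.class).iterator().next().members.add("admin");

        System.out.println("shallow copy has admin: " + hasRole(shallow, "admin"));
        System.out.println("deep copy has admin:    " + hasRole(deep, "admin"));
    }
}
```

The shallow copy follows every later change to the cached role group because both subjects reference the same object, while the deep copy keeps the roles it had when it was made.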
[jboss-user] [Security JAAS/JBoss] - Re: Concurrency bug in JaasSecurityManager
You need to set the DeepCopySubjectMode to true on the org.jboss.security.plugins.JaasSecurityManagerService in conf/jboss-service.xml.
[jboss-user] [Security JAAS/JBoss] - Re: Concurrency bug in JaasSecurityManager
Yes, that solves the problem. I was worried that this setting can break something subtle (because it is undocumented). So I chose to ask here.