Re: [JBoss-user] JBossRealm Security Bug

2001-05-16 Thread Scott M Stark

Agreed. I'll update it.

- Original Message -
From: "Shotton Mark MMUk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 15, 2001 6:12 AM
Subject: [JBoss-user] JBossRealm Security Bug


> Hello there
>
> There is an omission in the version of org.jboss.tomcat.security.JbossRealm
> that I checked out of CVS from the contrib/tomcat area. The principal and
> credentials propagated from Tomcat are stored in ThreadLocal objects in
> org.jboss.security.SecurityAssociation. However, these ThreadLocal variables
> are never reset to null. So the threads are returned to the pool and can be
> used again with the principal and credentials still set (not very secure!).
>
> The JbossRealm should implement a method to reset the principal and
> credentials to null. I have done this as below:
>



___
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user



RE: [JBoss-user] JBossRealm Security Bug

2001-05-15 Thread Mayo, Eric

Is this fix going to be in the next release of JBoss?   (I don't need to
worry about this yet as our project is far from deployment, but eventually
it will become an issue.)

Eric

-Original Message-
From: Shotton Mark MMUk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 15, 2001 9:13 AM
To: '[EMAIL PROTECTED]'
Subject: [JBoss-user] JBossRealm Security Bug


Hello there

There is an omission in the version of org.jboss.tomcat.security.JbossRealm
that I checked out of CVS from the contrib/tomcat area. The principal and
credentials propagated from Tomcat are stored in ThreadLocal objects in
org.jboss.security.SecurityAssociation. However, these ThreadLocal variables
are never reset to null. So the threads are returned to the pool and can be
used again with the principal and credentials still set (not very secure!).

The JbossRealm should implement a method to reset the principal and
credentials to null. I have done this as below:

package org.jboss.tomcat.security;

import java.security.Principal;
import java.util.Hashtable;

import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;

import org.apache.tomcat.util.SecurityTools;
import org.apache.tomcat.core.BaseInterceptor;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/**
 * This maps Tomcat credentials to jBoss credentials.  It can probably be
 * placed after many other Tomcat realms to map that realm into jBoss.
 * @author <a href="mailto:[EMAIL PROTECTED]">Kevin Lewis</a>
 * @version $Revision: 1.3 $
 *
 * changed imports to reflect new org.jboss.security structure
 * @author <a href="mailto:[EMAIL PROTECTED]">Dewayne McNair</a>
 * @version $Revision: 1.3 $
 *
 */
public class JbossRealm extends BaseInterceptor {

    /** Called by Tomcat once the request has been authenticated: copy the
     *  Tomcat username/password into JBoss's per-thread SecurityAssociation. */
    public int authenticate( Request req, Response response ){
        Hashtable cred = new Hashtable();
        SecurityTools.credentials( req, cred );
        String user = (String) cred.get("username");
        SecurityAssociation.setPrincipal( new SimplePrincipal( user ) );
        String pw = (String) cred.get("password");
        if (null != pw)
            SecurityAssociation.setCredential( pw.toCharArray() );
        return 0;
    }

    /** Called by Tomcat after the response body has been sent: reset the
     *  per-thread principal and credential so the pooled thread does not
     *  carry them into the next request it serves. */
    public int afterBody( Request req, Response response ){
        SecurityAssociation.setPrincipal(null);
        SecurityAssociation.setCredential(null);
        return 0;
    }

}

Mark


Dr M.W. Shotton
MICROMASS UK LIMITED
Floats Road
Wythenshawe
Manchester M23 9LZ
UK

+44 (0) 161 718 4548






[JBoss-user] JBossRealm Security Bug

2001-05-15 Thread Shotton Mark MMUk

Hello there

There is an omission in the version of org.jboss.tomcat.security.JbossRealm
that I checked out of CVS from the contrib/tomcat area. The principal and
credentials propagated from Tomcat are stored in ThreadLocal objects in
org.jboss.security.SecurityAssociation. However, these ThreadLocal variables
are never reset to null. So the threads are returned to the pool and can be
used again with the principal and credentials still set (not very secure!).

The JbossRealm should implement a method to reset the principal and
credentials to null. I have done this as below:

package org.jboss.tomcat.security;

import java.security.Principal;
import java.util.Hashtable;

import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;

import org.apache.tomcat.util.SecurityTools;
import org.apache.tomcat.core.BaseInterceptor;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/**
 * This maps Tomcat credentials to jBoss credentials.  It can probably be
 * placed after many other Tomcat realms to map that realm into jBoss.
 * @author <a href="mailto:[EMAIL PROTECTED]">Kevin Lewis</a>
 * @version $Revision: 1.3 $
 *
 * changed imports to reflect new org.jboss.security structure
 * @author <a href="mailto:[EMAIL PROTECTED]">Dewayne McNair</a>
 * @version $Revision: 1.3 $
 *
 */
public class JbossRealm extends BaseInterceptor {

    /** Called by Tomcat once the request has been authenticated: copy the
     *  Tomcat username/password into JBoss's per-thread SecurityAssociation. */
    public int authenticate( Request req, Response response ){
        Hashtable cred = new Hashtable();
        SecurityTools.credentials( req, cred );
        String user = (String) cred.get("username");
        SecurityAssociation.setPrincipal( new SimplePrincipal( user ) );
        String pw = (String) cred.get("password");
        if (null != pw)
            SecurityAssociation.setCredential( pw.toCharArray() );
        return 0;
    }

    /** Called by Tomcat after the response body has been sent: reset the
     *  per-thread principal and credential so the pooled thread does not
     *  carry them into the next request it serves. */
    public int afterBody( Request req, Response response ){
        SecurityAssociation.setPrincipal(null);
        SecurityAssociation.setCredential(null);
        return 0;
    }

}

Mark


Dr M.W. Shotton
MICROMASS UK LIMITED
Floats Road
Wythenshawe
Manchester M23 9LZ
UK

+44 (0) 161 718 4548



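The failure mode this thread describes, a per-thread SecurityAssociation that survives the request and is inherited by whatever the pooled worker thread serves next, is easy to reproduce outside the container. The following is an added, stand-alone Java example, not code from JBoss or Tomcat: its SecurityAssociation, Request and handler classes are simplified stand-ins I constructed for the demonstration, and its single-worker executor plays the role of Tomcat's thread pool. Running it with a "leaky" handler that only sets the association shows the anonymous second request being served as the first request's principal; the "fixed" handler clears the association in a finally block, which also covers the case the posted afterBody hook does not, namely a request that throws before the after-body hook is reached.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

/** Added example: ThreadLocal security state leaking across a thread pool, and its fix. */
public class ThreadLocalLeakDemo {

    /** Stand-in (constructed for this example) for org.jboss.security.SecurityAssociation. */
    static final class SecurityAssociation {
        private static final ThreadLocal<String> principal = new ThreadLocal<>();
        private static final ThreadLocal<char[]> credential = new ThreadLocal<>();

        static void setPrincipal(String p)   { principal.set(p); }
        static String getPrincipal()         { return principal.get(); }
        static void setCredential(char[] c)  { credential.set(c); }

        /** Scrub the password copy, then drop both values from this thread. */
        static void clear() {
            char[] c = credential.get();
            if (c != null) Arrays.fill(c, '\0');
            principal.remove();
            credential.remove();
        }
    }

    /** Constructed request: user == null means the request carried no credentials. */
    static final class Request {
        final String user;
        final String password;
        Request(String user, String password) { this.user = user; this.password = password; }
    }

    /** The protected resource reports who the current thread believes is calling. */
    static String serve() {
        String p = SecurityAssociation.getPrincipal();
        return p == null ? "anonymous" : p;
    }

    /** Leaky handler: mirrors the original bug, the association is set but never reset. */
    static String handleLeaky(Request req) {
        if (req.user != null) {
            SecurityAssociation.setPrincipal(req.user);
            SecurityAssociation.setCredential(req.password.toCharArray());
        }
        return serve();
    }

    /** Fixed handler: the association is cleared on every exit path, including exceptions. */
    static String handleFixed(Request req) {
        try {
            if (req.user != null) {
                SecurityAssociation.setPrincipal(req.user);
                SecurityAssociation.setCredential(req.password.toCharArray());
            }
            return serve();
        } finally {
            SecurityAssociation.clear();
        }
    }

    /**
     * Push an authenticated request and then an anonymous one through a pool with a
     * single worker, so the second request is guaranteed to reuse the first one's thread.
     */
    static List<String> run(boolean fixed) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1);
        List<String> principalsSeen = new ArrayList<>();
        Request[] requests = { new Request("alice", "s3cret"), new Request(null, null) };
        try {
            for (Request r : requests) {
                principalsSeen.add(pool.submit(() -> fixed ? handleFixed(r) : handleLeaky(r)).get());
            }
        } finally {
            pool.shutdown();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
        return principalsSeen;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky handler, principals seen per request: " + run(false));
        System.out.println("fixed handler, principals seen per request: " + run(true));
    }
}
```

The same reasoning applies to the interceptor in the posted patch: clearing in afterBody (or Tomcat's end-of-request hook) is the right place, but any path that leaves the request before that hook fires, for instance an exception thrown while the body is being generated, should also reach the clearing code, which is why the example wraps the whole request in try/finally and removes rather than merely nulls the ThreadLocal values.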