Re: [JBoss-user] JBossRealm Security Bug
Agreed. I'll update it.

----- Original Message -----
From: "Shotton Mark MMUk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 15, 2001 6:12 AM
Subject: [JBoss-user] JBossRealm Security Bug

> Hello there
>
> There is an omission in the version of org.jboss.tomcat.security.JbossRealm
> that I checked out of CVS from the contrib/tomcat area. The principal and
> credentials propagated from Tomcat are stored in ThreadLocal objects in
> org.jboss.security.SecurityAssociation. However these ThreadLocal variables
> are never reset to null. So the threads are returned to the pool and can be
> used again with the principal and credentials still set (not very secure!).
>
> The JbossRealm should implement a method to reset the principal and
> credentials to null. I have done this as below:
>

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
RE: [JBoss-user] JBossRealm Security Bug
Is this fix going to be in the next release of JBoss? (I don't need to worry about this yet as our project is far from deployment, but eventually it will become an issue.)

Eric

-----Original Message-----
From: Shotton Mark MMUk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 15, 2001 9:13 AM
To: '[EMAIL PROTECTED]'
Subject: [JBoss-user] JBossRealm Security Bug

Hello there

There is an omission in the version of org.jboss.tomcat.security.JbossRealm
that I checked out of CVS from the contrib/tomcat area. The principal and
credentials propagated from Tomcat are stored in ThreadLocal objects in
org.jboss.security.SecurityAssociation. However these ThreadLocal variables
are never reset to null. So the threads are returned to the pool and can be
used again with the principal and credentials still set (not very secure!).

The JbossRealm should implement a method to reset the principal and
credentials to null. I have done this as below:

package org.jboss.tomcat.security;

import java.security.Principal;
import java.util.Hashtable;

import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;
import org.apache.tomcat.util.SecurityTools;
import org.apache.tomcat.core.BaseInterceptor;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/**
 * This maps Tomcat credentials to jBoss credentials. It can probably be placed after
 * many other Tomcat realms to map that realm into jBoss.
 * @author <a href="mailto:[EMAIL PROTECTED]">Kevin Lewis</a>
 * @version $Revision: 1.3 $
 *
 * changed imports to reflect new org.jboss.security structure
 * @author <a href="mailto:[EMAIL PROTECTED]">Dewayne McNair</a>
 * @version $Revision: 1.3 $
 *
 */
public class JbossRealm extends BaseInterceptor {

    public int authenticate( Request req, Response response ){
        Hashtable cred=new Hashtable();
        SecurityTools.credentials( req, cred );
        String user=(String)cred.get("username");
        SecurityAssociation.setPrincipal( new SimplePrincipal( user ) );
        String pw=(String)cred.get("password");
        if (null != pw)
            SecurityAssociation.setCredential( pw.toCharArray() );
        return 0;
    }

    public int afterBody( Request req, Response response ){
        SecurityAssociation.setPrincipal(null);
        SecurityAssociation.setCredential(null);
        return 0;
    }
}

Mark

Dr M.W. Shotton
MICROMASS UK LIMITED
Floats Road
Wythenshawe
Manchester
M23 9LZ
UK
+44 (0) 161 718 4548
[JBoss-user] JBossRealm Security Bug
Hello there

There is an omission in the version of org.jboss.tomcat.security.JbossRealm
that I checked out of CVS from the contrib/tomcat area. The principal and
credentials propagated from Tomcat are stored in ThreadLocal objects in
org.jboss.security.SecurityAssociation. However these ThreadLocal variables
are never reset to null. So the threads are returned to the pool and can be
used again with the principal and credentials still set (not very secure!).

The JbossRealm should implement a method to reset the principal and
credentials to null. I have done this as below:

package org.jboss.tomcat.security;

import java.security.Principal;
import java.util.Hashtable;

import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;
import org.apache.tomcat.util.SecurityTools;
import org.apache.tomcat.core.BaseInterceptor;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/**
 * This maps Tomcat credentials to jBoss credentials. It can probably be placed after
 * many other Tomcat realms to map that realm into jBoss.
 * @author <a href="mailto:[EMAIL PROTECTED]">Kevin Lewis</a>
 * @version $Revision: 1.3 $
 *
 * changed imports to reflect new org.jboss.security structure
 * @author <a href="mailto:[EMAIL PROTECTED]">Dewayne McNair</a>
 * @version $Revision: 1.3 $
 *
 */
public class JbossRealm extends BaseInterceptor {

    // Copy the username/password Tomcat collected for this request into the
    // per-thread (ThreadLocal) JBoss SecurityAssociation.
    public int authenticate( Request req, Response response ){
        Hashtable cred=new Hashtable();
        SecurityTools.credentials( req, cred );
        String user=(String)cred.get("username");
        SecurityAssociation.setPrincipal( new SimplePrincipal( user ) );
        String pw=(String)cred.get("password");
        if (null != pw)
            SecurityAssociation.setCredential( pw.toCharArray() );
        return 0;
    }

    // Added: clear the per-thread principal and credential once the response
    // body has been handled, so the pooled thread does not carry them into
    // the next request it serves.
    public int afterBody( Request req, Response response ){
        SecurityAssociation.setPrincipal(null);
        SecurityAssociation.setCredential(null);
        return 0;
    }
}

Mark

Dr M.W. Shotton
MICROMASS UK LIMITED
Floats Road
Wythenshawe
Manchester
M23 9LZ
UK
+44 (0) 161 718 4548
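The leak Mark describes, reproduced as an added stand-alone example that is not code from this thread, from JBoss or from Tomcat. It uses a simplified stand-in for org.jboss.security.SecurityAssociation (two static ThreadLocals), a one-thread executor so the second request is guaranteed to reuse the worker, and the realm logic once without the clearing step (serveLeaky) and once with it (serveFixed). SecurityAssociation, SimplePrincipal, Request, serveLeaky, serveFixed and describe are assumed names for the demo; ThreadLocal.remove() and java.util.concurrent postdate the 2001 code and stand in for the set(null) calls in the patch.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class ThreadLocalLeakDemo {

    // Assumed stand-in for org.jboss.security.SecurityAssociation: the
    // principal and credential live in static ThreadLocals, i.e. per thread.
    static final class SecurityAssociation {
        private static final ThreadLocal<Principal> principal = new ThreadLocal<>();
        private static final ThreadLocal<char[]> credential = new ThreadLocal<>();

        static void setPrincipal(Principal p) { principal.set(p); }
        static Principal getPrincipal() { return principal.get(); }
        static void setCredential(char[] c) { credential.set(c); }
        static char[] getCredential() { return credential.get(); }

        // The reset the original JbossRealm lacked. remove() is the modern
        // equivalent of set(null); the password copy is scrubbed first.
        static void clear() {
            char[] c = credential.get();
            if (c != null) Arrays.fill(c, '\0');
            principal.remove();
            credential.remove();
        }
    }

    // Assumed stand-in for org.jboss.security.SimplePrincipal.
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // A request as the container would hand it over: credentials or none.
    static final class Request {
        final String user;
        final String password;
        Request(String user, String password) { this.user = user; this.password = password; }
    }

    // Buggy realm: sets the association on authentication and never clears it.
    static String serveLeaky(Request req) {
        if (req.user != null) {
            SecurityAssociation.setPrincipal(new SimplePrincipal(req.user));
            SecurityAssociation.setCredential(req.password.toCharArray());
        }
        return describe();
    }

    // Fixed realm: same, but the reset runs in finally, so neither a normal
    // return nor an exception in the body can leave the thread tainted.
    static String serveFixed(Request req) {
        try {
            if (req.user != null) {
                SecurityAssociation.setPrincipal(new SimplePrincipal(req.user));
                SecurityAssociation.setCredential(req.password.toCharArray());
            }
            return describe();
        } finally {
            SecurityAssociation.clear();
        }
    }

    // What the application code running on this thread would observe.
    static String describe() {
        Principal p = SecurityAssociation.getPrincipal();
        char[] c = SecurityAssociation.getCredential();
        return Thread.currentThread().getName()
             + " sees principal=" + (p == null ? "null" : p.getName())
             + " credential=" + (c == null ? "null" : new String(c));
    }

    public static void main(String[] args) throws Exception {
        // One pooled worker, so the anonymous request reuses the thread
        // that just served the authenticated one.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        Request authed = new Request("alice", "s3cret");      // constructed sample
        Request anonymous = new Request(null, null);          // no credentials
        try {
            System.out.println("-- leaky realm --");
            System.out.println(pool.submit(() -> serveLeaky(authed)).get());
            System.out.println(pool.submit(() -> serveLeaky(anonymous)).get()); // still alice/s3cret
            pool.submit(SecurityAssociation::clear).get(); // reset the worker between scenarios
            System.out.println("-- fixed realm --");
            System.out.println(pool.submit(() -> serveFixed(authed)).get());
            System.out.println(pool.submit(() -> serveFixed(anonymous)).get()); // null/null
        } finally {
            pool.shutdown();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
    }
}
```

Compile and run with javac ThreadLocalLeakDemo.java && java ThreadLocalLeakDemo. In the leaky run the second line reports the anonymous request as alice with credential s3cret, which is exactly the stale ThreadLocal state from the previous request on the same pooled thread; in the fixed run it reports null for both. The example clears in a finally block rather than in a separate post-response hook so that the reset cannot be skipped by an exception thrown while the request is being processed, which is the check worth making against any real container hook used for the same purpose.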