-
1. Re: Concurrency bug in JaasSecurityManager
starksm64 Dec 9, 2006 11:15 AM (in response to cyberax)
Version details please.
-
2. Re: Concurrency bug in JaasSecurityManager
starksm64 Dec 9, 2006 12:25 PM (in response to cyberax)
Also note that there is no reliance on shared subjects in the server post 4.0.3SP1 so the details of where you believe a shared subject is in use are needed.
-
3. Re: Concurrency bug in JaasSecurityManager
cyberax Dec 9, 2006 6:26 PM (in response to cyberax)
"scott.stark@jboss.org" wrote:
Also note that there is no reliance on shared subjects in the server post 4.0.3SP1 so the details of where you believe a shared subject is in use are needed.
Strange, I'm using jboss-4.0.5.GA (built from source package). It definitely relies on shared subjects.
The version tag from JaasSecurityManager.java:
@version $Revision: 57203 $
BTW, there's also another small bug in JaasSecurityManager.java - no check for null 'domainCache' in getPrincipal() method.
-
4. Re: Concurrency bug in JaasSecurityManager
starksm64 Dec 9, 2006 6:36 PM (in response to cyberax)
And the usage that results in the shared subject is? When a jboss security aspect authenticates against the security manager, it obtains a copy of the subject and uses that for subsequent authorization checks.
-
5. Re: Concurrency bug in JaasSecurityManager
cyberax Dec 9, 2006 6:57 PM (in response to cyberax)
It doesn't perform a deep copy of Subjects, so the copied subject shares its role collection with the original subject.
Deep copy is controlled by the flag which is never set to 'true':
/** The flag to indicate that the Subject sets need to be deep copied */
private boolean deepCopySubjectOption = false;
-
6. Re: Concurrency bug in JaasSecurityManager
starksm64 Dec 9, 2006 7:23 PM (in response to cyberax)
You need to set the DeepCopySubjectMode to true on the org.jboss.security.plugins.JaasSecurityManagerService in conf/jboss-service.xml.
-
7. Re: Concurrency bug in JaasSecurityManager
cyberax Dec 9, 2006 11:18 PM (in response to cyberax)
Yes, that solves the problem.
I was worried that this setting can break something subtle (because it is undocumented). So I chose to ask here.
-
8. Re: Concurrency bug in JaasSecurityManager
starksm64 Dec 10, 2006 9:50 AM (in response to cyberax)
It's documented on the wiki:
http://wiki.jboss.org/wiki/Wiki.jsp?page=JaasSecurityManagerService
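
The aliasing described in reply 5, as an added example that is not part of the thread and not JBoss code: a copied javax.security.auth.Subject gets its own principal set but still holds the same mutable group object unless the group itself is copied. RoleGroup, shallowCopy and deepCopy are hypothetical names chosen for this sketch.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class SharedSubjectDemo {
    /** Hypothetical mutable role group standing in for a group principal kept in a Subject. */
    static final class RoleGroup implements Principal {
        private final String name;
        private final Set<String> roles = new HashSet<>();
        RoleGroup(String name) { this.name = name; }
        @Override public String getName() { return name; }
        void addRole(String role) { roles.add(role); }
        boolean hasRole(String role) { return roles.contains(role); }
        RoleGroup copy() {
            RoleGroup c = new RoleGroup(name);
            c.roles.addAll(roles);
            return c;
        }
    }

    /** Shallow copy: new Subject and new principal set, but the same RoleGroup instances. */
    static Subject shallowCopy(Subject s) {
        return new Subject(false, s.getPrincipals(),
                s.getPublicCredentials(), s.getPrivateCredentials());
    }

    /** Deep copy: mutable group principals are duplicated before being handed out. */
    static Subject deepCopy(Subject s) {
        Set<Principal> principals = new HashSet<>();
        for (Principal p : s.getPrincipals())
            principals.add(p instanceof RoleGroup ? ((RoleGroup) p).copy() : p);
        return new Subject(false, principals,
                s.getPublicCredentials(), s.getPrivateCredentials());
    }

    static boolean seesRole(Subject s, String role) {
        return s.getPrincipals(RoleGroup.class).iterator().next().hasRole(role);
    }

    public static void main(String[] args) {
        Subject cached = new Subject();              // constructed sample subject
        RoleGroup roles = new RoleGroup("Roles");
        roles.addRole("user");
        cached.getPrincipals().add(roles);
        Subject shallow = shallowCopy(cached);
        Subject deep = deepCopy(cached);
        roles.addRole("admin");                      // cached subject changes after the copies exist
        System.out.println("shallow copy sees admin: " + seesRole(shallow, "admin"));
        System.out.println("deep copy sees admin:    " + seesRole(deep, "admin"));
    }
}
```

Because the shallow copy holds the same HashSet-backed group as the cached subject, a thread reading roles from its copy and a thread updating the cached subject touch one unsynchronized collection.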