0 Replies Latest reply on Aug 20, 2002 3:13 PM by Kenneth Roper

    Security flaw: incorrect principal used by JBoss

    Kenneth Roper Newbie

      I have experienced a non-reproducible error in Form-based (with DatabaseServerLoginModule) JAAS using Tomcat 4.0.4 bundled with JBoss 2.4.7.

      I have seen evidence which strongly indicates that the following is occurring:

      If a (Stateful Session) EJB is accessed from an protected page, the current principal is associated with the currently executing thread, and everything works fine. From my shaky knowledge of the JBoss internals, I think the principal is stored in a ThreadLocal variable, and the thread itself comes from a pool, maintained either by JBoss or Catalina.

      If the EJB is accessed from an unprotected page, the current principal is NOT associated with the currently executing thread. JBoss then uses the unauthenticatedIdentity, as expected.

      However, if this thread has been used from a protected page before to access an EJB, but is now used from an unprotected page, it still remembers the principal which was last used! Think about it: there is no guarantee the same logged-in user will get the same thread from the pool on subsequent hits on the website. This current user's principal is not used to overwrite the existing principal, as the call is made from a non-protected page. The principal used is therefore out of context, with possibly different security permissions to the current user!

      One of the reasons I've come to this conclusion is I am getting the following error when I make an EJB call from an unprotected page in a session which I have not logged in to:

      [11:41:56,209,RequestHandler] TRANSACTION ROLLBACK EXCEPTION:
      javax.transaction.TransactionRolledbackException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=frank; nested exception is:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=frank
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=frank
      java.lang.SecurityException: Authentication exception, principal=frank
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:167)
      at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:116)
      ...


      However, "frank" is not the current user, nor the unauthenticatedIdentity user! Frank is acutually another user of the system who has accessed the system previously, but is now logged off.

      To further confuse things, the method it is trying to access has "unchecked" permissions anyway!

      This theory is very difficult to prove as the error is not consistently reproducible, and I don't know the JBoss / Tomcat code well enough to find out exactly when or why it is occurring.

      However, if I'm right it has serious implications.

      I would really appreciate any feedback on this, either agreeing that this may be a bug, or pointing out a mistake in my reasoning. And especially if anyone has a workaround! This bug has reared it's head given enough testing on every unprotected page which accesses our EJB tier!

      Thanks
      Kenneth