Memory Leak And Security hole in ClientLoginModule
--------------------------------------------------

                 Key: NXP-6111
                 URL: https://jira.nuxeo.org/browse/NXP-6111
             Project: Nuxeo Enterprise Platform
          Issue Type: Bug
    Affects Versions: 5.4.0.1
            Reporter: Bogdan Stefanescu
            Assignee: Bogdan Stefanescu
            Priority: Critical
             Fix For: 5.4.x


The ClientLoginModule is the JAAS login module used on distributions other than 
JBoss.

Memory leak on tomcat distribution:
The LoginStackCleaner filter must be used to reset the login stack after each 
HTTP request, but it is not declared in the tomcat distribution.

Security hole (on tomcat distribution):
When using open URLs (see extension point 
org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService#openUrl), 
creating core sessions will use the context of the last user logged in on the 
current thread (thread-local variable), because the filter is not registered to 
clear the thread-local login stack.

Also, we must enforce session creation and throw an exception if someone 
wants to create a new session but no security context exists (not logged in).
The same should be done in the webengine context to avoid creating a session if 
the current principal is null.

Here is a list of modifications that need to be done:

1. In LocalSession.createSession - add a check on principal and throw an 
exception if it is null.
2. AbstractWebContext.initializeBindings -  add a check on principal to avoid 
binding a coresession if the principal is null.
3. Create a new project nuxeo-platform-login-default that deploys the login 
stack cleanup filter and the clientloginmodule web propagator. Remove the 
config/authentication-config.xml file from the tomcat distribution (and the jetty one), 
since it will be put in the new project.
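The following is an added, self-contained illustration of the two problems this ticket describes and of modification 1; it is not Nuxeo code. It models the thread-local login stack with a plain ThreadLocal<Deque<Principal>> (hypothetical names LOGIN_STACK, clearLoginStack, createSession), runs a login request and then an anonymous request on the same pooled worker thread, and shows that without the per-request cleanup the anonymous request inherits the previous user's context, while with the cleanup plus a null-principal check the session request is refused.

```java
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Hypothetical, simplified model of a thread-local JAAS login stack (not Nuxeo's code).
public class LoginStackDemo {

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // One login stack per thread: this is what survives across requests when a
    // worker thread is reused and nothing resets it.
    static final ThreadLocal<Deque<Principal>> LOGIN_STACK =
            ThreadLocal.withInitial(ArrayDeque::new);

    static void push(Principal p) { LOGIN_STACK.get().push(p); }

    static Principal currentPrincipal() { return LOGIN_STACK.get().peek(); }

    // The job of the LoginStackCleaner filter: drop the thread's stack after the request.
    static void clearLoginStack() { LOGIN_STACK.remove(); }

    // Modification 1 from the ticket: refuse to create a session with no security context.
    static String createSession() {
        Principal p = currentPrincipal();
        if (p == null) {
            throw new IllegalStateException("Cannot create a core session: no security context");
        }
        return "session-for-" + p.getName();
    }

    // One simulated request on a pooled worker thread. A non-null user logs in; a
    // null user models an anonymous "open URL" request that then asks for a session.
    static Callable<String> request(String user, boolean cleanup) {
        return () -> {
            try {
                if (user != null) {
                    push(new SimplePrincipal(user));
                    return "logged in " + user;
                }
                try {
                    return createSession();
                } catch (IllegalStateException e) {
                    return "rejected: " + e.getMessage();
                }
            } finally {
                // Without this reset the stack leaks to whatever request the thread serves next.
                if (cleanup) clearLoginStack();
            }
        };
    }

    // Log "alice" in, then serve an anonymous request on the same single worker thread.
    static String anonymousRequestAfterLogin(boolean cleanup) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            worker.submit(request("alice", cleanup)).get();
            return worker.submit(request(null, cleanup)).get();
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // No cleanup filter: the anonymous request silently runs as alice.
        System.out.println("without cleanup: " + anonymousRequestAfterLogin(false));
        // Cleanup filter plus null-principal check: the session request is refused.
        System.out.println("with cleanup:    " + anonymousRequestAfterLogin(true));
    }
}
```

The first line printed is "session-for-alice", which is the security hole in miniature: the thread-local state, not the request, decided who the session belongs to. The second line is the rejection message, because the stack was reset in a finally block and createSession refused to proceed without a principal. In a real deployment the reset belongs in a servlet filter's finally block so it also runs when the request throws.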

_______________________________________________
ECM-tickets mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets