[ https://jira.nuxeo.org/browse/NXP-6111?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florent Guillaume updated NXP-6111:
-----------------------------------

    Impact type: [Deployment change]

> Memory Leak And Security hole in ClientLoginModule
> --------------------------------------------------
>
>                 Key: NXP-6111
>                 URL: https://jira.nuxeo.org/browse/NXP-6111
>             Project: Nuxeo Enterprise Platform
>          Issue Type: Bug
>    Affects Versions: 5.4.0.1
>            Reporter: Bogdan Stefanescu
>            Assignee: Bogdan Stefanescu
>            Priority: Critical
>             Fix For: 5.4.1
>
>
> The ClientLoginModule is the JAAS login module used on distributions other 
> than JBoss.
> Memory leak on tomcat distribution:  
> The LoginStackCleaner filter must be used to reset the login stack after each 
> HTTP request - but it is not declared in the tomcat distribution.
> Security Hole (on tomcat distribution): 
> When using Open URLs (see extension point 
> org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService#openUrl), 
> creating core sessions will use the context of the last user logged in on 
> the current thread (thread local variable) because the filter is not 
> registered to clear the thread local login stack.
> Also, we must enforce a check on session creation - and throw an exception if 
> someone wants to create a new session but no security context exists (not 
> logged in).
> The same should be done in the webengine context to avoid creating a session if 
> the current principal is null.
> Here is a list of modifications that need to be done:
> 1. In LocalSession.createSession - add a check on principal and throw an 
> exception if it is null.
> 2. AbstractWebContext.initializeBindings - add a check on principal to avoid 
> binding a coresession if the principal is null.
> 3. Create a new project nuxeo-platform-login-default that deploys the login 
> stack cleanup filter and the ClientLoginModule web propagator. Remove the 
> config/authentication-config.xml file from the tomcat distribution (and the jetty 
> one) - since it will be put in the new project.
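The failure mode described in the ticket, as an added illustration that is not Nuxeo code: a thread-local login stack is modelled with a plain ThreadLocal, the LoginStackCleaner filter is reduced to a clear() call in a finally block, and createSession() carries the null-principal check requested in modification 1. Class and method names here are assumptions chosen for the demo; a single-thread executor stands in for a servlet container's worker pool so the stale principal is visible on the second request.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Simplified model (added example, not Nuxeo code): a per-thread login stack,
// the cleanup a LoginStackCleaner-style filter performs after each request,
// and the null-principal guard the ticket asks for in createSession.
public class LoginStackDemo {
    private static final ThreadLocal<Deque<String>> STACK =
        ThreadLocal.withInitial(ArrayDeque::new);

    static void push(String principal) { STACK.get().push(principal); }
    static String currentPrincipal() { return STACK.get().peek(); }
    static void clear() { STACK.remove(); }   // what the cleaner filter does per request

    // Modification 1: refuse to create a session when no security context exists.
    static String createSession() {
        String p = currentPrincipal();
        if (p == null) {
            throw new SecurityException("no security context: not logged in");
        }
        return "session(" + p + ")";
    }

    // One HTTP request handled on a pooled worker thread.
    // cleanupFilter=false reproduces the missing-filter configuration.
    static void handleRequest(String loginAs, boolean cleanupFilter) {
        try {
            if (loginAs != null) push(loginAs);          // authenticated request
            System.out.println(Thread.currentThread().getName() + ": " + createSession());
        } catch (SecurityException e) {
            System.out.println(Thread.currentThread().getName() + ": rejected: " + e.getMessage());
        } finally {
            if (cleanupFilter) clear();                  // reset stack after the request
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(); // one reused worker
        // Without the filter: an unauthenticated open-URL request on the same
        // worker thread inherits the previous user's context -> session(admin).
        pool.submit(() -> handleRequest("admin", false)).get();
        pool.submit(() -> handleRequest(null, false)).get();
        pool.submit(LoginStackDemo::clear).get();        // reset the worker for the second run
        // With the filter registered: the stack is cleared, so the guard rejects it.
        pool.submit(() -> handleRequest("admin", true)).get();
        pool.submit(() -> handleRequest(null, true)).get();
        pool.shutdown();
    }
}
```

Run with `javac LoginStackDemo.java && java LoginStackDemo`; the first pair of requests shows the leaked `session(admin)`, the second pair shows the rejection once the stack is cleared between requests.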

_______________________________________________
ECM-tickets mailing list
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets