[JBoss-dev] Bug 439813 - Not fixed properly

Fri, 13 Jul 2001 10:20:43 -0700 

The JaasSecurityManager does not set the activeSubject for the thread after the 
unauthenticated user has already been authenticated.  The problem exists in the method 
validateCache, please see the code segments below.

Jason Rasmussen
[EMAIL PROTECTED]

***** Original Code ********
    /** Validate the cache credential value against the provided credential
     */
    private boolean validateCache(DomainInfo info, Object credential)
    {
        Object subjectCredential = info.credential;
        boolean isValid = false;
        // Check for a null credential as can be the case for an anonymou user
        if( credential == null )
        {
           // Subject credential must also be null
           isValid = subjectCredential == null;
        }
        if( isValid == true )
           return true;

        if( subjectCredential.getClass().isAssignableFrom(credential.getClass()) == 
false )
            return false;

        if( subjectCredential instanceof Comparable )
        {
            Comparable c = (Comparable) subjectCredential;
            isValid = c.compareTo(credential) == 0;
        }
        else if( subjectCredential instanceof char[] )
        {
            char[] a1 = (char[]) subjectCredential;
            char[] a2 = (char[]) credential;
            isValid = Arrays.equals(a1, a2);
        }
        else if( subjectCredential instanceof byte[] )
        {
            byte[] a1 = (byte[]) subjectCredential;
            byte[] a2 = (byte[]) credential;
            isValid = Arrays.equals(a1, a2);
        }
        else
        {
            isValid = subjectCredential.equals(credential);
        }

        if( isValid )
        {
            activeSubject.set(info.subject);
        }

        return isValid;
    }

***** Suggested Fix ********

     /** Validate the cache credential value against the provided credential
     */
    private boolean validateCache(DomainInfo info, Object credential)
    {
        Object subjectCredential = info.credential;
        boolean isValid = false;
        // Check for a null credential as can be the case for an anonymous user
        if( credential == null )
        {
            // Subject credential must also be null
            isValid = subjectCredential == null;
        } 
        else
        {
            if( subjectCredential.getClass().isAssignableFrom(credential.getClass()) 
== false )
                return false;

            if( subjectCredential instanceof Comparable )
            {
                Comparable c = (Comparable) subjectCredential;
                isValid = c.compareTo(credential) == 0;
            }
            else if( subjectCredential instanceof char[] )
            {
                char[] a1 = (char[]) subjectCredential;
                char[] a2 = (char[]) credential;
                isValid = Arrays.equals(a1, a2);
            }
            else if( subjectCredential instanceof byte[] )
            {
                byte[] a1 = (byte[]) subjectCredential;
                byte[] a2 = (byte[]) credential;
                isValid = Arrays.equals(a1, a2);
            }
            else
            {
                isValid = subjectCredential.equals(credential);
            }
        }

        if( isValid )
        {
            activeSubject.set(info.subject);
        }

        return isValid;
    }

_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-development

Reply via email to