The method

  defaultLogin(Principal principal, Object credential)

in JaasSecurityManager instantiates a new LoginContext. The constructor of 
LoginContext delegates to com.sun...ConfigFile. The method 
getAppConfigurationEntry is not thread safe.

StackTrace:

[ERROR,UserInfo] CONTAINER EXCEPTION:
java.lang.SecurityException: Configuration Error:
        Line 3: expected '{', found 'oi'
        at com.sun.security.auth.login.ConfigFile.getAppConfigurationEntry(ConfigFile.java:221)
        at javax.security.auth.login.LoginContext.init(LoginContext.java:172)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:266)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:380)
        at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:393)
        at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:361)
        at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:217)
        at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:163)
        at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:91)
        at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:103)
        at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:268)
        at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContainerInvoker.java:387)
        at java.lang.reflect.Method.invoke(Native Method)
        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:241)
        at sun.rmi.transport.Transport$1.run(Transport.java:152)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.Transport.serviceCall(Transport.java:148)
        at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:465)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:706)
        at java.lang.Thread.run(Thread.java:484)


Attachment: a Java source that reproduces the error.
Proposal: make defaultLogin(..) synchronized.
Applies: at least to 2.4.4 and 3.0.0


Sorry, I tried to post this on SourceForge several times with both 
Konqueror and Mozilla, but it didn't work.


Holger Engels

package reflect;

import java.io.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class Test
{
    public static void main(String[] args)
        throws Exception
    {
        // Point JAAS at the auth.conf found on the classpath.
        String resource = "auth.conf";
        java.net.URL loginConfig = Test.class.getClassLoader().getResource(resource);
        if (loginConfig != null) {
            System.setProperty("java.security.auth.login.config",
                               loginConfig.toExternalForm());
        }

        System.out.println("init");
        // args[0] is the number of threads to run concurrently.
        int count = Integer.parseInt(args[0]);
        Thread[] threads = new Thread[count];
        for (int i = 0; i < count; i++) {
            threads[i] = new Thread(new TestThread());
        }
        System.out.println("start");
        // Start all threads together so the LoginContext constructors overlap.
        for (int i = 0; i < count; i++) {
            threads[i].start();
        }
    }
}

class TestThread
    implements Runnable
{
    public void run() {
        try {
            // Constructing the LoginContext is enough to reach
            // ConfigFile.getAppConfigurationEntry; login() is never called.
            LoginContext lc = new LoginContext("juna", new CallbackHandler() {
                    public void handle(Callback[] callbacks)
                        throws IOException, UnsupportedCallbackException
                    {
                        // No callbacks are needed for this reproducer.
                    }
                });
        }
        catch (Exception e) {
            System.err.println(e.getMessage());
            e.printStackTrace(System.err);
        }
    }
}
