Yeah that is a serious problem, we need Session based authentication. marcf
|-----Original Message----- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED]]On Behalf Of Greg |Wilkins |Sent: Monday, February 25, 2002 4:31 PM |To: [EMAIL PROTECTED]; jules |Subject: [JBoss-dev] Security problem in authentication model. | | | |There is a problem with the use of ThreadLocals to record Authentication |when the client (in this case Jetty) is using ThreadPools. | |I have previously mentioned this, but now I have confirmation that it is |a problem for a Client. | |He created a small thread pool for the listener (4 threads), then |used 4 browsers to hit authenticated pages and authenticated |with a different user for each browser. | |The effect of this was for the JBoss authentication mechanism to |create ThreadLocal authentications for each of these threads. | |He then got new browsers and started hitting unauthenticated |pages that reported the request and EJB auth details. These |new requests receive random EJB authentication depending on |which thread from the thread pool they are allocated: | | >>23:33:25,434 INFO [Default] request.getUserPrincipal=null; | >>ctx.getCallerPrincipal().getName()=comercial | >>23:33:25,464 INFO [Default] request.getUserPrincipal=null; | >>ctx.getCallerPrincipal().getName()=comercial | >>23:33:38,333 INFO [Default] request.getUserPrincipal=null; | >>ctx.getCallerPrincipal().getName()=cliente | >>23:33:38,373 INFO [Default] request.getUserPrincipal=null; | >>ctx.getCallerPrincipal().getName()=cliente | >>23:34:46,341 INFO [Default] request.getUserPrincipal=null; | >>ctx.getCallerPrincipal().getName()=cliente | >>23:34:46,371 INFO [Default] request.getUserPrincipal=null; | >>ctx.getCallerPrincipal().getName()=cliente | >>23:34:57,186 INFO [Default] request.getUserPrincipal=null; | >>ctx.getCallerPrincipal().getName()=admin | >>23:34:57,236 INFO [Default] request.getUserPrincipal=null; | >>ctx.getCallerPrincipal().getName()=admin | | |We need a mechanism to unauthenticate Threads, so the Jetty can |call this after each request. | |Note that it is not an option to get rid of the ThreadPool as that |would be a HUGE performance hit. | | |regards | | |-- |Greg Wilkins<[EMAIL PROTECTED]> GB Phone: +44-(0)7092063462 |Mort Bay Consulting Australia and UK. Mbl Phone: +61-(0)4 17786631 |http://www.mortbay.com AU Phone: +61-(0)2 98107029 | | |_______________________________________________ |Jboss-development mailing list |[EMAIL PROTECTED] |https://lists.sourceforge.net/lists/listinfo/jboss-development _______________________________________________ Jboss-development mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-development