[ http://jira.jboss.com/jira/browse/JBAS-1320?page=history ]
     
Scott M Stark resolved JBAS-1320:
---------------------------------

     Resolution: Done
    Fix Version:  JBossAS-4.0.2RC1
                 JBossPOJOServer-1.0 Alpha

The security context created by the JMSContainerInvoker is now cleared as well.

> Security Hole Created by MDB Deployment
> ---------------------------------------
>
>          Key: JBAS-1320
>          URL: http://jira.jboss.com/jira/browse/JBAS-1320
>      Project: JBoss Application Server
>         Type: Bug
>   Components: Security
>     Versions: JBossAS-3.2.6 Final
>     Reporter: eugene75
>     Assignee: Scott M Stark
>     Priority: Blocker
>      Fix For:  JBossAS-3.2.7 Final,  JBossAS-4.0.2RC1, JBossPOJOServer-1.0 Alpha
>
>
> During the deployment of a message driven bean, the container creates a 
> connection to the message queue using the user/pwd provided by the deployment 
> descriptor. The authenticated subject created by this operation is bound to 
> the current thread (via the security association class) using a ThreadLocal. 
> The thread that deploys components existing in the deploy directory at 
> startup is the "main" thread. This means that the "main" thread has a 
> security association. This security association (meaning the Subject bound to 
> the thread by a ThreadLocal) is then copied to every other thread created by 
> JBoss, including the HTTP processor threads, class loader threads, etc. 
> The very first time the application is accessed using one of the HTTP 
> processor threads, it has the security association create the jms login. Once 
> the processor thread has processed one request, the security association is 
> cleared and functions normally. 
> A partial workaround is to not deploy the MDBs until after JBoss has finished 
> starting up. This prevents the jms-connection user security association from 
> being inherited by the HTTP processor threads. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://jira.jboss.com/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira
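
The inheritance problem described in the report, as an added Java example that is not part of the original message and is not JBoss code. It assumes `InheritableThreadLocal` as a stand-in for the copying behaviour the reporter describes; the class, the method names and the `jms-connection-user` value are hypothetical.

```java
import java.util.concurrent.atomic.AtomicReference;

// Added illustration only: names are hypothetical, this is not JBoss source.
public class InheritedSecurityContextDemo {

    // Models a per-thread security association that is copied into every
    // thread created by the current one (assumption: InheritableThreadLocal
    // stands in for the behaviour described in the report).
    private static final InheritableThreadLocal<String> PRINCIPAL =
            new InheritableThreadLocal<>();

    // Simulates MDB deployment on the deploying thread: authenticate as the
    // JMS connection user taken from the deployment descriptor.
    // clearAfterUse == true models the fixed behaviour (context cleared).
    static void deployMdb(String jmsUser, boolean clearAfterUse) {
        PRINCIPAL.set(jmsUser);
        try {
            // ... open the queue connection as jmsUser ...
        } finally {
            if (clearAfterUse) {
                PRINCIPAL.remove(); // do not leave the login bound to this thread
            }
        }
    }

    // Creates a worker thread after deployment and reports the identity it
    // holds before any request has authenticated on it.
    static String identitySeenByNewWorker() throws InterruptedException {
        AtomicReference<String> seen = new AtomicReference<>();
        // The inheritable value is copied when the Thread object is created.
        Thread worker = new Thread(() -> seen.set(PRINCIPAL.get()), "http-processor-1");
        worker.start();
        worker.join();
        return seen.get();
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample value, not a real account.
        deployMdb("jms-connection-user", false);
        System.out.println("context left set:  worker sees " + identitySeenByNewWorker());

        PRINCIPAL.remove(); // reset the deploying thread between the two runs
        deployMdb("jms-connection-user", true);
        System.out.println("context cleared:   worker sees " + identitySeenByNewWorker());
    }
}
```

A worker created while the deploying thread still holds the login starts with that identity; once the deploying code clears the context in `finally`, new workers start with none.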


