Agreed. I'll update it.
----- Original Message -----
From: "Shotton Mark MMUk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 15, 2001 6:12 AM
Subject: [JBoss-user] JBossRealm Security Bug
> Hello there
>
> There is an omission in the version of org.jboss.tomcat.security.JbossRealm
> that I checked out of CVS from the contrib/tomcat area. The principal and
> credentials propagated from Tomcat are stored in ThreadLocal objects in
> org.jboss.security.SecurityAssociation. However these ThreadLocal variables
> are never reset to null. So the threads are returned to the pool and can be
> used again with the principal and credentials still set (not very secure!).
>
> The JbossRealm should implement a method to reset the principal and
> credentials to null. I have done this as below:
>
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
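The leak described in the quoted report, shown as an added illustration that is not code from this thread or from JBoss: a single-thread pool stands in for a pooled request thread, and the class and method names below are made up, not the real SecurityAssociation or JbossRealm API.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Hypothetical stand-in for a ThreadLocal-backed security association.
final class AssociationDemo {
    private static final ThreadLocal<String> principal = new ThreadLocal<>();
    private static final ThreadLocal<String> credential = new ThreadLocal<>();

    static void set(String p, String c) { principal.set(p); credential.set(c); }
    static String principal() { return principal.get(); }
    static void clear() { principal.remove(); credential.remove(); }

    // Leaky handling: authenticate, do the work, never reset the ThreadLocals.
    static void leakyRequest(String user, String pass) {
        set(user, pass);
        System.out.println("authenticated request runs as " + principal());
    }

    // Corrected handling: reset in finally, so it happens even if the work throws.
    static void safeRequest(String user, String pass) {
        set(user, pass);
        try {
            System.out.println("authenticated request runs as " + principal());
        } finally {
            clear();
        }
    }

    // An unauthenticated request should never observe a principal.
    static void anonymousRequest() {
        System.out.println("anonymous request sees principal=" + principal());
    }

    public static void main(String[] args) throws Exception {
        // One worker thread forces reuse, like a pooled Tomcat request thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        pool.submit(() -> leakyRequest("alice", "secret")).get();
        // Same thread, no authentication: alice's principal is still attached.
        pool.submit(AssociationDemo::anonymousRequest).get();
        pool.submit(() -> safeRequest("bob", "secret2")).get();
        // Same thread again, but the finally block cleared the association.
        pool.submit(AssociationDemo::anonymousRequest).get();
        pool.shutdown();
    }
}
```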