A leak of the authenticated JAAS Subject back to the Tomcat thread pool exists in 3.2.3. The Subject associated with the thread was not being cleared, but the principal and credentials were. Although this does not affect authentication or authorization, it can cause a previously authenticated Subject to be seen in an unauthenticated context. Applications associating sensitive information with the Subject, or basing security decisions on the Subject via custom integration with JBoss, could be affected by this leak.
Patched versions of the jbossweb-tomcat41.sar and jbossweb-tomcat50.sar are available in the JBoss-3.2.3 Files section as jbossweb-tomcat41-323p1.sar.zip and jbossweb-tomcat50-323p1.sar.zip respectively. The source code for this patch has been tagged with JBoss_3_2_3P1, and the patched services can be obtained from here: https://sourceforge.net/project/showfiles.php?group_id=22866&package_id=16942&release_id=196677

See bug [ 962223 ] "SecurityAssociation mixing users" for more info.

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3836700#3836700

JBoss-user mailing list: https://lists.sourceforge.net/lists/listinfo/jboss-user
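The failure mode described in the post, as an added example that is not part of the original post and is not JBoss's own SecurityAssociation code. It models the per-thread security state as three ThreadLocal slots (principal, credential, Subject; the slot names, the SimplePrincipal class and the clearLeaky/clearFixed methods are assumptions made for this illustration), runs an authenticated request and then an unauthenticated request on the same pooled worker thread, and shows that an end-of-request cleanup which resets only the principal and credential leaves the previous Subject visible to the next, unauthenticated request. The fixed cleanup resets the Subject slot as well.

```java
import java.security.Principal;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;

public class SubjectLeakDemo {

    // Simplified stand-in for a per-thread security association. Assumption:
    // this is NOT JBoss's SecurityAssociation, only a model of the pattern the
    // advisory describes: separate thread-local slots for principal, credential
    // and the JAAS Subject, all living on the pooled worker thread.
    static final ThreadLocal<Principal> PRINCIPAL = new ThreadLocal<>();
    static final ThreadLocal<Object> CREDENTIAL = new ThreadLocal<>();
    static final ThreadLocal<Subject> SUBJECT = new ThreadLocal<>();

    // Minimal Principal implementation for the example (assumed, not JBoss's).
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    static void associate(Principal p, Object credential, Subject s) {
        PRINCIPAL.set(p);
        CREDENTIAL.set(credential);
        SUBJECT.set(s);
    }

    // The leaking variant: principal and credential are reset when the request
    // finishes, but the Subject slot is left populated on the pooled thread.
    static void clearLeaky() {
        PRINCIPAL.remove();
        CREDENTIAL.remove();
    }

    // The corrected variant: every thread-local slot is reset.
    static void clearFixed() {
        PRINCIPAL.remove();
        CREDENTIAL.remove();
        SUBJECT.remove();
    }

    // Runs an authenticated request followed by an unauthenticated request on
    // the SAME worker thread and returns the Subject the second request sees.
    static Subject subjectSeenByUnauthenticatedRequest(Runnable clear)
            throws InterruptedException, ExecutionException {
        // A pool of exactly one thread guarantees the second request reuses
        // the first request's thread, which is what a busy Tomcat pool does.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Request 1: authenticated as "alice" (constructed sample identity).
            pool.submit(() -> {
                Principal alice = new SimplePrincipal("alice");
                Subject s = new Subject();
                s.getPrincipals().add(alice);
                associate(alice, "s3cret".toCharArray(), s);
                // ... request work would happen here ...
                clear.run();  // end-of-request cleanup under test
            }).get();

            // Request 2: no authentication performed, same worker thread.
            return pool.submit(() -> {
                System.out.println("request 2 sees principal=" + PRINCIPAL.get()
                        + " subject=" + SUBJECT.get());
                return SUBJECT.get();
            }).get();
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        Subject leaked = subjectSeenByUnauthenticatedRequest(SubjectLeakDemo::clearLeaky);
        Subject fixed = subjectSeenByUnauthenticatedRequest(SubjectLeakDemo::clearFixed);
        System.out.println("leaky clear -> stale Subject visible: " + (leaked != null));
        System.out.println("fixed clear -> stale Subject visible: " + (fixed != null));
    }
}
```

With the leaky cleanup the unauthenticated request reports a null principal but a non-null Subject containing "alice"; with the fixed cleanup both are null. A custom integration that reads the Subject rather than the principal is exactly the kind of code the post warns about, and the second request's check (assert that the thread starts with no Subject before any authentication has run) is a cheap guard such an integration can add at request entry.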
