geronimo-dev mailing list archives

From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-4748) Security context is not cleared before the thread is returned to the pool for Tomcat
Date Wed, 29 Jul 2009 20:16:15 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-4748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12736789#action_12736789 ]

David Jencks commented on GERONIMO-4748:
----------------------------------------

I think the idea of having this valve is our best bet for fixing the problem in 2.1.

I would be more comfortable with it if, instead of clearing the thread context when done,
it restored whatever Callers was there already.

I'm worried that during cross-context dispatch, the request will go through the ThreadCleanerValve
for the 2nd web app context and after return the security context will be missing. This would
cause problems if the servlet tried to do isCallerInRole("foo").

I'm thinking

Callers oldCallers = ContextManager.getCallers();   // whatever was on the thread before this request
try {
    next.invoke(request, response);                 // run the rest of the pipeline (realm, servlet, ...)
} finally {
    ContextManager.popCallers(oldCallers);          // put it back, even if the request threw
}

What do you think?   

> Security context is not cleared before the thread is returned to the pool for Tomcat
> ------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4748
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4748
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 2.1.5, 2.2
>            Reporter: Ivan
>            Assignee: Ivan
>            Priority: Critical
>             Fix For: 2.1.5, 2.2
>
>         Attachments: Geronimo-4748-2.1
>
>
> We do some authentication in the TomcatGeronimoRealm, and set the security context, but it is not cleared later.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
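The save-and-restore pattern sketched in the comment above, written out as a complete Tomcat valve. This is an added illustration, not the valve attached to GERONIMO-4748; it assumes Tomcat's ValveBase/Request/Response API and that Callers and ContextManager live in org.apache.geronimo.security with the getCallers()/popCallers(Callers) semantics the comment describes.

```java
import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;

/**
 * Restores, rather than clears, the Geronimo security context when a request
 * leaves this web app's pipeline. Illustrative example (assumed API, see the
 * lead-in); not the ThreadCleanerValve from the issue attachment.
 */
public class RestoreCallersValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Top-level request on a pooled thread: normally null, or whatever a
        // previous request leaked. Cross-context dispatch: the caller that the
        // first web app's realm already established on this thread.
        Callers oldCallers = ContextManager.getCallers();
        try {
            // The realm further down the pipeline pushes the authenticated
            // Subject for this web app onto the thread's caller state.
            getNext().invoke(request, response);
        } finally {
            // Put back exactly what was there on entry:
            //  - top-level request: the thread returns to the pool without
            //    this request's caller (the fix for the reported leak);
            //  - cross-context dispatch: the outer web app still sees its own
            //    caller, so a later isCallerInRole("foo") keeps working.
            // Clearing unconditionally here would break the second case.
            ContextManager.popCallers(oldCallers);
        }
    }
}
```

Register the valve in the web app's Tomcat pipeline in front of the realm/authenticator so that its finally block runs after authentication has modified the thread state.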

