From: Scott M S. <st...@us...> - 2002-08-06 12:00:18
|
User: starksm Date: 02/08/06 05:00:18 Modified: src/main/org/jboss/security/plugins Tag: Branch_2_4 JaasSecurityManager.java Log: Don't allow login cache lookups for authorization information cause expired entries to be flushed. Only authentication lookups should do this or else an authenticated user can end up not seeing their expected authorization level. This occurs when the login cache entry expires immeadiately after authentication. Revision Changes Path No revision No revision 1.7.2.14 +21 -9 jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManager.java Index: JaasSecurityManager.java =================================================================== RCS file: /cvsroot/jboss/jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManager.java,v retrieving revision 1.7.2.13 retrieving revision 1.7.2.14 diff -u -r1.7.2.13 -r1.7.2.14 --- JaasSecurityManager.java 16 May 2002 00:33:28 -0000 1.7.2.13 +++ JaasSecurityManager.java 6 Aug 2002 12:00:17 -0000 1.7.2.14 @@ -50,7 +50,7 @@ @author <a href="on...@ib...">Oleg Nitz</a> @author Sco...@jb... - @version $Revision: 1.7.2.13 $ + @version $Revision: 1.7.2.14 $ */ public class JaasSecurityManager implements SubjectSecurityManager, RealmMapping { @@ -182,7 +182,7 @@ public boolean isValid(Principal principal, Object credential) { // Check the cache first - DomainInfo cacheInfo = getCacheInfo(principal); + DomainInfo cacheInfo = getCacheInfo(principal, true); boolean isValid = false; if( cacheInfo != null ) @@ -204,7 +204,7 @@ { Principal result = principal; // Get the CallerPrincipal group member - DomainInfo info = getCacheInfo(principal); + DomainInfo info = getCacheInfo(principal, false); if( info != null ) { result = info.callerPrincipal; @@ -234,7 +234,7 @@ Subject subject = getActiveSubject(); if( subject != null ) { - DomainInfo info = getCacheInfo(principal); + DomainInfo info = getCacheInfo(principal, false); Group roles = null; if( info != null ) roles = info.roles; @@ -263,7 +263,7 @@ Subject subject = getActiveSubject(); if( subject != null ) { - DomainInfo info = getCacheInfo(principal); + DomainInfo info = getCacheInfo(principal, false); Group roles = null; if( info != null ) @@ -286,7 +286,7 @@ Subject subject = getActiveSubject(); if( subject != null ) { - DomainInfo info = getCacheInfo(principal); + DomainInfo info = getCacheInfo(principal, false); Group roles = null; if( info != null ) roles = info.roles; @@ -416,9 +416,18 @@ /** An accessor method that synchronizes access on the domainCache to avoid a race condition that can occur when the cache entry expires - in the presence of multi-threaded access. + in the presence of multi-threaded access. The allowRefresh flag should + be true for authentication accesses and false for authorization accesses. + If it were to be true for an authorization access a previously authenticated + user could be seen to not have their expected permissions due to a cache + expiration. + + @param principal, the caller identity whose cached credentials are to + be accessed. + @param allowRefresh, a flag indicating if the cache access should flush + any expired entries. */ - private DomainInfo getCacheInfo(Principal principal) + private DomainInfo getCacheInfo(Principal principal, boolean allowRefresh) { if( domainCache == null ) return null; @@ -426,7 +435,10 @@ DomainInfo cacheInfo = null; synchronized( domainCache ) { - cacheInfo = (DomainInfo) domainCache.get(principal); + if( allowRefresh ) + cacheInfo = (DomainInfo) domainCache.get(principal); + else + cacheInfo = (DomainInfo) domainCache.peek(principal); } return cacheInfo; } |