Menu
▾
▴
[jboss-cvs] jbosssx/src/main/org/jboss/security/plugins JaasSecurityManager.java
|
From: Scott M S. <st...@us...> - 2002-08-06 12:00:18
|
User: starksm
Date: 02/08/06 05:00:18
Modified: src/main/org/jboss/security/plugins Tag: Branch_2_4
JaasSecurityManager.java
Log:
Don't allow login cache lookups for authorization information cause expired
entries to be flushed. Only authentication lookups should do this or else
an authenticated user can end up not seeing their expected authorization
level. This occurs when the login cache entry expires immeadiately after
authentication.
Revision Changes Path
No revision
No revision
1.7.2.14 +21 -9 jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManager.java
Index: JaasSecurityManager.java
===================================================================
RCS file: /cvsroot/jboss/jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManager.java,v
retrieving revision 1.7.2.13
retrieving revision 1.7.2.14
diff -u -r1.7.2.13 -r1.7.2.14
--- JaasSecurityManager.java 16 May 2002 00:33:28 -0000 1.7.2.13
+++ JaasSecurityManager.java 6 Aug 2002 12:00:17 -0000 1.7.2.14
@@ -50,7 +50,7 @@
@author <a href="on...@ib...">Oleg Nitz</a>
@author Sco...@jb...
- @version $Revision: 1.7.2.13 $
+ @version $Revision: 1.7.2.14 $
*/
public class JaasSecurityManager implements SubjectSecurityManager, RealmMapping
{
@@ -182,7 +182,7 @@
public boolean isValid(Principal principal, Object credential)
{
// Check the cache first
- DomainInfo cacheInfo = getCacheInfo(principal);
+ DomainInfo cacheInfo = getCacheInfo(principal, true);
boolean isValid = false;
if( cacheInfo != null )
@@ -204,7 +204,7 @@
{
Principal result = principal;
// Get the CallerPrincipal group member
- DomainInfo info = getCacheInfo(principal);
+ DomainInfo info = getCacheInfo(principal, false);
if( info != null )
{
result = info.callerPrincipal;
@@ -234,7 +234,7 @@
Subject subject = getActiveSubject();
if( subject != null )
{
- DomainInfo info = getCacheInfo(principal);
+ DomainInfo info = getCacheInfo(principal, false);
Group roles = null;
if( info != null )
roles = info.roles;
@@ -263,7 +263,7 @@
Subject subject = getActiveSubject();
if( subject != null )
{
- DomainInfo info = getCacheInfo(principal);
+ DomainInfo info = getCacheInfo(principal, false);
Group roles = null;
if( info != null )
@@ -286,7 +286,7 @@
Subject subject = getActiveSubject();
if( subject != null )
{
- DomainInfo info = getCacheInfo(principal);
+ DomainInfo info = getCacheInfo(principal, false);
Group roles = null;
if( info != null )
roles = info.roles;
@@ -416,9 +416,18 @@
/** An accessor method that synchronizes access on the domainCache
to avoid a race condition that can occur when the cache entry expires
- in the presence of multi-threaded access.
+ in the presence of multi-threaded access. The allowRefresh flag should
+ be true for authentication accesses and false for authorization accesses.
+ If it were to be true for an authorization access a previously authenticated
+ user could be seen to not have their expected permissions due to a cache
+ expiration.
+
+ @param principal, the caller identity whose cached credentials are to
+ be accessed.
+ @param allowRefresh, a flag indicating if the cache access should flush
+ any expired entries.
*/
- private DomainInfo getCacheInfo(Principal principal)
+ private DomainInfo getCacheInfo(Principal principal, boolean allowRefresh)
{
if( domainCache == null )
return null;
@@ -426,7 +435,10 @@
DomainInfo cacheInfo = null;
synchronized( domainCache )
{
- cacheInfo = (DomainInfo) domainCache.get(principal);
+ if( allowRefresh )
+ cacheInfo = (DomainInfo) domainCache.get(principal);
+ else
+ cacheInfo = (DomainInfo) domainCache.peek(principal);
}
return cacheInfo;
}
|