#215 synced cache in JaasSecurityManager

v2.4 (stable)
Scott M Stark
JBossSX (25)
Chris Harris

JBoss 2.4.4 used, also experienced under 2.4.5RC3

Under heavy load, where multiple threads are using the
same user Principal, the credentials cache can
occasionally fail to supply credentials.

An example would be where many MDBs are deployed, all
using the same identity. If these MDBs call other EJBs
also, many threads can access the credentials cache in
JaasSecurityManager simultaneously. This can result in
calls to the updateCache() method removing and
reinserting credentials for a user, whilst at the same
time SecurityInterceptor calls doesUserHaveRole()
which checks the contents of the cache. There is a
small space between the remove() and insert() in the
updateCache() method where the credentials are not in
the cache. The result is that doesUserHaveRole() can
fail, and SecurityInterceptor throws a
SecurityException at line 215.

The attached patch to JaasSecurityManager seems to fix
this intermittent problem by synchronising access to
the cache for the read and update operations. This may
produce a minor performance hit but ensures
correctness. This patch was applied to CVS revision
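
As an added illustration (not the reporter's patch and not JBoss code), the following hypothetical stand-in for the JaasSecurityManager cache reproduces the window between remove() and insert() that the report describes, and shows the synchronized variant beside it; all class, method and principal names are assumptions. A thread-safe map is used deliberately to make the point that the gap is a logical one and a concurrent collection alone does not close it.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

// Simplified stand-in for the JaasSecurityManager credential cache (hypothetical, not JBoss code).
// Key = principal name, value = the roles the login module resolved for that principal.
public class CredentialCacheRace {
    private final Map<String, Set<String>> cache = new ConcurrentHashMap<>();
    private final boolean synced;

    CredentialCacheRace(boolean synced) { this.synced = synced; }

    // remove() followed by put(): without the lock, a reader can run between the two calls.
    void updateCache(String user, Set<String> roles) {
        if (synced) { synchronized (cache) { cache.remove(user); cache.put(user, roles); } }
        else { cache.remove(user); cache.put(user, roles); }
    }

    // SecurityInterceptor-style check: a lookup that lands in the gap sees no entry and denies.
    boolean doesUserHaveRole(String user, String role) {
        Set<String> roles;
        if (synced) { synchronized (cache) { roles = cache.get(user); } }
        else { roles = cache.get(user); }
        return roles != null && roles.contains(role);
    }

    // Hammer one principal with concurrent refreshes and role checks; count spurious denials.
    static long spuriousDenials(boolean synced, int iterations) throws InterruptedException {
        CredentialCacheRace c = new CredentialCacheRace(synced);
        Set<String> roles = Collections.singleton("MDBRole");
        c.updateCache("mdb-user", roles);
        AtomicLong denials = new AtomicLong();
        Thread writer = new Thread(() -> {
            for (int i = 0; i < iterations; i++) c.updateCache("mdb-user", roles);
        });
        Thread reader = new Thread(() -> {
            for (int i = 0; i < iterations; i++)
                if (!c.doesUserHaveRole("mdb-user", "MDBRole")) denials.incrementAndGet();
        });
        writer.start(); reader.start();
        writer.join(); reader.join();
        return denials.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unsynchronized denials: " + spuriousDenials(false, 2_000_000));
        System.out.println("synchronized denials:   " + spuriousDenials(true, 2_000_000));
    }
}
```

The first count is timing dependent and is typically nonzero on a multi-core machine; the second is always zero because the lookup can never observe the state between remove() and put().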


  • Chris Harris

    JaasSecurityManager patch

  • Scott M Stark

    • assigned_to: nobody --> starksm
    • status: open --> closed-fixed
  • Scott M Stark


    Yes, there is a race condition here. I have applied a
    similar fix for 2.4.5.