Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PAYARA-2561 CORBA authentication leakage #2493

Merged
merged 1 commit into from
Mar 3, 2018
Merged

PAYARA-2561 CORBA authentication leakage #2493

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 15 additions & 11 deletions ....security/src/main/java/com/sun/enterprise/iiop/security/SecServerRequestInterceptor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@
* only if the new code is made subject to such option by the copyright
* holder.
*/
// Portions Copyright [2018] [Payara Foundation and/or its affiliates]

package com.sun.enterprise.iiop.security;

Expand Down Expand Up @@ -95,7 +96,16 @@ public class SecServerRequestInterceptor
}
private static LocalStringManagerImpl localStrings =
new LocalStringManagerImpl(SecServerRequestInterceptor.class);
private InheritableThreadLocal counterForCalls = new InheritableThreadLocal();

// the below cannot be InheritableThreadLocal because the counter inside
// would be reused by thre thread pool, thus it's a non-inheritable ThreadLocal
// See PAYARA-2561
private ThreadLocal<Counter> counterForCalls = new ThreadLocal<Counter>() {
@Override
protected Counter initialValue() {
return new Counter();
}
};

/**
* Hard code the value of 15 for SecurityAttributeService until
Expand Down Expand Up @@ -613,11 +623,7 @@ public void receive_request_service_contexts(ServerRequestInfo ri)
// semantics. e.g. if receive_req for some other PI throws an
// exception - the send_exception will be called that will muck
// the stack up
Counter cntr = (Counter)counterForCalls.get();
if (cntr == null){
cntr = new Counter();
counterForCalls.set(cntr);
}
Counter cntr = counterForCalls.get();
if (cntr.count == 0) {
//Not required
//SecurityService secsvc = Csiv2Manager.getSecurityService();
Expand Down Expand Up @@ -667,12 +673,10 @@ public void destroy()

private void unsetSecurityContext() {
try {
Counter cntr = (Counter) counterForCalls.get();
if (cntr == null) { // sanity check
cntr = new Counter(1);
}
Counter cntr = counterForCalls.get();
cntr.decrement();
if (cntr.count == 0) {
if (cntr.count <= 0) {
cntr.count = 0;
SecurityContextUtil.unsetSecurityContext(isLocal());

}
Expand Down