
Memory Leak And Security hole in ClientLoginModule


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.4.0.1
    • Fix Version/s: 5.4.1
    • Component/s: None
    • Impact type:
      Deployment change
    • Upgrade notes:
      Add the new login-default bundle to non JBoss distributions.
      For hotfix package: remove the config/authentication-config.xml from the template, and also update webengine-core (because some classes were moved in the new project). Updating the core is optional since it contains only an enforcement rule on null principals.

      Description

      The ClientLoginModule is the JAAS login module used on distributions other than JBoss.

      Memory leak on tomcat distribution:
      The LoginStackCleaner filter must be used to reset the login stack after each HTTP request, but it is not declared in the tomcat distribution.

      Security Hole (on tomcat distribution):
      When using Open URLs (see extension point org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService#openUrl), creating core sessions will use the context of the last user logged in on the current thread (thread local variable), because the filter is not registered to clear the thread local login stack.

      Also, we must enforce session creation and throw an exception if someone wants to create a new session but no security context exists (not logged in).
      The same should be done in the webengine context to avoid creating a session if the current principal is null.

      Here is the list of modifications that need to be done:

      1. In LocalSession.createSession: add a check on the principal and throw an exception if it is null.
      2. In AbstractWebContext.initializeBindings: add a check on the principal to avoid binding a core session if the principal is null.
      3. Create a new project nuxeo-platform-login-default that deploys the login stack cleanup filter and the ClientLoginModule web propagator. Remove the config/authentication-config.xml file from the tomcat distribution (and the jetty one), since it will be put in the new project.
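      As an added illustration (not code from the Nuxeo project), the following minimal Java model shows the three pieces the list above describes: a thread-local login stack, a cleaner filter that resets it in a finally block after every request, and a session factory that refuses a null principal instead of reusing whatever identity the pooled thread last held. The class and method names (LoginStack, LoginStackCleanerFilter, SessionFactory) are assumptions; only the javax.servlet Filter API is real, and the code assumes Java 8 or later.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Hypothetical, simplified model of the thread-local login stack kept by the login module.
final class LoginStack {
    private static final ThreadLocal<Deque<Principal>> STACK =
            ThreadLocal.withInitial(ArrayDeque::new);

    static void push(Principal p) { STACK.get().push(p); }

    // null when nobody is logged in on this thread
    static Principal current() { return STACK.get().peek(); }

    // Must run at the end of every request: container threads are pooled, so a stack
    // left behind is both a leak and the previous user's identity for the next request.
    static void clear() { STACK.remove(); }
}

// Counterpart of the LoginStackCleaner filter the issue says the tomcat distribution lacked.
final class LoginStackCleanerFilter implements Filter {
    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, resp);
        } finally {
            LoginStack.clear(); // runs even when the request ends with an exception
        }
    }
}

// Counterpart of the LocalSession.createSession check (item 1): no principal, no session.
final class SessionFactory {
    static Object createSession() {
        Principal p = LoginStack.current();
        if (p == null) {
            throw new SecurityException("cannot create a session without a logged-in principal");
        }
        return new Object(); // placeholder for the real session bound to p
    }
}
```

      Registering the filter on every request path matters as much as the null check: the check only detects the missing context, while the filter is what prevents one request's identity from surviving into the next.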
