AAA Authorization may falsely authorize user to a Shiro-restricted endpoint. In the current design, there is a cached User since it was incorrectly assumed that "doGetAuthorizationInfo()" was called directly after "doGetAuthenticationInfo()" for a given request. However, since multiple threads may access the TokenAuthRealm, there is a case for interleaving. This should be fixed by modifying the Principal object returned by "doGetAuthenticationInfo()" to return appropriate information.

This is an unpolished script that shows this behavior:

[ryan@awesomeo ~]$ cat test.py
import Queue
import threading
import requests

url = 'http://localhost:8181/restconf/modules/'
class myThread (threading.Thread):
def _init_(self, user, password):
threading.Thread._init_(self)
self.user = user
self.password = password
def run(self):
self.doget()
def doget(self):
resp = requests.get(url, auth=(self.user,self.password))
if self.user=='admin':
if resp.status_code != 200:
print "error " + str(resp.status_code)
else:
if resp.status_code != 401:
print "error2 " + str(resp.status_code)

if _name=='main_':
threads = []
q = Queue.Queue()
for i in range(0,100):
thread = myThread( 'admin', 'admin' )
thread2 = myThread( 'user', 'user' )
thread3 = myThread('admin','admin')
thread.start()
thread2.start()
thread3.start()
threads.append(thread)
threads.append(thread2)
threads.append(thread3)
for t in threads:
t.join()
[ryan@awesomeo ~]$

In the future, this script should be added to CSIT, but due to time constraints was tested manually.