geronimo-dev mailing list archives

From "Ivan Dubrov (JIRA)" <...@geronimo.apache.org>
Subject [jira] Created: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.
Date Wed, 15 Jun 2005 06:10:51 GMT
Repeated login (after session invalidation) with different credentials results in incorrect role set.
-----------------------------------------------------------------------------------------------------

         Key: GERONIMO-677
         URL: http://issues.apache.org/jira/browse/GERONIMO-677
     Project: Geronimo
        Type: Bug
  Components: web  
    Versions: 1.0-M4    
    Reporter: Ivan Dubrov


Suppose we have two users, "user" with role "user" and "manager" with role "manager", and
two secured areas, /user/* and /manager/*, so that only a "user" can access pages with URL /user/*
and only a "manager" can access pages with URL /manager/*.

If we log in as "user", we can access only /user/* pages; we get "403 Forbidden" if we try to access
/manager/* pages. That is OK.

Now, if we clear the session (request.getSession().invalidate()), we are logged out, so
we can access neither /user/* nor /manager/* pages; the server redirects to the login page. That
is OK.

But if we log in a second time, as "manager", we can access both page sets, /user/* and /manager/*!
This means that the authenticated user holds both roles "user" and "manager", which is an impossible
combination!

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
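The three-step scenario in the report (log in as "user", invalidate the session, log in as "manager") is easy to script, so here is a reproduction harness for it. This is example code added to this archive page, not Geronimo's own code or a test from the project. It assumes things the report does not state: FORM login posting j_username/j_password to /j_security_check, a /logout.jsp page that calls request.getSession().invalidate(), and the index pages /user/index.jsp and /manager/index.jsp. The FakeContainer class is a constructed in-memory stand-in with the same interface, used so the harness can run offline; its accumulate_roles flag only models the behaviour the report observes (roles from an earlier login surviving invalidation) and is not a claim about Geronimo's internals.

```python
"""Reproduce GERONIMO-677: after logout and re-login as a different user,
the caller must hold only the new user's roles.  Example code, not Geronimo's."""
import sys
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request

# Assumed deployment layout (the report names only /user/* and /manager/*).
USER_PATH = "/user/index.jsp"
MANAGER_PATH = "/manager/index.jsp"
LOGOUT_PATH = "/logout.jsp"          # assumed: calls request.getSession().invalidate()
LOGIN_ACTION = "/j_security_check"   # assumed: standard FORM-auth action


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A 302 to the login page is a result we want to see, so do not follow it."""
    def redirect_request(self, *args, **kwargs):
        return None


class HttpClient:
    """Cookie-keeping client, so JSESSIONID is reused across the scenario."""
    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(jar), _NoRedirect())

    def get(self, path):
        """Return the HTTP status for path (302/403 come back as HTTPError)."""
        try:
            return self.opener.open(self.base_url + path).status
        except urllib.error.HTTPError as err:
            return err.code

    def login(self, username, password):
        self.get(USER_PATH)  # trigger the login challenge first
        data = urllib.parse.urlencode(
            {"j_username": username, "j_password": password}).encode()
        try:
            self.opener.open(self.base_url + LOGIN_ACTION, data=data)
        except urllib.error.HTTPError:
            pass  # the post-login redirect is expected

    def logout(self):
        self.get(LOGOUT_PATH)


class FakeContainer:
    """Constructed offline stand-in with the HttpClient interface.
    accumulate_roles=True reproduces what the report observes; it is a model
    for this script, not Geronimo's implementation."""
    ACCOUNTS = {"user": ("userpw", {"user"}), "manager": ("managerpw", {"manager"})}
    CONSTRAINTS = {"/user/": "user", "/manager/": "manager"}

    def __init__(self, accumulate_roles=False):
        self.accumulate = accumulate_roles
        self.roles = set()
        self.authenticated = False

    def login(self, username, password):
        pw, roles = self.ACCOUNTS[username]
        if password != pw:
            return
        self.authenticated = True
        self.roles = (self.roles | roles) if self.accumulate else set(roles)

    def logout(self):
        self.authenticated = False
        if not self.accumulate:
            self.roles = set()  # correct behaviour: invalidation drops the subject

    def get(self, path):
        for prefix, role in self.CONSTRAINTS.items():
            if path.startswith(prefix):
                if not self.authenticated:
                    return 302  # redirect to login page
                return 200 if role in self.roles else 403
        return 200


def run_scenario(client):
    """Drive the report's three steps; return the status pairs (user, manager)."""
    client.login("user", "userpw")
    as_user = (client.get(USER_PATH), client.get(MANAGER_PATH))
    client.logout()
    logged_out = (client.get(USER_PATH), client.get(MANAGER_PATH))
    client.login("manager", "managerpw")
    as_manager = (client.get(USER_PATH), client.get(MANAGER_PATH))
    return {"as_user": as_user, "logged_out": logged_out, "as_manager": as_manager}


def roles_leaked(results):
    """True when the second login reaches both areas: the role set is the union."""
    return results["as_manager"] == (200, 200)


if __name__ == "__main__":
    client = HttpClient(sys.argv[1]) if len(sys.argv) > 1 else FakeContainer(True)
    res = run_scenario(client)
    print(res, "GERONIMO-677 present" if roles_leaked(res) else "roles isolated")
```

Run it as `python repro.py http://host:8080/app` against a deployment; with no argument it exercises the offline model. The only assertion that matters for the bug is the last pair: after the second login the correct result is (403, 200), and (200, 200) is the union of roles the report describes.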

