Repeated login (after session invalidation) with different credentials results in incorrect
role set.
-----------------------------------------------------------------------------------------------------
Key: GERONIMO-677
URL: http://issues.apache.org/jira/browse/GERONIMO-677
Project: Geronimo
Type: Bug
Components: web
Versions: 1.0-M4
Reporter: Ivan Dubrov
Consider we have two users, "user" with role "user" and "manager" with role "manager" and
two secured areas /user/* and /manager/*, so only "user"'s can access pages with URL /user/*
and only "manager"'s can access pages with URL /manager/*.
If we log in as "user", we can access only /user/* pages, "403 Forbidden" if we try to access
/manager/* pages. It is OK.
Now, if we clean the session (request.getSession().invalidate()), we will be logged out, so
we cannot access nor /user/*, nor /manager/* pages - server redirects to the login page. It
is OK.
But if we login second time, as a "manager", we can access both page sets - /user/* and /manager/*!
It means that authenticated user owns both roles "user" and "manager", but this is impossible
combination!
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
|