geronimo-dev mailing list archives

From "Ivan Dubrov (JIRA)" <>
Subject [jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.
Date Wed, 06 Jul 2005 12:39:18 GMT

Ivan Dubrov updated GERONIMO-677:

    Component: security
                   (was: web)
     Priority: Critical  (was: Major)

The issue seems more critical than it was!

Even logging in a second time from a second browser (a completely separate request) does not help;
the second login gets both roles together, "user" and "manager", although that is impossible.

Here is the value of ContextManager.getCurrentCaller() (after the second login, when I log
in as a user after logging in as a manager in the other browser) converted to string:

    Principal: user
    Principal: manager
    Principal: user
    Principal: SomeRealm:[]
    Principal: SomeRealm:[]
    Principal: SomeRealm:[]

The output is done with the following code in my JSP:
<%-- Reconstructed from the description above: the value of
     ContextManager.getCurrentCaller() (a javax.security.auth.Subject)
     converted to a string. --%>
<% javax.security.auth.Subject caller =
       org.apache.geronimo.security.ContextManager.getCurrentCaller(); %>
<%= caller %>

Note that there are two GroupPrincipals, "user" and "manager". It seems that "manager" is incorrectly
left over from the first login (although it was done from a separate browser).

> Repeated login (after session invalidation) with different credentials results in incorrect
role set.
> -----------------------------------------------------------------------------------------------------
>          Key: GERONIMO-677
>          URL:
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Priority: Critical

> Consider we have two users, "user" with role "user" and "manager" with role "manager",
and two secured areas, /user/* and /manager/*, so that only "user"s can access pages with URL /user/*
and only "manager"s can access pages with URL /manager/*.
> If we log in as "user", we can access only /user/* pages; we get "403 Forbidden" if we try to
access /manager/* pages. It is OK.
> Now, if we clear the session (request.getSession().invalidate()), we will be logged out,
so we cannot access either /user/* or /manager/* pages; the server redirects to the login page.
It is OK.
> But if we log in a second time, as "manager", we can access both page sets, /user/* and
/manager/*! It means that the authenticated user owns both roles "user" and "manager", but this
is an impossible combination!

This message is automatically generated by JIRA.
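A diagnostic servlet that makes the role leak described in this report visible in one request, added here as an example; it is not code from the report or from the Geronimo project. It assumes the web.xml from the description (/user/* constrained to role "user", /manager/* to role "manager") plus an unconstrained mapping of this servlet to /whoami, and it assumes org.apache.geronimo.security.ContextManager.getCurrentCaller() returns the caller's javax.security.auth.Subject as the reporter's JSP used it. Hit /whoami after each step of the reporter's sequence (login as "user", /whoami?logout=1, login as "manager"); a correct server never prints the warning, a server with this bug prints it after the second login.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.geronimo.security.ContextManager; // assumed: Geronimo's caller context API

/**
 * Assumed mapping: /whoami (no security constraint), alongside the
 * report's /user/* (role "user") and /manager/* (role "manager") constraints.
 *
 *   GET /whoami           report remote user, container roles and Subject principals
 *   GET /whoami?logout=1  invalidate the session first (the report's logout step), then report
 */
public class WhoAmIServlet extends HttpServlet {

    /** "user" and "manager" are meant to be mutually exclusive in this deployment. */
    static boolean isImpossibleCombination(boolean inUserRole, boolean inManagerRole) {
        return inUserRole && inManagerRole;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("1".equals(req.getParameter("logout"))) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate(); // same call the reporter used to log out
            }
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // What the container believes about this request's roles.
        boolean inUserRole = req.isUserInRole("user");
        boolean inManagerRole = req.isUserInRole("manager");
        out.println("remoteUser: " + req.getRemoteUser());
        out.println("isUserInRole(\"user\")=" + inUserRole
                + " isUserInRole(\"manager\")=" + inManagerRole);

        // What Geronimo's security context carries for the caller (the reporter's check).
        Subject caller = ContextManager.getCurrentCaller();
        if (caller == null) {
            out.println("no current caller (unauthenticated)");
        } else {
            for (Principal p : caller.getPrincipals()) {
                out.println("Principal: " + p.getClass().getName() + " " + p.getName());
            }
        }

        if (isImpossibleCombination(inUserRole, inManagerRole)) {
            // A role set that no single account should have: treat it as a security failure,
            // not a curiosity, so it shows up in the server log as well as the page.
            log("SECURITY: caller " + req.getRemoteUser()
                    + " holds both \"user\" and \"manager\" after re-login");
            out.println("WARNING: impossible role combination (user AND manager)");
        }
    }
}
```

The servlet reports both views of the caller on purpose: isUserInRole() is what the URL constraints are enforced against, while the Subject's principal list is where the reporter saw the stale GroupPrincipal, so a mismatch between the two narrows down whether the leak is in the container's role mapping or in the security context left over from the previous login.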
