geronimo-dev mailing list archives

From "Ivan Dubrov (JIRA)" <...@geronimo.apache.org>
Subject [jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.
Date Wed, 06 Jul 2005 12:39:18 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Ivan Dubrov updated GERONIMO-677:
---------------------------------

    Component: security
                   (was: web)
     Priority: Critical  (was: Major)

The issue seems more critical than it was!

Even logging in a second time from a second browser (a completely separate request) does not help:
the second login gets both roles together, "user" and "manager", although this is an impossible
case.

Here is the value of ContextManager.getCurrentCaller() (after the second login, when I log
in as a user after logging in as a manager in the other browser) converted to string:

Subject: 
    Principal: user
    Principal: manager
    Principal: user
    Principal: SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal:user]
    Principal: SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:manager]
    Principal: SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:user]
    Principal: org.apache.geronimo.security.IdentificationPrincipal[[1120652737562:0xb464eb7d6d21b0ab9ba3afbac26621fd58598f54]]

The output is done with the following code in my JSP:
<%
javax.security.auth.Subject caller = org.apache.geronimo.security.ContextManager.getCurrentCaller();
%><%=caller%>

Note that there are two GroupPrincipals, "user" and "manager". It seems that the one from the first
login was incorrectly left over (although that login was done from a separate browser).


> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Priority: Critical

>
> Consider we have two users, "user" with role "user" and "manager" with role "manager", and two
> secured areas /user/* and /manager/*, so only "user"s can access pages with URL /user/* and only
> "manager"s can access pages with URL /manager/*.
> If we log in as "user", we can access only /user/* pages, and get "403 Forbidden" if we try to
> access /manager/* pages. It is OK.
> Now, if we clear the session (request.getSession().invalidate()), we will be logged out, so we
> can access neither /user/* nor /manager/* pages; the server redirects to the login page. It is OK.
> But if we log in a second time, as a "manager", we can access both page sets, /user/* and
> /manager/*! It means that the authenticated user owns both roles "user" and "manager", but this
> is an impossible combination!

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
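To make the reported symptom checkable, here is an added example (not code from the bug report or from Geronimo) that models the two login patterns with javax.security.auth.Subject and a hypothetical GroupPrincipal stand-in: one pattern keeps adding group principals to a Subject carried over from the previous login, the other builds a fresh Subject per authentication, and a check verifies that a caller's group principals equal exactly the roles the realm assigned.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical stand-in for the realm's group principal (not Geronimo's own class).
final class GroupPrincipal implements Principal {
    private final String name;
    GroupPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof GroupPrincipal && ((GroupPrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "Group:" + name; }
}

public class RoleAccumulationCheck {
    // Pattern that reproduces the reported symptom: the login adds the new user's group
    // principals to a Subject that still carries the groups of the previous login.
    static Subject loginReusingSubject(Subject carried, String... roles) {
        for (String r : roles) carried.getPrincipals().add(new GroupPrincipal(r));
        return carried;
    }

    // Expected behaviour: each authentication yields a fresh Subject with only this login's groups.
    static Subject loginFreshSubject(String... roles) {
        return loginReusingSubject(new Subject(), roles);
    }

    // Names of all group principals on the Subject, in insertion order.
    static Set<String> groupNames(Subject s) {
        Set<String> names = new LinkedHashSet<>();
        for (GroupPrincipal g : s.getPrincipals(GroupPrincipal.class)) names.add(g.getName());
        return names;
    }

    // Check to run before authorizing a request: the caller's groups must equal exactly the
    // roles the realm assigned to that user, with nothing left over from an earlier caller.
    static boolean hasExactlyRoles(Subject s, Set<String> assignedRoles) {
        return groupNames(s).equals(assignedRoles);
    }

    public static void main(String[] args) {
        Subject carried = loginReusingSubject(new Subject(), "manager"); // first login, as "manager"
        Subject second = loginReusingSubject(carried, "user");           // second login, as "user"
        System.out.println(groupNames(second) + " -> " + hasExactlyRoles(second, Set.of("user")));
        Subject fresh = loginFreshSubject("user");                       // fresh Subject per login
        System.out.println(groupNames(fresh) + " -> " + hasExactlyRoles(fresh, Set.of("user")));
    }
}
```

The first line printed shows the accumulated role set the report describes, and the check fails for it; the second shows the per-login Subject passing the same check.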

