geronimo-dev mailing list archives

From "Ivan Dubrov (JIRA)" <...@geronimo.apache.org>
Subject [jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.
Date Mon, 11 Jul 2005 05:13:12 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Ivan Dubrov updated GERONIMO-677:
---------------------------------

    Attachment: test.zip

Here is the sample application. Steps to reproduce the behaviour:

1. Open two browsers.
2. Access localhost:8080/test/user from the first browser, enter credentials "user", "user". The page with debug information will be displayed.
3. Access localhost:8080/test/manager from the second browser, enter credentials "manager", "manager". The page with debug information will be displayed.

Note that in step 3 the debug information will contain both group principals - "user" and "manager". Also the second browser can now access both secured areas - /user and /manager, although it is authenticated as "manager".

Building: configure build.properties and run "ant".
Deploying: configure db_create.cmd and run it (it will create two tables, for users and groups, and populate them with sample data). Note that a Derby distribution is required (Derby tools are not included in the Geronimo assembly). Then deploy test.ear.

I have a Geronimo snapshot from 2005/06/30.

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Critical
>  Attachments: db_create.sql, geronimo-application.xml, test.zip
>
> Consider we have two users, "user" with role "user" and "manager" with role "manager", and two secured areas /user/* and /manager/*, so only "user"s can access pages with URL /user/* and only "manager"s can access pages with URL /manager/*.
> If we log in as "user", we can access only /user/* pages, "403 Forbidden" if we try to access /manager/* pages. It is OK.
> Now, if we clean the session (request.getSession().invalidate()), we will be logged out, so we cannot access /user/* nor /manager/* pages - the server redirects to the login page. It is OK.
> But if we log in a second time, as a "manager", we can access both page sets - /user/* and /manager/*! It means that the authenticated user owns both roles "user" and "manager", but this is an impossible combination!
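The failure mode reported above, that a second login after session invalidation ends up with the union of both users' roles, can be modelled with a small container simulation. The code below is an added illustration and is not Geronimo's security code; the root cause on the Geronimo side is not stated in the report, so the mechanism shown here (one Subject object reused and mutated across logins instead of a fresh Subject per login) is an assumption chosen to reproduce the observed symptom. The user table, URL constraints, session ids and the `BuggyContainer`/`FixedContainer` classes are all constructed for the example. `reproduce()` walks the reporter's steps (login as "user", check /user/* and /manager/*, invalidate, re-login as "manager") and returns the status each area yields for the second login, which is the regression check a deployer would want to keep after the fix.

```python
from dataclasses import dataclass, field

# Constructed sample data mirroring the report: two users, one role each,
# password equal to the user name as in the reproduction steps.
USERS = {"user": ("user", {"user"}), "manager": ("manager", {"manager"})}
# Constructed security constraints: URL prefix -> role allowed to access it.
CONSTRAINTS = {"/user/": "user", "/manager/": "manager"}


@dataclass
class Subject:
    """Authenticated identity plus the group/role principals attached to it."""
    name: str = ""
    roles: set = field(default_factory=set)


class BuggyContainer:
    """Hypothetical container that reuses one Subject object across logins.

    Because login() mutates the shared Subject, every later login inherits
    the principals of every earlier one, which is the symptom in the report.
    """

    def __init__(self):
        self._subject = Subject()   # shared across all logins (the defect)
        self._sessions = {}         # session id -> Subject bound to it

    def _subject_for_login(self):
        return self._subject        # reuse: principals accumulate

    def login(self, session_id, user, password):
        if user not in USERS or USERS[user][0] != password:
            raise PermissionError("bad credentials")
        subj = self._subject_for_login()
        subj.name = user
        subj.roles |= USERS[user][1]
        self._sessions[session_id] = subj

    def invalidate(self, session_id):
        # Equivalent of request.getSession().invalidate(): the session is
        # forgotten, but the (shared) Subject object is not reset.
        self._sessions.pop(session_id, None)

    def access(self, session_id, url):
        """Return an HTTP-style status code for url under the given session."""
        subj = self._sessions.get(session_id)
        if subj is None:
            return 302  # not logged in: redirect to the login page
        for prefix, role in CONSTRAINTS.items():
            if url.startswith(prefix):
                return 200 if role in subj.roles else 403
        return 200      # unconstrained URL


class FixedContainer(BuggyContainer):
    """Same container, but every login builds a fresh Subject."""

    def _subject_for_login(self):
        return Subject()


def reproduce(container_cls):
    """Run the reporter's steps and return the statuses seen by the second login."""
    c = container_cls()
    c.login("A", "user", "user")
    assert c.access("A", "/user/index") == 200      # "user" may see /user/*
    assert c.access("A", "/manager/index") == 403   # ... but not /manager/*
    c.invalidate("A")
    assert c.access("A", "/user/index") == 302      # logged out: redirect
    c.login("B", "manager", "manager")
    return {url: c.access("B", url) for url in ("/user/index", "/manager/index")}


def roles_carry_over(container_cls):
    """True if the second login can reach the first user's area (the bug)."""
    return reproduce(container_cls)["/user/index"] == 200


if __name__ == "__main__":
    print("buggy:", reproduce(BuggyContainer))   # both areas answer 200
    print("fixed:", reproduce(FixedContainer))   # /user/* answers 403
```

The check to keep is `roles_carry_over`: after a re-login the role set must equal exactly the new user's roles, so any 200 on the previous user's area is a regression.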
