[ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]
Ivan Dubrov updated GERONIMO-677:
---------------------------------
Component: security
(was: web)
Priority: Critical (was: Major)
The issue seems more critical than it was!
Even logging in a second time from a second browser (a completely separate request)
does not help; the second login gets both roles together - "user" and
"manager" - although it is an impossible case.
Here is the value of ContextManager.getCurrentCaller() (after the second login,
when I log in as a user after logging in as a manager in the other browser)
converted to string:
Subject:
Principal: user
Principal: manager
Principal: user
Principal:
SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal:user]
Principal:
SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:manager]
Principal:
SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:user]
Principal:
org.apache.geronimo.security.IdentificationPrincipal[[1120652737562:0xb464eb7d6d21b0ab9ba3afbac26621fd58598f54]]
The output is done with the following code in my JSP:
<%
javax.security.auth.Subject caller =
org.apache.geronimo.security.ContextManager.getCurrentCaller();
%><%=caller%>
Note that there are two GroupPrincipals - "user" and "manager". It seems that it
is incorrectly left over from the first login (although that was done from a
separate browser).
> Repeated login (after session invalidation) with different credentials
> results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
> Key: GERONIMO-677
> URL: http://issues.apache.org/jira/browse/GERONIMO-677
> Project: Geronimo
> Type: Bug
> Components: security
> Versions: 1.0-M4
> Reporter: Ivan Dubrov
> Priority: Critical
>
> Consider we have two users, "user" with role "user" and "manager" with role
> "manager", and two secured areas /user/* and /manager/*, so only "user" can
> access pages with URL /user/* and only "manager" can access pages with URL
> /manager/*.
> If we log in as "user", we can access only /user/* pages and get "403 Forbidden" if
> we try to access /manager/* pages. It is OK.
> Now, if we clean the session (request.getSession().invalidate()), we will be
> logged out, so we can access neither /user/* nor /manager/* pages - the server
> redirects to the login page. It is OK.
> But if we log in a second time, as "manager", we can access both page sets -
> /user/* and /manager/*! It means that the authenticated user owns both roles,
> "user" and "manager", but this is an impossible combination!
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
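The symptom reported above (a Subject that still carries the group principal of a previous login after the session was invalidated and a different user logged in) can be reproduced in plain JAAS whenever the same Subject object is handed to a second LoginContext, because LoginModule.commit() only adds principals. The following is an added example written against the standard javax.security.auth API; it is not Geronimo's code and does not claim this is the root cause in Geronimo 1.0-M4, which the report does not identify. The class names RoleLeakDemo, NamedPrincipal and DemoLoginModule, the configuration name "demo", the user-to-group table and the options-based login are all constructed for the illustration.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added illustration, not Geronimo code: reusing one Subject across two logins
// leaves the first login's group principal in place. Whether Geronimo's bug has
// this root cause is an assumption; the report only shows the symptom.
public class RoleLeakDemo {

    // Constructed user -> group table standing in for the report's "SomeRealm".
    static final Map<String, String> GROUP_OF = Map.of("user", "user", "manager", "manager");

    // Minimal principal type (hypothetical; not GeronimoUserPrincipal/GeronimoGroupPrincipal).
    public static final class NamedPrincipal implements Principal {
        private final String kind, name;
        NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getKind() { return kind; }
        @Override public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
        @Override public boolean equals(Object o) {
            if (!(o instanceof NamedPrincipal)) return false;
            NamedPrincipal p = (NamedPrincipal) o;
            return p.kind.equals(kind) && p.name.equals(name);
        }
        @Override public int hashCode() { return kind.hashCode() * 31 + name.hashCode(); }
    }

    // Hypothetical LoginModule: the user name comes from the module options, so no
    // CallbackHandler is needed (a null handler is legal for LoginContext).
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private String user;
        private boolean authenticated;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.user = (String) options.get("user");
        }
        @Override public boolean login() throws LoginException {
            if (!GROUP_OF.containsKey(user)) throw new FailedLoginException("unknown user: " + user);
            authenticated = true;
            return true;
        }
        @Override public boolean commit() {
            if (!authenticated) return false;
            // commit() ADDS to whatever principals the Subject already holds.
            subject.getPrincipals().add(new NamedPrincipal("User", user));
            subject.getPrincipals().add(new NamedPrincipal("Group", GROUP_OF.get(user)));
            return true;
        }
        @Override public boolean abort() { authenticated = false; return true; }
        @Override public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof NamedPrincipal);
            return true;
        }
    }

    // Programmatic JAAS configuration so the example runs without a login.config file.
    static Configuration configFor(String user) {
        AppConfigurationEntry entry = new AppConfigurationEntry(
            DemoLoginModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            Map.of("user", user));
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // The check to run after a re-login: which group principals does the caller hold?
    static Set<String> groupNames(Subject s) {
        Set<String> out = new TreeSet<>();
        for (NamedPrincipal p : s.getPrincipals(NamedPrincipal.class)) {
            if (p.getKind().equals("Group")) out.add(p.getName());
        }
        return out;
    }

    public static void main(String[] args) throws LoginException {
        // Leaky pattern: the Subject from the first login outlives "session invalidation"
        // and is handed to the second LoginContext, so both group principals remain.
        Subject reused = new Subject();
        new LoginContext("demo", reused, null, configFor("user")).login();
        new LoginContext("demo", reused, null, configFor("manager")).login();
        System.out.println("reused Subject groups: " + groupNames(reused));

        // Correct pattern: logout() the old context when the session is invalidated
        // and start the second login with a fresh Subject.
        Subject first = new Subject();
        LoginContext lc = new LoginContext("demo", first, null, configFor("user"));
        lc.login();
        lc.logout();
        Subject second = new Subject();
        new LoginContext("demo", second, null, configFor("manager")).login();
        System.out.println("fresh Subject groups:  " + groupNames(second));
    }
}
```

Run with a Java 9 or later JDK (Map.of); no SecurityManager is assumed. The reused Subject ends up holding both group principals, which is exactly the "user" plus "manager" set the report shows, while the Subject created for the second login holds only "manager". The practical check in a container is therefore to dump the caller Subject after re-login, as the JSP scriptlet above does, and verify that no principal of the previous user survives; the fix on the container side is to drop or logout() the old Subject on session invalidation rather than hand it to the next login.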