[ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Ivan Dubrov updated GERONIMO-677:
---------------------------------

    Attachment: test.zip

Here is the sample application. Steps to reproduce the behaviour:

1. Open two browsers
2. Access localhost:8080/test/user from first browser, enter credentials 
"user", "user". The page with debug information will be displayed.
3. Access localhost:8080/test/manager from second browser, enter credentials 
"manager", "manager". The page with debug information will be displayed.

Note that in step 3 the debug information will contain both group principals - 
"user" and "manager". Also the second browser now can access both secured areas 
- /user and /manager, although it is authenticated as "manager".

Building: configure build.properties and run "ant"
Deploying: Configure db_create.cmd, run it (it will create two tables, for users 
and groups, and populate with sample data). Note that Derby distribution is 
required (Derby tools are not included in the Geronimo assembly). Then deploy 
test.ear.

I have a Geronimo snapshot from 2005/06/30.

> Repeated login (after session invalidation) with different credentials 
> results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Critical
>  Attachments: db_create.sql, geronimo-application.xml, test.zip
>
> Consider we have two users, "user" with role "user" and "manager" with role 
> "manager", and two secured areas /user/* and /manager/*, so only "user"s can 
> access pages with URL /user/* and only "manager"s can access pages with URL 
> /manager/*.
> If we log in as "user", we can access only /user/* pages, and get "403 Forbidden" 
> if we try to access /manager/* pages. That is OK. 
> Now, if we clean the session (request.getSession().invalidate()), we will be 
> logged out, so we cannot access either /user/* or /manager/* pages - the server 
> redirects to the login page. That is OK.
> But if we log in a second time, as "manager", we can access both page sets - 
> /user/* and /manager/*! It means that the authenticated user owns both roles 
> "user" and "manager", but this is an impossible combination!
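The following is an added, stand-alone model of the behaviour described in this issue; it is not Geronimo's code and does not claim to be the actual cause. It assumes a JAAS-style authenticator and contrasts one plausible defect (a Subject that is kept across session invalidation and only ever gains principals) with the expected behaviour (a fresh Subject per successful login), replaying the report's login/invalidate/login sequence against both. All class names and the user store are constructed for the example.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

// Stand-alone model of the reported behaviour (example code, not Geronimo's own).
public class RoleAccumulationDemo {
    // Group principal, like the group principals the report's debug page lists.
    record GroupPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    // Constructed user store: login name -> granted role, as in the report.
    static final Map<String, String> ROLE_OF = Map.of("user", "user", "manager", "manager");
    interface Authenticator {
        Subject login(String name);   // successful login (password check omitted)
        void invalidateSession();     // request.getSession().invalidate()
    }
    // Hypothetical defect: one Subject lives for the whole connection and survives
    // invalidate(), so a second login only ADDS principals and roles accumulate.
    static class StickySubjectAuthenticator implements Authenticator {
        private final Subject shared = new Subject();
        public Subject login(String name) {
            shared.getPrincipals().add(new GroupPrincipal(ROLE_OF.get(name)));
            return shared;
        }
        public void invalidateSession() { /* drops the HTTP session, keeps the Subject */ }
    }
    // Expected behaviour: every successful login starts from an empty Subject,
    // so the role set is exactly what the current credentials grant.
    static class FreshSubjectAuthenticator implements Authenticator {
        private Subject current;
        public Subject login(String name) {
            current = new Subject();
            current.getPrincipals().add(new GroupPrincipal(ROLE_OF.get(name)));
            return current;
        }
        public void invalidateSession() { current = null; }
    }
    // Replays the report: log in as "user", invalidate, log in as "manager",
    // then return the role names carried by the resulting Subject.
    static Set<String> rolesAfterRelogin(Authenticator auth) {
        auth.login("user");
        auth.invalidateSession();
        Subject s = auth.login("manager");
        Set<String> roles = new TreeSet<>();
        for (Principal p : s.getPrincipals()) roles.add(p.getName());
        return roles;
    }
    public static void main(String[] args) {
        System.out.println("sticky subject: " + rolesAfterRelogin(new StickySubjectAuthenticator()));
        System.out.println("fresh subject:  " + rolesAfterRelogin(new FreshSubjectAuthenticator()));
    }
}
```

The same replay, run against a real deployment, makes a useful regression test: after the second login the role set must contain only the role granted by the second set of credentials.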
