[ http://issues.apache.org/jira/browse/GERONIMO-677?page=comments#action_12317099 ]
David Jencks commented on GERONIMO-677:
---------------------------------------

Added a simple test, refurbished MultipleLoginDomains test

M4:
Sending modules/security/src/test/org/apache/geronimo/security/jaas/MultipleLoginDomainTest.java
Adding modules/security/src/test/org/apache/geronimo/security/jaas/NoLoginModuleReuseTest.java
Transmitting file data ..
Committed revision 225798.

M5:
Sending modules/security/src/test/org/apache/geronimo/security/jaas/MultipleLoginDomainTest.java
Adding modules/security/src/test/org/apache/geronimo/security/jaas/NoLoginModuleReuseTest.java
Transmitting file data ..
Committed revision 225801.

> Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED
> -------------------------------------------------------------------------------------------------------------------------------------
>
> Key: GERONIMO-677
> URL: http://issues.apache.org/jira/browse/GERONIMO-677
> Project: Geronimo
> Type: Bug
> Components: security
> Versions: 1.0-M4
> Reporter: Ivan Dubrov
> Assignee: David Jencks
> Priority: Blocker
> Fix For: 1.0-M4, 1.0-M5
> Attachments: db_create.sql, geronimo-application.xml, my-changes.patch, test.zip
>
> Consider we have two users, "user" with role "user" and "manager" with role "manager", and two secured areas /user/* and /manager/*, so only "user"s can access pages with URL /user/* and only "manager"s can access pages with URL /manager/*.
> If we log in as "user", we can access only /user/* pages, "403 Forbidden" if we try to access /manager/* pages. It is OK.
> Now, if we clean the session (request.getSession().invalidate()), we will be logged out, so we can access neither /user/* nor /manager/* pages - the server redirects to the login page. It is OK.
> But if we log in a second time, as a "manager", we can access both page sets - /user/* and /manager/*! It means that the authenticated user owns both roles "user" and "manager", but this is an impossible combination!

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
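The role leak the report describes, shown as an added Java example that is not Geronimo code and not part of this issue: a constructed JAAS LoginModule that keeps its principals in an instance field is driven through two logins on the same instance with no logout() in between (the HttpSession was invalidated, the module instance was not), next to a variant that clears that state in initialize(). Class, user and role names are constructed; it assumes Java 16 or later.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class LoginModuleReuseDemo {
    // Constructed role principal; a record supplies equals/hashCode for the Subject's principal set.
    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }

    // Constructed LoginModule mapping a user name to one role. Its per-login state lives in an
    // instance field, which is what leaks when a container reuses the instance for another login.
    static final class RoleLoginModule implements LoginModule {
        private static final Map<String, String> USER_TO_ROLE = Map.of("user", "user", "manager", "manager");
        private final boolean clearOnInitialize;              // hardened variant resets state on every initialize()
        private final Set<Principal> principals = new HashSet<>();
        private Subject subject; private CallbackHandler handler;
        RoleLoginModule(boolean clearOnInitialize) { this.clearOnInitialize = clearOnInitialize; }

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
            if (clearOnInitialize) principals.clear();      // mitigation: never trust leftover state
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            try { handler.handle(new Callback[]{nc}); } catch (Exception e) { throw new LoginException(e.getMessage()); }
            String role = USER_TO_ROLE.get(nc.getName());
            if (role == null) throw new FailedLoginException("unknown user");
            principals.add(new RolePrincipal(role));
            return true;
        }
        public boolean commit() { subject.getPrincipals().addAll(principals); return true; }
        public boolean abort() { principals.clear(); return true; }
        public boolean logout() { subject.getPrincipals().removeAll(principals); principals.clear(); return true; }
    }
    static CallbackHandler userNamed(String name) {
        return cbs -> { for (Callback c : cbs) if (c instanceof NameCallback n) n.setName(name); };
    }
    // One module instance, two logins, no logout() in between; returns the second user's principals.
    static Set<Principal> rolesAfterSecondLogin(boolean hardened) throws LoginException {
        RoleLoginModule reused = new RoleLoginModule(hardened);
        reused.initialize(new Subject(), userNamed("user"), Map.of(), Map.of());
        reused.login(); reused.commit();
        Subject second = new Subject();                       // session invalidated: fresh Subject, same module
        reused.initialize(second, userNamed("manager"), Map.of(), Map.of());
        reused.login(); reused.commit();
        return second.getPrincipals();
    }
    public static void main(String[] args) throws LoginException {
        System.out.println("buggy: " + rolesAfterSecondLogin(false) + "  hardened: " + rolesAfterSecondLogin(true));
    }
}
```

With the buggy variant the second Subject carries both roles, which is the "impossible combination" in the report; a NoLoginModuleReuse-style test would assert that each login sees exactly one role.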