Hello Joachim,

I had the same problem. My solution was to invalidate the session on
logout.
From my experience the problem shows up if you switch your login without
leaving your browser. Then the session cookie still exists after logout.
What I think happens is that the session still exists, Tomcat does not
generate a new one, and so you get a mixture of your old session and the
new one ....

It's a minor security bug, because most people do not really share their
computer. It's only a problem if you call a Turbine application from an
Internet cafe, and the next guy logs into the same application you called
...

My solution was to add those two lines to the LogoutAction.doPerform
method:

// Drop the whole server-side session, not just the user object, so nothing
// from the previous login (including the cached ACL) survives logout.
HttpSession hSession = data.getSession();
hSession.invalidate();

Regards

  Uwe



From: Joachim Draeger <[EMAIL PROTECTED]>
Date: 03.02.2005 12:31
To: Turbine Users List <[email protected]>
Cc:
Please reply to: "Turbine Users List" <[EMAIL PROTECTED]arta.apache.org>
Subject: invoking LoginUser twice doesn't change ACL

Hello,

I've set up Turbine 2.3.1.

When I login and then go back to the login form without logging out, and
login as another user, the username changes, but the ACL remains the same!

Is it a bug or a feature? :-)

To work around I did the following:

------------------------------------
package org.apache.turbine.app.M.modules.actions;

import org.apache.turbine.modules.actions.LogoutUser;
import org.apache.turbine.util.RunData;
import org.apache.turbine.util.security.TurbineSecurityException;

// Overrides the stock LoginUser action so that every login is preceded by a
// full logout; otherwise the ACL of the previously logged-in user is kept.
public class LoginUser extends
org.apache.turbine.modules.actions.LoginUser {
    public void doPerform(RunData data) throws TurbineSecurityException {
        // Log the current user out first to clear the old state.
        LogoutUser logout = new LogoutUser();
        logout.doPerform(data);
        // LogoutUser sets a message; clear it so only the login result is shown.
        data.setMessage("");
        // Now perform the normal login for the new user.
        super.doPerform(data);
    }
}
-------------------------------------

Just invoking data.setACL(null) before logging in didn't help!

regards,

Joachim




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
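Both messages above arrive at the same underlying fix: the previous HttpSession must be invalidated, not merely have individual attributes cleared, or state set for the first user (the ACL in Joachim's case) is still reachable after a second user logs in through the same browser. The following servlet pair is an added example, not code from this thread or from Turbine, showing that pattern on the plain servlet API that Turbine's RunData.getSession() exposes: on login the old session is invalidated and a fresh one with a new id is created before any user state is stored, and on logout the session is invalidated outright. The servlet class names, the authenticate() and loadAcl() placeholders, the parameter names and the /login.html redirect target are all assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Login servlet that rotates the session on every successful login and
 * discards all state from the previous session (including any cached ACL),
 * so a second login in the same browser cannot inherit the first user's
 * authorisations. Hypothetical example; not Turbine code.
 */
public class RotatingLoginServlet extends HttpServlet {

    // Placeholder for the application's real credential check (assumption).
    private boolean authenticate(String user, String password) {
        return user != null && password != null && !user.isEmpty();
    }

    // Placeholder for the application's real ACL lookup (assumption).
    private Object loadAcl(String user) {
        return "acl-for-" + user;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (!authenticate(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Step 1: if a session already exists (an earlier login in this browser,
        // or a pre-login session), invalidate it. Every attribute the previous
        // user set, such as a cached ACL, is dropped with it. Clearing single
        // attributes, e.g. setting the ACL to null, is not enough if any other
        // code path repopulates them from the surviving session.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // Step 2: create a fresh session. The container issues a new session id
        // and cookie, so the old cookie value no longer maps to any state.
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("username", user);
        fresh.setAttribute("acl", loadAcl(user));

        resp.setContentType("text/plain");
        resp.getWriter().println("logged in as " + user
                + " (session " + fresh.getId() + ")");
    }
}

/**
 * Logout servlet: the whole session is invalidated, which is what the
 * two-line LogoutAction fix in the reply above does via RunData.getSession().
 */
class InvalidatingLogoutServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Redirect target is an assumption for the example.
        resp.sendRedirect(req.getContextPath() + "/login.html");
    }
}
```

Map the two servlets in web.xml (or with @WebServlet on Servlet 3.0+), build against the servlet API jar of your container, and verify with a browser that the JSESSIONID cookie value changes across a login and that a second login as a different user no longer sees attributes from the first. On Servlet 3.1 or newer containers, HttpServletRequest.changeSessionId() can rotate the id while keeping attributes; for the problem in this thread, where the old attributes themselves are the issue, invalidating and starting a new session is the safer choice.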