Posted to jetspeed-user@portals.apache.org by Srinivasan Krish <sr...@yahoo.com> on 2002/10/13 00:20:48 UTC
Security hole in SessionValidation??
Hi,
I am using Jetspeed 1.3.1b. This seems to be a security hole: one can see other users' portlets just by forming a URL, without knowing the password.
One of the portlets for user 'turbine' is HelloVelocity, which shows a 'Hello' message for the text given in this portlet's textbox.
If I give the following URL (taken from the HelloVelocity portlet's FORM tag) directly in the browser's URL bar, I am able to see all of the portlets of the 'turbine' user (but without the Min., Max., Close... controls). The HelloVelocity portlet also displays the text that I specified in the URL.
This is happening even after I:
- logged out of the Turbine user session,
- opened a new browser instance,
- restarted the Webserver.
http://localhost:8080/jetspeed/portal/user/turbine/page/default.psml/template/Home?text=Srini&eventSubmit_doUpdate=Update
When I log in as user 'turbine' properly, I am able to see the Hello message with the text that was given earlier in the URL directly.
When I walk through Jetspeed's 'TemplateSessionValidator' class, I see the following lines in the doPerform() method:
    // ...
    // The user may have not logged in, so create a "guest" user.
    if ( data.getUser() == null)
    {
        data.setUser(JetspeedSecurity.getAnonymousUser());
        data.save();
    }
    // ...
So I guess user turbine's portlets are executed as the Anonymous user (this may be the reason for showing portlets without any controls).
Any solution to fix this problem?
Thanks in Advance,
Srini.K
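An added illustration, not Jetspeed's code and not from the poster: a standalone check in plain Java that keeps the anonymous fallback quoted above but also refuses to serve a /portal/user/<name>/ page unless the session user is that name. The class, method names and the anonymous user name "anon" are assumptions; only the URL shape comes from the post.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical owner check for per-user profile paths (not a Jetspeed API).
public class ProfileOwnerCheck {
    // Assumed name of the anonymous/guest user.
    static final String ANONYMOUS = "anon";
    // Matches the /portal/user/<name>/ segment of a Jetspeed profile URL.
    private static final Pattern USER_PATH = Pattern.compile("/portal/user/([^/]+)/");

    /** Returns the user named in the request path, if it is a per-user profile. */
    static Optional<String> requestedProfileUser(String path) {
        Matcher m = USER_PATH.matcher(path);
        return m.find() ? Optional.of(m.group(1)) : Optional.empty();
    }

    /** Same fallback as the quoted validator: no session user means anonymous. */
    static String effectiveUser(String sessionUser) {
        return sessionUser == null ? ANONYMOUS : sessionUser;
    }

    /** True only if the effective user owns the profile the path asks for. */
    static boolean isAllowed(String sessionUser, String path) {
        String user = effectiveUser(sessionUser);
        Optional<String> owner = requestedProfileUser(path);
        // A path that names no user (e.g. the anonymous portal page) is fine.
        if (!owner.isPresent()) {
            return true;
        }
        // Anonymous or any other user asking for 'turbine' pages is refused.
        return owner.get().equals(user);
    }

    public static void main(String[] args) {
        // Path and query from the URL in the post (host omitted).
        String url = "/jetspeed/portal/user/turbine/page/default.psml/template/Home"
                   + "?text=Srini&eventSubmit_doUpdate=Update";
        System.out.println(isAllowed(null, url));       // false: anonymous session
        System.out.println(isAllowed("alice", url));    // false: different user
        System.out.println(isAllowed("turbine", url));  // true: owner
        System.out.println(isAllowed(null, "/jetspeed/portal"));  // true: no user in path
    }
}
```

The same rule would apply before dispatching eventSubmit_* actions, so that a form event carried in the URL is not executed under the anonymous user against another user's portlet.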