Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <de...@geronimo.apache.org> on 2005/07/28 07:26:18 UTC
[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED
[ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]
David Jencks updated GERONIMO-677:
----------------------------------
Summary: Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED (was: Repeated login (after session invalidation) with different credentials results in incorrect role set.)
Fix Version: 1.0-M4
Priority: Blocker (was: Critical)
If Kevin's analysis is correct, login modules are being reused. This is a very serious problem that must be fixed for M4.
> Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: GERONIMO-677
> URL: http://issues.apache.org/jira/browse/GERONIMO-677
> Project: Geronimo
> Type: Bug
> Components: security
> Versions: 1.0-M4
> Reporter: Ivan Dubrov
> Assignee: David Jencks
> Priority: Blocker
> Fix For: 1.0-M4, 1.0-M5
> Attachments: db_create.sql, geronimo-application.xml, my-changes.patch, test.zip
>
> Consider we have two users, "user" with role "user" and "manager" with role "manager", and two secured areas, /user/* and /manager/*, so that only "user" can access pages with URL /user/* and only "manager" can access pages with URL /manager/*.
> If we log in as "user", we can access only /user/* pages, and get "403 Forbidden" if we try to access /manager/* pages. It is OK.
> Now, if we clean the session (request.getSession().invalidate()), we will be logged out, so we cannot access /user/* or /manager/* pages; the server redirects to the login page. It is OK.
> But if we log in a second time, as "manager", we can access both page sets, /user/* and /manager/*! It means that the authenticated user owns both roles "user" and "manager", but this is an impossible combination!
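An added illustration of the failure mode the report describes; it is not Geronimo's code and not the patch attached to this issue. A JAAS LoginModule that keeps its collected principals in an instance field and is then reused across two LoginContexts carries the first user's role into the second Subject unless logout()/abort() discard that state: with the state kept, the second login ends up with both "manager" and "user", with the state cleared it gets "manager" only. The RolePrincipal class, the StatefulModule class and the user-to-role table are constructed for this demo (Java 16+).

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ReusedModuleDemo {
    // Constructed user -> role table standing in for the report's two users.
    static final Map<String, String> ROLES = Map.of("user", "user", "manager", "manager");
    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
    // Hypothetical module. The defect: 'pending' lives in the instance and survives
    // logout(), so if the container reuses the instance, old roles reach the next Subject.
    static class StatefulModule implements LoginModule {
        private final boolean clearState;            // true = apply the fix
        private final Set<Principal> pending = new HashSet<>();
        private Subject subject; private CallbackHandler handler;
        StatefulModule(boolean clearState) { this.clearState = clearState; }
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            try { handler.handle(new Callback[] { nc }); } catch (Exception e) { throw new LoginException(e.toString()); }
            String role = ROLES.get(nc.getName());
            if (role == null) throw new LoginException("unknown user " + nc.getName());
            pending.add(new RolePrincipal(role));
            return true;
        }
        public boolean commit() { subject.getPrincipals().addAll(pending); return true; }
        public boolean abort()  { if (clearState) pending.clear(); return true; }
        public boolean logout() { subject.getPrincipals().clear(); if (clearState) pending.clear(); return true; }
    }
    // Drive ONE module instance through login/commit/logout for two users, as a container that wrongly reuses modules would.
    static Set<String> rolesAfterRelogin(LoginModule module, String first, String second) throws LoginException {
        Set<String> roles = new TreeSet<>();
        for (String name : List.of(first, second)) {
            Subject subject = new Subject();
            module.initialize(subject, cbs -> ((NameCallback) cbs[0]).setName(name), Map.of(), Map.of());
            module.login(); module.commit();
            roles.clear(); subject.getPrincipals().forEach(p -> roles.add(p.getName()));
            module.logout();
        }
        return roles;  // roles held by the Subject of the second login
    }
    public static void main(String[] args) throws LoginException {
        System.out.println("state kept:    " + rolesAfterRelogin(new StatefulModule(false), "user", "manager"));
        System.out.println("state cleared: " + rolesAfterRelogin(new StatefulModule(true), "user", "manager"));
    }
}
```

The same leak shows up whichever of the two fixes is chosen: either the container creates a fresh LoginModule per LoginContext, or every module drops its per-login state in both logout() and abort().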