Posted to dev@geronimo.apache.org by "Ivan Dubrov (JIRA)" <de...@geronimo.apache.org> on 2005/06/15 08:10:51 UTC

[jira] Created: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Repeated login (after session invalidation) with different credentials results in incorrect role set.
-----------------------------------------------------------------------------------------------------

         Key: GERONIMO-677
         URL: http://issues.apache.org/jira/browse/GERONIMO-677
     Project: Geronimo
        Type: Bug
  Components: web  
    Versions: 1.0-M4    
    Reporter: Ivan Dubrov


Consider we have two users, "user" with role "user" and "manager" with role "manager", and two secured areas /user/* and /manager/*, so only "user"s can access pages with URL /user/* and only "manager"s can access pages with URL /manager/*.

If we log in as "user", we can access only /user/* pages, and get "403 Forbidden" if we try to access /manager/* pages. It is OK.

Now, if we clean the session (request.getSession().invalidate()), we will be logged out, so we can access neither /user/* nor /manager/* pages - the server redirects to the login page. It is OK.

But if we log in a second time, as "manager", we can access both page sets - /user/* and /manager/*! It means that the authenticated user owns both roles "user" and "manager", but this is an impossible combination!

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Commented: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-677?page=comments#action_12315212 ] 

David Jencks commented on GERONIMO-677:
---------------------------------------

I'm not very clear on how sessions work, but I don't think invalidating a session logs you out.  Please let me know if I am wrong.

To analyze the Subject contents we would need to know your security configuration: both the login configuration and user >> principal assignments and your application security configuration with the principal >> role mapping.  It looks to me as if you might have the user "user" assigned to the groups "user" and "manager".

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Priority: Critical



[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "David Blevins (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

David Blevins updated GERONIMO-677:
-----------------------------------

    Fix Version:     (was: 1.0-M4)

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Critical
>      Fix For: 1.0-M5
>  Attachments: db_create.sql, geronimo-application.xml, test.zip


[jira] Commented: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-677?page=comments#action_12317030 ] 

David Jencks commented on GERONIMO-677:
---------------------------------------

Login modules were indeed being reused.  I think it is fixed in M4:
Sending        modules/security/src/java/org/apache/geronimo/security/jaas/JaasLoginModuleConfiguration.java
Sending        modules/security/src/java/org/apache/geronimo/security/jaas/JaasLoginService.java
Sending        modules/security/src/java/org/apache/geronimo/security/jaas/JaasSecurityContext.java
Sending        modules/security/src/test/org/apache/geronimo/security/jaas/MultipleLoginDomainTest.java
Transmitting file data ....
Committed revision 225726.

> Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED
> ------------------------------------------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Blocker
>      Fix For: 1.0-M4, 1.0-M5
>  Attachments: db_create.sql, geronimo-application.xml, my-changes.patch, test.zip


[jira] Commented: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-677?page=comments#action_12317099 ] 

David Jencks commented on GERONIMO-677:
---------------------------------------

Added a simple test, refurbished MultipleLoginDomains test
M4:
Sending        modules/security/src/test/org/apache/geronimo/security/jaas/MultipleLoginDomainTest.java
Adding         modules/security/src/test/org/apache/geronimo/security/jaas/NoLoginModuleReuseTest.java
Transmitting file data ..
Committed revision 225798.

M5:
Sending        modules/security/src/test/org/apache/geronimo/security/jaas/MultipleLoginDomainTest.java
Adding         modules/security/src/test/org/apache/geronimo/security/jaas/NoLoginModuleReuseTest.java
Transmitting file data ..
Committed revision 225801.

> Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED
> ------------------------------------------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Blocker
>      Fix For: 1.0-M4, 1.0-M5
>  Attachments: db_create.sql, geronimo-application.xml, my-changes.patch, test.zip


[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

David Jencks updated GERONIMO-677:
----------------------------------

    Fix Version: 1.0-M4
                 1.0-M5

If reproducible this is serious.

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Critical
>      Fix For: 1.0-M4, 1.0-M5
>  Attachments: db_create.sql, geronimo-application.xml, test.zip


[jira] Assigned: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

David Jencks reassigned GERONIMO-677:
-------------------------------------

    Assign To: David Jencks

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Critical
>  Attachments: db_create.sql, geronimo-application.xml


[jira] Commented: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "Ivan Dubrov (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-677?page=comments#action_12315215 ] 

Ivan Dubrov commented on GERONIMO-677:
--------------------------------------

>I'm not very clear on how sessions work, but I don't think invalidating a session logs you out. Please let me know if I am wrong. 

AFAIR, it should, but in this case it does not matter. I've tried to log in from completely separate browsers, IE and Firefox, so they don't have any shared state (cookies, etc.) - the same problem. The second login gets the group principal of the previous login (made from a separate browser).

>It looks to me as if you might have the user "user" assigned to the groups "user" and "manager".

Later I'll attach my configuration, but the disproof is very simple. If I log in as a regular user after a server restart, I will get only two principals - GeronimoGroupPrincipal("user") and GeronimoUserPrincipal("someusername"). I get two group principals only after a second login (e.g., log in as a regular user first, then as a manager, or vice versa).

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Priority: Critical



[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "Ivan Dubrov (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Ivan Dubrov updated GERONIMO-677:
---------------------------------

    Component: security
                   (was: web)
     Priority: Critical  (was: Major)

The issue seems more critical than it was!

Even logging in a second time from a second browser (a completely separate request) does not help; the second login gets both roles together - "user" and "manager", although it is an impossible case.

Here is the value of ContextManager.getCurrentCaller() (after the second login, when I log in as a user after logging in as a manager in the other browser) converted to string:

Subject: 
    Principal: user
    Principal: manager
    Principal: user
    Principal: SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal:user]
    Principal: SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:manager]
    Principal: SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:user]
    Principal: org.apache.geronimo.security.IdentificationPrincipal[[1120652737562:0xb464eb7d6d21b0ab9ba3afbac26621fd58598f54]]

The output is done with the following code in my JSP:
<%
javax.security.auth.Subject caller = org.apache.geronimo.security.ContextManager.getCurrentCaller();
%><%=caller%>

Note that there are two GroupPrincipals - "user" and "manager". It seems that it is incorrectly left over from the first login (although that was done from a separate browser).


> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Priority: Critical



[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

David Jencks updated GERONIMO-677:
----------------------------------

        Summary: Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED  (was: Repeated login (after session invalidation) with different credentials results in incorrect role set.)
    Fix Version: 1.0-M4
       Priority: Blocker  (was: Critical)

If Kevan's analysis is correct, login modules are being reused.  This is a very serious problem that must be fixed for M4.

> Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED
> ------------------------------------------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Blocker
>      Fix For: 1.0-M4, 1.0-M5
>  Attachments: db_create.sql, geronimo-application.xml, my-changes.patch, test.zip


[jira] Commented: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-677?page=comments#action_12317033 ] 

David Jencks commented on GERONIMO-677:
---------------------------------------

applied to M5:
Sending        modules/security/src/java/org/apache/geronimo/security/jaas/JaasLoginModuleConfiguration.java
Sending        modules/security/src/java/org/apache/geronimo/security/jaas/JaasLoginService.java
Sending        modules/security/src/java/org/apache/geronimo/security/jaas/JaasSecurityContext.java
Sending        modules/security/src/test/org/apache/geronimo/security/jaas/MultipleLoginDomainTest.java
Transmitting file data ....
Committed revision 225728.

I'd appreciate it if Ivan (at least) could verify that this issue is fixed.  Thanks again for discovering it!!

> Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED
> ------------------------------------------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Blocker
>      Fix For: 1.0-M4, 1.0-M5
>  Attachments: db_create.sql, geronimo-application.xml, my-changes.patch, test.zip


[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "Ivan Dubrov (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Ivan Dubrov updated GERONIMO-677:
---------------------------------

    Attachment: test.zip

Here is the sample application. Steps to reproduce the behaviour:

1. Open two browsers
2. Access localhost:8080/test/user from first browser, enter credentials "user", "user". The page with debug information will be displayed.
3. Access localhost:8080/test/manager from second browser, enter credentials "manager", "manager". The page with debug information will be displayed.

Note that in step 3 the debug information will contain both group principals - "user" and "manager". Also, the second browser can now access both secured areas - /user and /manager, although it is authenticated as "manager".

Building: configure build.properties and run "ant"
Deploying: configure db_create.cmd and run it (it will create two tables, for users and groups, and populate them with sample data). Note that the Derby distribution is required (Derby tools are not included in the Geronimo assembly). Then deploy test.ear.

I have a Geronimo snapshot from 2005/06/30.

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Critical
>  Attachments: db_create.sql, geronimo-application.xml, test.zip


[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "Ivan Dubrov (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Ivan Dubrov updated GERONIMO-677:
---------------------------------

    Attachment: geronimo-application.xml
                db_create.sql

Here is the deployment plan for Geronimo and the database schema used in my application (some names are mangled a bit).

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Priority: Critical
>  Attachments: db_create.sql, geronimo-application.xml


[jira] Commented: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-677?page=comments#action_12315425 ] 

David Jencks commented on GERONIMO-677:
---------------------------------------

So far I haven't been able to reproduce this using the properties login module and a simple jsp page that prints the principals.  I wonder if you could try using the properties login module instead of sql login module, and whether you could supply the entire app that demonstrates this problem.

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Critical
>  Attachments: db_create.sql, geronimo-application.xml
>



[jira] Commented: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "Kevan Miller (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-677?page=comments#action_12317015 ] 

Kevan Miller commented on GERONIMO-677:
---------------------------------------

The problem lies in org.apache.geronimo.security.realm.providers.SQLLoginModule (that's why David wasn't able to reproduce using Properties File-based login).

SQLLoginModule.login() adds GroupPrincipals to a "groups" HashSet. The GroupPrincipals from "groups" are then retrieved from the HashSet during commit() processing and added to the Subject. The problem is that "groups" is never reset between logins. So, any new login will get all preceding GroupPrincipals for this LoginModule instance... 8-{ 

In Ivan's example, "user" logs in and the user principal is added to "groups". This user principal is added to the Subject during commit() processing. When "manager" logs in, the manager principal is added to "groups". When commit() is called both the "user" and "manager" principals are added to the Subject...

The following changes to SQLLoginModule would seem to address the problem:

Index: src/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java
===================================================================
--- src/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java	(revision 225640)
+++ src/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java	(working copy)
@@ -170,12 +170,15 @@
             principals.add(iter.next());
         }
 
+        groups.clear();
+
         return true;
     }
 
     public boolean abort() throws LoginException {
         cbUsername = null;
         cbPassword = null;
+        groups.clear();
 
         return true;
     }
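Review bot: the hunk clears `groups` only in commit() and abort(), not in logout(), which the comment below already flags as suspect; a defensive `groups.clear()` at the start of login() would also cover a LoginModule instance whose previous cycle ended without commit() or abort() being called, so stale GroupPrincipals can never reach the next Subject.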

Note that this is simply addressing the problem at hand. I'm not familiar with JAAS. So, it's possible that I don't fully grok (e.g. perhaps the same LoginModule shouldn't be invoked for these separate logins, or groups should be cleared at some other time, etc.). Also, I'm not at all convinced that SQLLoginModule is behaving properly wrt logout(). I'm certain that it's not very efficient (e.g. iterating over all users during login()). Ah, I see this inefficiency is listed as a "Future Change" in the Security section of the Wiki (http://wiki.apache.org/geronimo/Security)

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Critical
>      Fix For: 1.0-M5
>  Attachments: db_create.sql, geronimo-application.xml, my-changes.patch, test.zip
>

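The state leak Kevan describes (a module-level "groups" set that survives from one login() / commit() cycle into the next) can be reproduced against the real JAAS LoginModule interface without a database. The following is an added example, not code from Geronimo or from the attached patch: a minimal module that keeps a scratch set across logins, beside a variant that clears it in commit() and abort() the way the patch does. The user-to-group table, the GroupPrincipal class and the setUsername() hook (standing in for SQLLoginModule's SQL queries and its NameCallback handling) are all constructed here for illustration.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class GroupLeakDemo {

    // Constructed user -> group table (assumption; stands in for the module's SQL lookups).
    static final Map<String, String> USER_GROUPS = Map.of("user", "user", "manager", "manager");

    // Constructed group principal; equality on the name so HashSet de-duplicates correctly.
    static final class GroupPrincipal implements Principal {
        private final String name;
        GroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof GroupPrincipal && ((GroupPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Mirrors the reported defect: "groups" lives on the module and is never reset. */
    static class LeakyModule implements LoginModule {
        protected final Set<Principal> groups = new HashSet<>();
        protected Subject subject;
        protected String username;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
        }

        // Test hook (assumption): a real module would obtain the name through a NameCallback.
        void setUsername(String username) { this.username = username; }

        public boolean login() throws LoginException {
            String group = USER_GROUPS.get(username);
            if (group == null) throw new LoginException("unknown user " + username);
            groups.add(new GroupPrincipal(group));   // accumulates across calls
            return true;
        }
        public boolean commit() {
            subject.getPrincipals().addAll(groups);  // every group ever seen lands in this Subject
            return true;
        }
        public boolean abort() { return true; }
        public boolean logout() {
            subject.getPrincipals().removeAll(groups);
            return true;
        }
    }

    /** Same module with the patch's approach: the scratch set is cleared in commit() and abort(). */
    static class FixedModule extends LeakyModule {
        @Override public boolean commit() {
            super.commit();
            groups.clear();
            return true;
        }
        @Override public boolean abort() {
            groups.clear();
            return true;
        }
    }

    /** Two login cycles on one module instance with a fresh Subject each time (the
     *  session-invalidation scenario); returns the group names on the second Subject. */
    static Set<String> groupsAfterSecondLogin(LeakyModule module, String first, String second)
            throws LoginException {
        module.initialize(new Subject(), null, Map.of(), Map.of());
        module.setUsername(first);
        module.login();
        module.commit();

        Subject secondSubject = new Subject();
        module.initialize(secondSubject, null, Map.of(), Map.of());
        module.setUsername(second);
        module.login();
        module.commit();

        Set<String> names = new TreeSet<>();
        for (Principal p : secondSubject.getPrincipals()) names.add(p.getName());
        return names;
    }

    public static void main(String[] args) throws LoginException {
        System.out.println("leaky: " + groupsAfterSecondLogin(new LeakyModule(), "user", "manager"));
        System.out.println("fixed: " + groupsAfterSecondLogin(new FixedModule(), "user", "manager"));
    }
}
```

Run with a JDK 9 or later (for Map.of). The leaky variant's second Subject carries both the "user" and the "manager" group, which is exactly the combined role set Ivan observed; the fixed variant's second Subject carries only "manager". The same harness is a convenient regression check for the real module: any LoginModule that is reused across login cycles should produce a Subject whose principals depend only on the credentials of the current cycle.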


[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Posted by "Kevan Miller (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Kevan Miller updated GERONIMO-677:
----------------------------------

    Attachment: my-changes.patch

> Repeated login (after session invalidation) with different credentials results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Assignee: David Jencks
>     Priority: Critical
>      Fix For: 1.0-M5
>  Attachments: db_create.sql, geronimo-application.xml, my-changes.patch, test.zip
>
