[jira] Commented: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Ivan Dubrov (JIRA) Wed, 06 Jul 2005 23:48:27 -0700

    [ 
http://issues.apache.org/jira/browse/GERONIMO-677?page=comments#action_12315215 
]


Ivan Dubrov commented on GERONIMO-677:
--------------------------------------

>I'm not very clear on how sessions work, but I don't think invalidating a 
>session logs you out. Please let me know if I am wrong. 

AFAIR, it should, but in this case it does not matter. I've tried to login from 
completely separate browsers IE and FireFox, so they don't have any shared 
state (cookies, etc) - the same problem. The second login gets group principal 
of previous login (made from separate browser).

>It looks to me as if you might have the user "user" assigned to the groups 
>"user" and "manager".

Later I'll attach my configuration, but the disproof is very simple. If I login 
as a regular user after server restart, I will get only two principals - 
GeronimoGroupPrincipal("user") and GeronimoUserPrincipal("someusername"). I get 
two group principals only after second login (e.g, login as a regular user 
first, then as a manager, or vice-versa).

> Repeated login (after session invalidation) with different credentials 
> results in incorrect role set.
> -----------------------------------------------------------------------------------------------------
>
>          Key: GERONIMO-677
>          URL: http://issues.apache.org/jira/browse/GERONIMO-677
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M4
>     Reporter: Ivan Dubrov
>     Priority: Critical

>
> Consider we have two users, "user" with role "user" and "manager" with role 
> "manager" and two secured areas /user/* and /manager/*, so only "user"'s can 
> access pages with URL /user/* and only "manager"'s can access pages with URL 
> /manager/*.
> If we log in as "user", we can access only /user/* pages, "403 Forbidden" if 
> we try to access /manager/* pages. It is OK. 
> Now, if we clean the session (request.getSession().invalidate()), we will be 
> logged out, so we cannot access nor /user/*, nor /manager/* pages - server 
> redirects to the login page. It is OK.
> But if we login second time, as a "manager", we can access both page sets - 
> /user/* and /manager/*! It means that authenticated user owns both roles 
> "user" and "manager", but this is impossible combination!

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

[jira] Commented: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.

Reply via email to