DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8830>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8830 Hole in Role based PSML/Security Summary: Hole in Role based PSML/Security Product: Jetspeed Version: 1.3a3-dev / CVS Platform: All OS/Version: All Status: NEW Severity: Major Priority: Other Component: Security AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] We are using Role based security and role based PSML and have found that user's can access unauthorized roles by specifying the role as a query parameter like this: http://servername/webappname/portal?Role=rolename Apparently the jetspeed security subsystem is looking for an HTTP post parameter named "Role" and if the parameter's value is a valid PSML role, it will display that role's portlets to the user. Even if that user does not have permission to that role via TURBINE_USER_GROUP_ROLE. This is a major security problem for us as we are using role based security and role based PSML to partition functional access. -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
