Weaver, Scott wrote:
> I have noticed in jetspeed (1.3a3) that a user can spoof another user's psml
> profile by copying a URL with psml information into the location bar. This
> is also possible when not logged in (as anon).
>

As Glenn said, this is due to the fact that security for portletsets/psml is not in place. There should not be a hardwired restriction here, but a proper security implementation. The version in tag Security_14 does not behave like this, and the current cvs version will not behave like this in the following days.
> Scenario:
>
> 1. User logs in as User_A.
> 2. User clicks a tab, then copies the URL:
>    <http://localhost:8080/jetspeed/portal/user/user_a/page/default.psml/js_pane/P-ee8a3d53d3-10048>
> 4. User then logs out as User_A.
> 5. Now the User (not logged in at all) copies the above url into the
>    browser. User_A's psml profile is now available to the Anon user.
>
> Portlets with security are restricted (good), however, all information that
> is not specifically secured is available. IMHO, there should be no way to
> access one user's psml profile from another or by anon. I have patched the
> problem and included it below.
>
> If this problem has already been addressed or if I'm totally off base,
> please let me know.
>
> Thanks,
> Scott
>
> Index: src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java
> ===================================================================
> RCS file: /home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java,v
> retrieving revision 1.4
> diff -u -r1.4 JetspeedAccessController.java
> --- src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java	14 May 2002 17:35:32 -0000	1.4
> +++ src/java/org/apache/jetspeed/modules/actions/JetspeedAccessController.java	24 Jun 2002 20:42:41 -0000
>@@ -94,6 +94,22 @@ > } > > // get the profile and store it in the RunData >+ >+ // This prevents one user from even seeing another's pane >+ String requestedUser = jdata.getParameters().getString("user","-1"); >+ String sessionUser = jdata.getUser().getUserName(); >+ // Prevent anon from accessing other panes >+ if(sessionUser == null && !requestedUser.equals(" -1")) >+ { >+ jdata.getParameters().remove("user"); >+ } >+ // Prevent one person from accessing another's pane >+ else if(!sessionUser.equalsIgnoreCase(requestedUser)) >+ { >+ jdata.getParameters().remove("user"); >+ jdata.getParameters().add("user",sessionUser); >+ } >+ > Profile newProfile = Profiler.getProfile(jdata); > Profile currentProfile = jdata.getProfile(); > > > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
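Review bot: in the anon branch, `requestedUser.equals(" -1")` compares against a literal with a leading space while the default passed to `getString("user","-1")` is `"-1"`, so the "no user parameter" condition never matches as written; the branch still fires for every anonymous request only because the comparison is false for any real value, and correcting the literal would send a null `sessionUser` into the `else if`, where `sessionUser.equalsIgnoreCase(requestedUser)` dereferences it. Suggest testing the session first and on its own: `if (sessionUser == null) { jdata.getParameters().remove("user"); } else if (!sessionUser.equalsIgnoreCase(requestedUser)) { ... }`. Note also that the `else if` rewrites every authenticated request that carried no `user` parameter at all (`requestedUser` still `"-1"`) to `user=<sessionUser>`; if that is intended, the comment above the block should say so rather than only "Prevent one person from accessing another's pane".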

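The check the report is asking for, written out as an added example (this is my code, not Jetspeed's and not Scott's patch; Python is used because it runs stand-alone here, the project itself is Java). It assumes the URL layout `/portal/user/<name>/page/<psml>/js_pane/<id>` inferred from the URL quoted above, parsed as Turbine-style key/value path-info pairs, that an unauthenticated session is represented as `None`, and that user names compare case-insensitively as in the patch. It tests the session before looking at the URL, so the anonymous case can never reach the name comparison, and it records cross-user attempts, which is the signal a detection engineer would want from this code path.

```python
# Added example, not Jetspeed code. Models the missing check from the report:
# the profile owner named in the URL must be the authenticated session user,
# and an anonymous session gets no user profile at all.
#
# Assumptions (mine, not from the report):
#   - URL layout /portal/user/<name>/page/<psml>/js_pane/<id>, inferred from
#     the example URL in the report and parsed as Turbine-style key/value
#     path-info pairs;
#   - an unauthenticated session is represented as session_user = None;
#   - user names compare case-insensitively, as in the proposed patch.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProfileRequest:
    owner: Optional[str]   # user named in the URL, None when absent
    page: Optional[str]
    pane: Optional[str]


@dataclass(frozen=True)
class Decision:
    serve: Optional[str]   # owner whose profile will be served; None = no user profile
    reason: str


def parse_profile_path(path: str) -> ProfileRequest:
    """Split '/portal/k1/v1/k2/v2/...' into key/value pairs (first key wins,
    so a repeated 'user' segment cannot override the first one)."""
    parts = [p for p in path.split("/") if p]
    if "portal" in parts:
        parts = parts[parts.index("portal") + 1:]
    pairs: Dict[str, str] = {}
    for i in range(0, len(parts) - 1, 2):
        pairs.setdefault(parts[i], parts[i + 1])
    return ProfileRequest(pairs.get("user"), pairs.get("page"), pairs.get("js_pane"))


def authorize_profile(session_user: Optional[str], req: ProfileRequest,
                      audit: List[str]) -> Decision:
    """Decide whose profile may be served. The session is checked first and on
    its own, so no sentinel string is needed and None is never dereferenced."""
    if session_user is None:
        if req.owner is not None:
            audit.append(f"anon requested profile of {req.owner!r}")
        return Decision(None, "anonymous session: no user profile")
    if req.owner is None:
        return Decision(session_user, "no owner in URL: serve own profile")
    if req.owner.lower() != session_user.lower():
        audit.append(f"{session_user!r} requested profile of {req.owner!r}")
        return Decision(session_user, "owner mismatch: serve own profile only")
    return Decision(session_user, "owner matches session user")


def handle(session_user: Optional[str], url_path: str, audit: List[str]) -> Decision:
    """Parse the path and authorize in one step, as a request filter would."""
    return authorize_profile(session_user, parse_profile_path(url_path), audit)


# Constructed replay of the report's scenario; the path is the one quoted above.
REPORT_URL = "/jetspeed/portal/user/user_a/page/default.psml/js_pane/P-ee8a3d53d3-10048"

if __name__ == "__main__":
    log: List[str] = []
    for who in ("user_a", "User_B", None):
        d = handle(who, REPORT_URL, log)
        print(f"{who!r:10} -> serve={d.serve!r} ({d.reason})")
    print("audit:", log)
```

Run as a script it replays the three cases from the report: the owner gets their own profile, a different logged-in user is redirected to their own profile and the attempt is logged, and the anonymous session gets no user profile at all.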