[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.
[ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Kevan Miller updated GERONIMO-677:

    Attachment: my-changes.patch

Repeated login (after session invalidation) with different credentials results in incorrect role set.

    Key: GERONIMO-677
    URL: http://issues.apache.org/jira/browse/GERONIMO-677
    Project: Geronimo
    Type: Bug
    Components: security
    Versions: 1.0-M4
    Reporter: Ivan Dubrov
    Assignee: David Jencks
    Priority: Critical
    Fix For: 1.0-M5
    Attachments: db_create.sql, geronimo-application.xml, my-changes.patch, test.zip

Consider two users, "user" with role user and "manager" with role manager, and two secured areas, /user/* and /manager/*, so that only users can access pages under /user/* and only managers can access pages under /manager/*. If we log in as user, we can access only the /user/* pages and get 403 Forbidden if we try to access /manager/* pages. That is OK. Now, if we clear the session (request.getSession().invalidate()), we are logged out, so we can access neither the /user/* nor the /manager/* pages; the server redirects to the login page. That is OK. But if we log in a second time, as manager, we can access both page sets, /user/* and /manager/*! That means the authenticated user holds both roles, user and manager, but this is an impossible combination!

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED
[ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

David Jencks updated GERONIMO-677:

    Summary: Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED
             (was: Repeated login (after session invalidation) with different credentials results in incorrect role set.)
    Fix Version: 1.0-M4
    Priority: Blocker (was: Critical)

If Kevin's analysis is correct, login modules are being reused. This is a very serious problem that must be fixed for M4.

    Key: GERONIMO-677
    URL: http://issues.apache.org/jira/browse/GERONIMO-677
    Project: Geronimo
    Type: Bug
    Components: security
    Versions: 1.0-M4
    Reporter: Ivan Dubrov
    Assignee: David Jencks
    Priority: Blocker
    Fix For: 1.0-M4, 1.0-M5
    Attachments: db_create.sql, geronimo-application.xml, my-changes.patch, test.zip
[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.
[ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

David Blevins updated GERONIMO-677:

    Fix Version: (was: 1.0-M4)

    Key: GERONIMO-677
    URL: http://issues.apache.org/jira/browse/GERONIMO-677
    Project: Geronimo
    Type: Bug
    Components: security
    Versions: 1.0-M4
    Reporter: Ivan Dubrov
    Assignee: David Jencks
    Priority: Critical
    Fix For: 1.0-M5
    Attachments: db_create.sql, geronimo-application.xml, test.zip
[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.
[ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

David Jencks updated GERONIMO-677:

    Fix Version: 1.0-M4, 1.0-M5

If reproducible, this is serious.

    Key: GERONIMO-677
    URL: http://issues.apache.org/jira/browse/GERONIMO-677
    Project: Geronimo
    Type: Bug
    Components: security
    Versions: 1.0-M4
    Reporter: Ivan Dubrov
    Assignee: David Jencks
    Priority: Critical
    Fix For: 1.0-M4, 1.0-M5
    Attachments: db_create.sql, geronimo-application.xml, test.zip
[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.
[ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Ivan Dubrov updated GERONIMO-677:

    Attachment: test.zip

Here is the sample application. Steps to reproduce the behaviour:

1. Open two browsers.
2. Access localhost:8080/test/user from the first browser and enter the credentials user, user. The page with debug information will be displayed.
3. Access localhost:8080/test/manager from the second browser and enter the credentials manager, manager. The page with debug information will be displayed.

Note that in step 3 the debug information will contain both group principals, user and manager. Also, the second browser can now access both secured areas, /user and /manager, although it is authenticated as manager.

Building: configure build.properties and run ant.

Deploying: configure db_create.cmd and run it (it will create two tables, for users and groups, and populate them with sample data). Note that a Derby distribution is required (the Derby tools are not included in the Geronimo assembly). Then deploy test.ear.

I have a Geronimo snapshot from 2005/06/30.

    Key: GERONIMO-677
    URL: http://issues.apache.org/jira/browse/GERONIMO-677
    Project: Geronimo
    Type: Bug
    Components: security
    Versions: 1.0-M4
    Reporter: Ivan Dubrov
    Assignee: David Jencks
    Priority: Critical
    Attachments: db_create.sql, geronimo-application.xml, test.zip
[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.
[ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Ivan Dubrov updated GERONIMO-677:

    Attachment: geronimo-application.xml, db_create.sql

Here is the deployment plan for Geronimo and the database schema used in my application (some names are mangled a bit).

    Key: GERONIMO-677
    URL: http://issues.apache.org/jira/browse/GERONIMO-677
    Project: Geronimo
    Type: Bug
    Components: security
    Versions: 1.0-M4
    Reporter: Ivan Dubrov
    Priority: Critical
    Attachments: db_create.sql, geronimo-application.xml
[jira] Updated: (GERONIMO-677) Repeated login (after session invalidation) with different credentials results in incorrect role set.
[ http://issues.apache.org/jira/browse/GERONIMO-677?page=all ]

Ivan Dubrov updated GERONIMO-677:

    Component: security (was: web)
    Priority: Critical (was: Major)

The issue seems more critical than it was! Even logging in a second time from a second browser (a completely separate request) does not help; the second login gets both roles together, user and manager, although that is an impossible case.

Here is the value of ContextManager.getCurrentCaller() (after the second login, when I log in as user after logging in as manager in the other browser) converted to a string:

    Subject:
        Principal: user
        Principal: manager
        Principal: user
        Principal: SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal:user]
        Principal: SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:manager]
        Principal: SomeRealm:[org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal:user]
        Principal: org.apache.geronimo.security.IdentificationPrincipal[[1120652737562:0xb464eb7d6d21b0ab9ba3afbac26621fd58598f54]]

The output is produced with the following code in my JSP:

    <% javax.security.auth.Subject caller = org.apache.geronimo.security.ContextManager.getCurrentCaller(); %>
    <%= caller %>

Note that there are two GroupPrincipals, user and manager. It seems that it is incorrectly left over from the first login (although that was done from a separate browser).

    Key: GERONIMO-677
    URL: http://issues.apache.org/jira/browse/GERONIMO-677
    Project: Geronimo
    Type: Bug
    Components: security
    Versions: 1.0-M4
    Reporter: Ivan Dubrov
    Priority: Critical
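A hypothetical JAAS LoginModule, added here as an example (it is neither Geronimo's code nor the reporter's test application), that reproduces the symptom David Jencks names above: when a container reuses one module instance for a second login, the principals collected during the first login carry over into the second Subject unless the module resets its state in initialize(). The class GroupLoginModule, its GroupPrincipal record, the USER_GROUP table and groupsAfterSecondLogin are all made up for this illustration, and it needs Java 16 or later.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical group-mapping LoginModule (example code, not Geronimo's).
public class GroupLoginModule implements LoginModule {
    // Constructed sample data, user name -> group, as in the bug report.
    static final Map<String, String> USER_GROUP = Map.of("user", "user", "manager", "manager");
    record GroupPrincipal(String name) implements Principal { public String getName() { return name; } }
    private final boolean resetOnInitialize;                 // the fix under test
    private final Set<Principal> groups = new HashSet<>();   // instance state that survives if the module is reused
    private Subject subject;
    private CallbackHandler handler;
    GroupLoginModule(boolean resetOnInitialize) { this.resetOnInitialize = resetOnInitialize; }

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
        if (resetOnInitialize) groups.clear();  // drop principals left over from an earlier login
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        try { handler.handle(new Callback[]{nc}); } catch (Exception e) { throw new LoginException(e.toString()); }
        String group = USER_GROUP.get(nc.getName());
        if (group == null) throw new FailedLoginException("unknown user " + nc.getName());
        groups.add(new GroupPrincipal(group));
        return true;
    }
    public boolean commit() { subject.getPrincipals().addAll(groups); return true; }
    public boolean abort()  { groups.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(groups); groups.clear(); return true; }

    // Simulates a container that reuses ONE module instance for two logins (user, then manager),
    // each with a fresh Subject, and returns the group names the second Subject ends up with.
    static Set<String> groupsAfterSecondLogin(GroupLoginModule module) throws LoginException {
        Subject subject = null;
        for (String name : List.of("user", "manager")) {
            subject = new Subject();
            module.initialize(subject, cb -> ((NameCallback) cb[0]).setName(name), Map.of(), Map.of());
            module.login(); module.commit();
        }
        return new TreeSet<>(subject.getPrincipals().stream().map(Principal::getName).toList());
    }
    public static void main(String[] args) throws LoginException {
        System.out.println("reused module, no reset: " + groupsAfterSecondLogin(new GroupLoginModule(false)));
        Set<String> fixed = groupsAfterSecondLogin(new GroupLoginModule(true));
        if (!fixed.equals(Set.of("manager"))) throw new AssertionError("principals leaked: " + fixed);
    }
}
```

With resetOnInitialize false the second Subject ends up holding both groups, user and manager, the same shape as the two GroupPrincipals in the dump above; with it true only manager remains, which is what the assertion in main checks and what a regression test for a fix of this class of bug should assert.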