Hi All,
While working on XX-7673, I found the following security issue:
1. log in user 200 / PIN 1234
2. log out user 200
3. log in superadmin, change PIN for user 200 to 1111
4. log in again with user 200 / PIN 1234 - this works even though the PIN was changed in the previous step.
Another scenario is to delete user 200 at step 3; step 4 will then result in a UI crash with a Hibernate exception.
This problem is due to the configured Acegi user cache, which keeps user details in memory for 2 minutes (when step 4 is executed the user details are not fetched from the database but are retrieved from the user cache).
I can see 2 ways to solve this:
- use a null user cache - that's it, no cache to be kept
- register a DAO listener that removes users from the cache when a user is deleted or saved
Personally, I vote for the 2nd one, since the cache might be useful.
Please share your thoughts,
Thanks,
George
_______________________________________________
sipx-dev mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
sipXecs IP PBX -- http://www.sipfoundry.org/
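Added example, not code from the mail above or from sipXconfig: a self-contained Java sketch of the stale-cache problem George describes and of his second fix. `MapUserCache` mirrors the three methods of Acegi's `UserCache` with a plain map standing in for the 2-minute EhCache; `DaoEventListener`, `login`, `save` and `delete` are hypothetical stand-ins for the sipXconfig components.

```java
import java.util.HashMap;
import java.util.Map;

public class UserCacheEviction {
    static final class UserDetails {
        final String name, pin;
        UserDetails(String name, String pin) { this.name = name; this.pin = pin; }
    }
    // Same three methods as Acegi's UserCache; a plain map stands in for the
    // 2-minute EhCache so the stale window is explicit instead of time-based.
    static final class MapUserCache {
        private final Map<String, UserDetails> m = new HashMap<>();
        UserDetails getUserFromCache(String u) { return m.get(u); }
        void putUserInCache(UserDetails d) { m.put(d.name, d); }
        void removeUserFromCache(String u) { m.remove(u); }
    }
    // Hypothetical stand-in for the DAO event listener proposed in the mail.
    interface DaoEventListener { void onSave(UserDetails u); void onDelete(UserDetails u); }

    static final Map<String, UserDetails> db = new HashMap<>(); // authoritative store
    static final MapUserCache cache = new MapUserCache();
    static DaoEventListener listener = null;                   // null = no eviction (current behaviour)

    // Cache-first lookup, as a caching DAO authentication provider does it.
    static boolean login(String name, String pin) {
        UserDetails u = cache.getUserFromCache(name);
        if (u == null && (u = db.get(name)) != null) cache.putUserInCache(u);
        return u != null && u.pin.equals(pin);
    }
    static void save(UserDetails u) { db.put(u.name, u); if (listener != null) listener.onSave(u); }
    static void delete(String name) { UserDetails u = db.remove(name); if (listener != null && u != null) listener.onDelete(u); }

    public static void main(String[] args) {
        save(new UserDetails("200", "1234"));
        System.out.println("step 1, login 200/1234: " + login("200", "1234"));
        save(new UserDetails("200", "1111"));                    // step 3: superadmin changes the PIN
        System.out.println("step 4, old PIN, stale cache entry: " + login("200", "1234"));
        // Fix 2: evict the cached entry whenever the user row is saved or deleted.
        listener = new DaoEventListener() {
            public void onSave(UserDetails u) { cache.removeUserFromCache(u.name); }
            public void onDelete(UserDetails u) { cache.removeUserFromCache(u.name); }
        };
        save(new UserDetails("200", "1111"));
        System.out.println("step 4 after eviction, old PIN: " + login("200", "1234"));
        delete("200");
        System.out.println("deleted user, after eviction: " + login("200", "1111"));
    }
}
```

Without the listener the second login still answers from the stale entry; with it, both the changed PIN and the deleted user go back to the database on the next login, which is the behaviour the first fix (a null user cache) gets by never caching at all.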