[jboss-user] [JBoss Seam] - Security flaw in Seam docs, section 12.3.2

waynebagguley do-not-reply at jboss.com
Wed Apr 4 09:38:18 EDT 2007


I've implemented my authenticator component as per the Seam docs (section 12.3.2) and have come across a security flaw that I thought people should know about, or maybe someone can point out what I've done wrong.

I have 2 user roles, 'admin' and 'user' and use these to determine which pages to show.

If I log in as admin and then go directly to the login page (without logging out) and log in as a normal 'user', then I get the 'admin' role as well as the ordinary 'user' role. Clearly the Identity instance is not getting cleared down anywhere; maybe this should be added to the example, or have I missed something out?



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4034559#4034559
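The behaviour described in the post follows from Identity being session scoped: roles added by one successful authenticate() stay on the session's subject, and a second login adds to them. Below is an added example, not code from the Seam docs or from the poster, showing an authenticator in the shape section 12.3.2 describes together with a guard that logs the existing session out before a new login is attempted. The component name, the pages.xml view-id, the package and the in-memory credential store are all assumptions made for the example; only Identity.instance(), isLoggedIn(), logout(), getUsername(), getPassword() and addRole() are Seam's own API.

```java
// Added example; not from the Seam reference docs or the original post.
// Package, component name and the credential store are assumptions.
package example.security;

import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Identity;

/**
 * Authenticator component. Seam's #{identity.login} invokes authenticate();
 * the submitted credentials are read from the session-scoped Identity.
 *
 * ensureLoggedOut() is meant to be wired as a page action on the login view
 * (assumed view-id) so that an already-authenticated session is dropped
 * before the login form is shown:
 *
 *   <page view-id="/login.xhtml" action="#{authenticator.ensureLoggedOut}"/>
 */
@Name("authenticator")
public class Authenticator {

    // Constructed stand-in for a real user store: username -> password, roles.
    // A real authenticator would compare a salted hash, not plain text.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    static {
        PASSWORDS.put("alice", "admin-secret");
        ROLES.put("alice", Arrays.asList("admin", "user"));
        PASSWORDS.put("bob", "user-secret");
        ROLES.put("bob", Arrays.asList("user"));
    }

    /**
     * Drop any existing login so the next authenticate() starts from an empty
     * role set. Without this, logging in as 'bob' on top of 'alice' leaves
     * hasRole("admin") true for bob.
     */
    public void ensureLoggedOut() {
        Identity identity = Identity.instance();
        if (identity.isLoggedIn()) {
            identity.logout();
        }
    }

    /**
     * Authenticate the credentials held by Identity and grant the user's roles.
     * Returns false to reject the attempt.
     */
    public boolean authenticate() {
        Identity identity = Identity.instance();

        // Defence in depth: refuse to layer a second login onto a live one.
        // The login page action above should already have cleared it; if the
        // login request arrives without passing through that page, reject it
        // rather than accumulate roles.
        if (identity.isLoggedIn()) {
            return false;
        }

        String username = identity.getUsername();
        String password = identity.getPassword();
        if (username == null || password == null) {
            return false;
        }

        String expected = PASSWORDS.get(username);
        if (expected == null || !expected.equals(password)) {
            return false;
        }

        // Grant only the roles belonging to this user; nothing from a prior
        // login survives, because the subject was dropped by logout().
        for (String role : ROLES.get(username)) {
            identity.addRole(role);
        }
        return true;
    }
}
```

To confirm the fix reproduces the poster's scenario: log in as alice, visit the login page, log in as bob, and check that #{identity.hasRole('admin')} now evaluates to false. One caveat worth knowing before adopting the page-action approach: in the Seam 1.x releases of that time, logout() also invalidates the HTTP session, so any conversation or session state held alongside Identity is lost when a logged-in user merely navigates to the login page.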