[seam-dev] DVD demo example configuration error

Jay Balunas jbalunas at redhat.com
Mon Feb 25 11:05:06 EST 2008


Hey All,

First - The Seam examples that are linked off of seamframework.org's "See 
Seam in Action..." section: where are they hosted? Where can I find 
more information on them (Seam version?, persistence config? etc...)? 
And how can we change/update them?

The main reason I ask is because it appears the DVD example is having 
some sort of persistence config issue.  Selecting "Start Shopping" 
throws a JDBC error.  A user reported it, but I thought I remember Pete 
saying that those demos were a little out of date.

Second - The user wanted to send me an email because he thought he saw a 
security issue (see below) where previous users information was 
displayed in one of the text fields.  I asked him to put a jira in and 
that we would look into it.  Does this sound familiar to anyone?

Thanks,
Jay

-------- Original Message --------
Subject: 	Re: Adam R. SeamFramework.org
Date: 	Mon, 25 Feb 2008 10:48:25 -0500
From: 	Jay Balunas <jbalunas at redhat.com>
To: 	A R <adamr_98 at yahoo.com>
References: 	<460081.70615.qm at web50906.mail.re2.yahoo.com>
Hi Adam,

Thanks for providing this information - I will take a look at the example.

But - if you could enter a jira with this information (and any other 
info about it) that would be great. That way this can be tracked and 
commented on.

When you say "other user sessions" do you mean other users that are 
currently logged in, or a user that you had previously been logged in 
as? If it is the latter - Does it appear that you are logged in as the 
user now and can access things as that user?

Thanks,
Jay

A R wrote:
> Adam R.  SeamFramework.org
>
> jbalunas at redhat.com
>
> Hi Jay,
>
> 	The on-line dvd store demo has some database
> configuration issues. 
>
> 	However, an apparent security related issue has been
> observed. 
>
> Nutshell description: The Username text input box in
> the Login panel displays information entered from
> other users’ sessions.
>
> 	I’ve been able to reproduce this observation on
> numerous attempts typically in less than five (5)
> minutes of “banging” on the application.
>
> 	At first I thought it was just browser caching and
> indeed anybody else will ignore it because they will
> see things like “User1”, “User2” etc. And make the
> assumption that it is the way the app is supposed to
> run because the instructions hint to that behavior.
>
> 	I am able to consistently duplicate a test that
> consists of visiting the site from a connection in San
> Jose California, and entering the Username “sanjose”.
> I’m then able to visit the site from a different
> connection, computer, and browser in Berkeley
> California and see “sanjose” in the Username field.
>
> 	I do not have a recipe for reproducing the result. My
> test consists of miscellaneous “banging” on the
> following few items (in no order):
>
> -Entering Username and then failing the app (Start
> Shopping).
> -Many fast reloads (sometimes around 50).
> -Clicking on the Login and/or Create Account buttons.
> -Multiple tabbed sessions.
>
> 	My personal concern is that, the above
> misconfiguration is not the reason for the security
> violation. It is however exposing an unexpected 
> failure mode that might otherwise be hidden. My
> recommendation is not to fix the configuration issues
> until this failure is understood.
>  
> Let me know if I can provide any additional
> information.
>
> Regards,
> AdamR.