[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3224) RememberMe autologin mode is broken

Shane Bryzak (JIRA) jira-events at lists.jboss.org
Wed Aug 27 08:28:38 EDT 2008


    [ https://jira.jboss.org/jira/browse/JBSEAM-3224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12426876#action_12426876 ] 

Shane Bryzak commented on JBSEAM-3224:
--------------------------------------

I've made the changes to RememberMe (and noticed another severe security issue in the meantime which I've fixed also). Could you please let me know if this fixes things for you in your own application? Don't worry too much about seamspace; it should probably be observing the org.jboss.seam.security.postAuthenticate event in the AuthenticationEvents component anyway (I'll look at this when I get a chance).

> RememberMe autologin mode is broken
> -----------------------------------
>
>                 Key: JBSEAM-3224
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3224
>             Project: Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.1.0.A1, 2.1.0.BETA1
>         Environment: Ubuntu 8.04, JBoss 4.2.2, JVM 1.6.0_04, Seam 2.1 trunk as of Aug 6th 2008.
>            Reporter: Stefano Travelli
>            Assignee: Shane Bryzak
>         Attachments: RunAsOperation.patch, Test_for_RunAsOperation_(JBSEAM-3224).patch
>
>
> Setting remember-me autologin mode doesn't work.
> To reproduce the problem:
>  - take the Seam Space example and apply the steps described in chapter 15.3.5.1 of the reference documentation.
>  - login with "Remember me" checked
>  - force the autologin mechanism by deleting the JSESSIONID cookie and clicking refresh on the browser.
> The following exception is logged:
> org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[seam.user,read]
> 	at org.jboss.seam.security.Identity.checkPermission(Identity.java:563)
> 	at org.jboss.seam.security.management.IdentityManager.isUserEnabled(IdentityManager.java:127)
> 	at org.jboss.seam.security.RememberMe$1.execute(RememberMe.java:282)
> 	at org.jboss.seam.security.Identity.runAs(Identity.java:711)
> 	at org.jboss.seam.security.RunAsOperation.run(RunAsOperation.java:84)
> 	at org.jboss.seam.security.RememberMe.quietLogin(RememberMe.java:278)
> The problem originates from what seems to me to be a typo in the RunAsOperation class constructor, where the 'systemOp' flag is never set to true, regardless of the value passed.
>    public RunAsOperation(boolean systemOp)
>    {
>       this();
>       systemOp = true;
>    }
> It should be:
>       this.systemOp = systemOp;

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
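The defect in the report is a Java parameter-shadowing mistake: inside the constructor, `systemOp` names the parameter, so `systemOp = true;` overwrites the argument and the field that `Identity.runAs` later consults is left at its default of `false`. The following is an added illustration, not Seam's code: a cut-down model of `RunAsOperation`, `Identity.runAs` and `Identity.checkPermission` with the constructor as reported beside the corrected one. The class and method names follow the stack trace above; the permission-set representation, the way `runAs` toggles the system flag, and the "seam.user"/"read" check performed by the operation body are assumptions made for the example.

```java
import java.util.HashSet;
import java.util.Set;

// Added example for JBSEAM-3224, not part of Seam: models why a "system"
// RunAsOperation still hits the permission check when the constructor writes
// to its parameter instead of the field.
public class RunAsDemo {

    /** Stand-in for org.jboss.seam.security.AuthorizationException. */
    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    /** Minimal stand-in for Identity: granted permissions plus runAs(). Bodies are assumed. */
    static class Identity {
        private final Set<String> granted = new HashSet<>();
        private boolean systemOp; // true only while a system operation executes

        void grant(String target, String action) { granted.add(target + ":" + action); }

        void checkPermission(String target, String action) {
            if (systemOp) return; // system operations bypass the permission check
            if (!granted.contains(target + ":" + action)) {
                throw new AuthorizationException(
                    "Authorization check failed for permission[" + target + "," + action + "]");
            }
        }

        void runAs(RunAsOperation op) {
            boolean previous = systemOp;
            systemOp = op.isSystemOperation(); // honours the operation's flag
            try {
                op.execute(this);
            } finally {
                systemOp = previous;
            }
        }
    }

    /** Base operation: the body models IdentityManager.isUserEnabled's read check. */
    abstract static class RunAsOperation {
        protected boolean systemOp; // the flag Identity.runAs consults

        boolean isSystemOperation() { return systemOp; }

        void execute(Identity identity) {
            identity.checkPermission("seam.user", "read");
        }
    }

    /** Constructor shape as reported: the parameter is assigned, the field never is. */
    static class BuggyRunAsOperation extends RunAsOperation {
        BuggyRunAsOperation(boolean systemOp) {
            systemOp = true; // writes to the parameter; this.systemOp stays false
        }
    }

    /** Constructor with the one-line fix proposed in the report. */
    static class FixedRunAsOperation extends RunAsOperation {
        FixedRunAsOperation(boolean systemOp) {
            this.systemOp = systemOp; // field receives the caller's value
        }
    }

    /** Runs the operation and reports whether the check was bypassed or failed. */
    static String attempt(Identity identity, RunAsOperation op) {
        try {
            identity.runAs(op);
            return "permission check bypassed, user lookup proceeds";
        } catch (AuthorizationException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Autologin runs before any user is authenticated, so nothing is granted yet.
        Identity notYetLoggedIn = new Identity();
        System.out.println("buggy constructor: "
            + attempt(notYetLoggedIn, new BuggyRunAsOperation(true)));
        System.out.println("fixed constructor: "
            + attempt(notYetLoggedIn, new FixedRunAsOperation(true)));
    }
}
```

Compiling and running this reproduces the shape of the failure in the report: the buggy path reports the `seam.user,read` authorization failure even though `true` was passed, while the fixed path bypasses the check. A compiler or IDE warning on assignment to a parameter would have caught this class of bug; using `this.` for every field write in constructors avoids it outright.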

        


