<div>
                    Thanks Anil.
                </div>
                <div><div><br></div><div><br></div><div><div>--&nbsp;</div><div>"The measure of a man is what he does with power" - Plato</div><div>-</div><div>@abstractj</div><div>-</div><div>Volenti Nihil Difficile</div></div></div>
                 
                <p style="color: #A0A0A8;">On Thursday, January 31, 2013 at 1:07 PM, Anil Saldhana wrote:</p>
                <blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
                    <span><div><div>
   
   
   
    <div>Ok. We throw an exception now if there
      is a second login() call on an already authenticated session.<br>
      <br>
      On 01/31/2013 07:25 AM, Bruno Oliveira wrote:<br>
    </div><blockquote type="cite"><div>
      <div wrap="true" graphical-quote="true" style="font-family: -moz-fixed; font-size: 12px;" lang="x-western">
        <pre wrap="">Exactly! That's my point!  

Thanks Marek.  


<div>--  
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile



On Thursday, January 31, 2013 at 8:40 AM, Marek Posolda wrote:

</div></pre><blockquote type="cite"><div>
          <pre wrap=""><span>&gt; </span>In Servlet 3.0 specification, method HttpServletRequest.login(username,  
<span>&gt; </span>password) stated in javadoc that it throws exception if someone is  
<span>&gt; </span>trying to login on already authenticated session. Javadoc looks like this:
<span>&gt; </span>
<span>&gt; </span>* @exception ServletException if the configured login mechanism
<span>&gt; </span>*            does not support username password authentication,
<span>&gt; </span>*            or if a non-null caller identity had already been
<span>&gt; </span>*            established (prior to the call to login), or if
<span>&gt; </span>*            validation of the provided username and password fails.
<span>&gt; </span>
<span>&gt; </span>Indeed throwing exception seems to me like best approach in this case. I  
<span>&gt; </span>think that if someone wants to login again with different credentials,  
<span>&gt; </span>he should first logout before second login. So usecase could be like:
<span>&gt; </span>
<span>&gt; </span>credential.setCredential(x);
<span>&gt; </span>identity.login();
<span>&gt; </span>// Do something with identity 'x'
<span>&gt; </span>identity.logout();
<span>&gt; </span>
<span>&gt; </span>credential.setCredential(y);
<span>&gt; </span>identity.login();
<span>&gt; </span>// Do something with identity 'y'
<span>&gt; </span>
<span>&gt; </span>
<span>&gt; </span>
<span>&gt; </span>Marek
<span>&gt; </span>
<span>&gt; </span>On 31/01/13 01:58, Jess Sightler wrote:
</pre><blockquote type="cite"><div>
            <pre wrap=""><span>&gt; &gt; </span>I see no reason why someone would call login again on an already authenticated session. I believe that Seam 2.x used to catch this and throw an exception (though I could be misremembering). Personally, I would prefer an exception over silently ignoring the call or an option such as the one below.
<span>&gt; &gt; </span>
<span>&gt; &gt; </span>Unless there is a valid reason to call .login again?
<span>&gt; &gt; </span>
<span>&gt; &gt; </span>----- Original Message -----
</pre><blockquote type="cite"><div>
              <pre wrap=""><span>&gt; &gt; &gt; </span>From: "Anil Saldhana" &lt;<a moz-do-not-send="true" href="mailto:Anil.Saldhana@redhat.com">Anil.Saldhana@redhat.com</a>&gt;
<span>&gt; &gt; &gt; </span>To: <a moz-do-not-send="true" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<span>&gt; &gt; &gt; </span>Sent: Wednesday, January 30, 2013 7:31:33 PM
<span>&gt; &gt; &gt; </span>Subject: Re: [security-dev] PLINK-84 - Login can be bypassed with any user after a first successful login
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>Actually, I do not see a problem in customizing the behavior of
<span>&gt; &gt; &gt; </span>repeated login() method calls:
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>something like:
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>identity.setOption(Option.LOGIN_REPEAT);
<span>&gt; &gt; &gt; </span>credential.setCredential(x);
<span>&gt; &gt; &gt; </span>identity.login();
<span>&gt; &gt; &gt; </span>credential.setCredential(y);
<span>&gt; &gt; &gt; </span>identity.login();
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>If the option is set, then the second call of login() will
<span>&gt; &gt; &gt; </span>authenticate again.
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>By default, we want to maintain the session behavior. But if Aerogear
<span>&gt; &gt; &gt; </span>wants repeated login() logic, they should be able to set it in the
<span>&gt; &gt; &gt; </span>option?
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>Feedback?
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>On 01/30/2013 11:47 AM, Bruno Oliveira wrote:
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>I still don't agree with it, we're giving the benefit of the doubt to
<span>&gt; &gt; &gt; </span>developers. If I have a method which is invoked twice for example
<span>&gt; &gt; &gt; </span>via HTTP request with the following code:
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div>
                  <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; </span>credential.setCredential(x);
<span>&gt; &gt; &gt; &gt; &gt; </span>identity.login();
<span>&gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; </span>Login should be validate it again, but if you think that is not a problem,
<span>&gt; &gt; &gt; &gt; &gt; </span>I'm fine.
<span>&gt; &gt; &gt; &gt; &gt; </span>
</pre>
                </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; </span>
</pre>
              </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>Anil, could you please provide the final solution for it? Examples of
<span>&gt; &gt; &gt; </span>usage?
<span>&gt; &gt; &gt; </span>--
<span>&gt; &gt; &gt; </span>"The measure of a man is what he does with power" - Plato
<span>&gt; &gt; &gt; </span>-
<span>&gt; &gt; &gt; </span>@abstractj
<span>&gt; &gt; &gt; </span>-
<span>&gt; &gt; &gt; </span>Volenti Nihil Difficile
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>On Wednesday, January 30, 2013 at 1:40 PM, Anil Saldhana wrote:
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite"><div>
                <pre wrap=""><span>&gt; &gt; &gt; &gt; </span>On 01/30/2013 09:33 AM, Bruno Oliveira wrote:
</pre><blockquote type="cite"><div>
                  <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; </span>So if I'm a bank where the user account is logged in, this user
<span>&gt; &gt; &gt; &gt; &gt; </span>has just forgot to 'logout'. Another person using his computer
<span>&gt; &gt; &gt; &gt; &gt; </span>can just bypass the login, because the session still exists?
<span>&gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; </span>Banks get over this by frequently being proactive using
<span>&gt; &gt; &gt; &gt; &gt; </span>Javascript. If the user has been idle for a minute, they give
<span>&gt; &gt; &gt; &gt; &gt; </span>out a warning and if there is no response, they log out the
<span>&gt; &gt; &gt; &gt; &gt; </span>user.
<span>&gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; </span>Another scenario, I'm at the same network of John, running my
<span>&gt; &gt; &gt; &gt; &gt; </span>whatever-sniffer, then is just a matter of grab the current
<span>&gt; &gt; &gt; &gt; &gt; </span>session ID and login? Am I wrong? Because If understood
<span>&gt; &gt; &gt; &gt; &gt; </span>correctly, after user login, even if I invoke this method for a
<span>&gt; &gt; &gt; &gt; &gt; </span>second time, what really matters is the session ID.
<span>&gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; </span>https/ssl should be mandatory for all critical web applications. Just have
<span>&gt; &gt; &gt; &gt; &gt; </span>a HTTP Header agent installed for your browser. Your passwords
<span>&gt; &gt; &gt; &gt; &gt; </span>are in the clear in the http header agent if you do not use
<span>&gt; &gt; &gt; &gt; &gt; </span>https.
<span>&gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; </span>I'm confused.
<span>&gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; </span>--
<span>&gt; &gt; &gt; &gt; &gt; </span>"The measure of a man is what he does with power" - Plato
<span>&gt; &gt; &gt; &gt; &gt; </span>-
<span>&gt; &gt; &gt; &gt; &gt; </span>@abstractj
<span>&gt; &gt; &gt; &gt; &gt; </span>-
<span>&gt; &gt; &gt; &gt; &gt; </span>Volenti Nihil Difficile
<span>&gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; </span>On Wednesday, January 30, 2013 at 1:17 PM, Anil Saldhana wrote:
<span>&gt; &gt; &gt; &gt; &gt; </span>
</pre>
                </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; </span>
</pre>
              </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite"><div>
                      <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>On 01/29/2013 08:08 PM, Douglas Campos wrote:
</pre>
                    </div></blockquote></blockquote></blockquote></blockquote><pre wrap=""><span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
                          <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>On Tue, Jan 29, 2013 at 05:19:23PM -0600, Anil Saldhana
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>wrote:
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                        </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                      </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                    </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                  </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; </span>
</pre>
                </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; </span>
</pre>
              </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
                              <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>Shane,
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>this is not a bug rather a feature request.
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                            </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                          </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                        </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                      </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                    </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                  </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; </span>
</pre>
                </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; </span>
</pre>
              </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
                                  <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>it's a bug
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>Aerogear has the following sequence:
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>credential.setCredential(x);
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>identity.login();
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>credential.setCredential(y);
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>identity.login();
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>Aerogear wants PicketLink to reauthenticate during the second
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>login() call. Currently it will not because the first login()
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>established a User instance and subsequent login() calls will
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>just bypass the auth process.
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                                </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                              </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                            </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                          </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                        </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                      </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                    </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                  </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; </span>
</pre>
                </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; </span>
</pre>
              </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
                                  <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>If my API doesn't do the login process on the login() call,
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>am I not failing with the "least surprise principle"? If it
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>doesn't do all the login procedure when called, better rename
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>it then: mayLogin(), loginWithCaching() or anything like this.
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                                </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                              </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                            </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                          </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                        </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                      </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                    </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                  </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; </span>
</pre>
                </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; </span>
</pre>
              </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
                          <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>Your usage:
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>User user = null;
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>AuthenticationResult result = identity.login();
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>if (result == AuthenticationResult.SUCCESS) {
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>    user = identity.getUser();
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>} else {
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>    throw new RuntimeException("Authentication Failed");
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>}
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>// Now identity has a user
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>// Irrespective of what you want to put in credential, you are
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>// authenticated already until you logout
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>result = identity.login();
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>// result is always SUCCESS.
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                        </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                      </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                    </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                  </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; </span>
</pre>
                </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; </span>
</pre>
              </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div><blockquote type="cite"><div>
                              <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>IMO, this is not only wrong, but I think it can be
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>used as a potential attack vector.
<span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                            </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                          </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                        </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                      </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                    </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; </span>
</pre>
                  </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; </span>
</pre>
                </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; &gt; </span>
</pre>
              </div></blockquote><pre wrap=""><span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite"><div>
                          <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>How?
</pre>
                        </div></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><pre wrap=""><span>&gt; &gt; &gt; </span>
<span>&gt; &gt; &gt; </span>
</pre><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color: #C0C0C0;"><blockquote type="cite" style="color:
                            #C0C0C0;"><blockquote type="cite"><div>
                              <pre wrap=""><span>&gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; &gt; </span>-- qmx
 </pre>
                            </div></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></div></blockquote></div></blockquote></div></blockquote></div>
    </div></blockquote></div><div><div>_______________________________________________</div><div>security-dev mailing list</div><div><a href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a></div><div><a href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a></div></div></div></span>
                 
                 
                 
                 
                </blockquote>
                 
                <div>
                    <br>
                </div>
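                <div>The behaviour debated in this thread, as an added Java example that is not part of the original messages and is not PicketLink's code: CachingIdentity reproduces the reported second login() that returns SUCCESS without checking the new credential, and StrictIdentity shows the agreed fix of throwing until logout() is called. The class names, the two constructed accounts and the use of IllegalStateException are assumptions made for the illustration.</div>

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical classes for illustration only; names are assumptions, not PicketLink's API.
public class ReLoginDemo {
    enum AuthenticationResult { SUCCESS, FAILED }

    // Stand-in for the credential holder used in the thread (credential.setCredential(x)).
    static final class Credential {
        String user;
        String password;
        void setCredential(String user, String password) {
            this.user = user;
            this.password = password;
        }
    }

    // Constructed user store with two accounts, "x" and "y".
    static boolean verify(Credential c) {
        String expected = "x".equals(c.user) ? "x-secret" : "y".equals(c.user) ? "y-secret" : null;
        if (expected == null || c.password == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     c.password.getBytes(StandardCharsets.UTF_8));
    }

    // Behaviour reported in the thread: once a user is established,
    // login() returns SUCCESS without looking at the credential again.
    static class CachingIdentity {
        final Credential credential;
        String user;
        CachingIdentity(Credential credential) { this.credential = credential; }

        AuthenticationResult login() {
            if (user != null) return AuthenticationResult.SUCCESS; // credential is ignored here
            return authenticate();
        }
        AuthenticationResult authenticate() {
            if (!verify(credential)) return AuthenticationResult.FAILED;
            user = credential.user;
            return AuthenticationResult.SUCCESS;
        }
        void logout() { user = null; }
        String getUser() { return user; }
    }

    // Behaviour agreed in the thread: a second login() on an authenticated
    // identity throws, so the caller has to logout() before switching users.
    static class StrictIdentity extends CachingIdentity {
        StrictIdentity(Credential credential) { super(credential); }
        @Override
        AuthenticationResult login() {
            if (user != null) {
                throw new IllegalStateException("already authenticated as " + user + "; call logout() first");
            }
            return authenticate();
        }
    }

    public static void main(String[] args) {
        Credential credential = new Credential();
        CachingIdentity caching = new CachingIdentity(credential);
        credential.setCredential("x", "x-secret");
        System.out.println("caching, x: " + caching.login());
        // The credential now names y with a wrong password; login() short-circuits on the cached user.
        credential.setCredential("y", "wrong-password");
        System.out.println("caching, y with bad password: " + caching.login() + " as " + caching.getUser());

        StrictIdentity strict = new StrictIdentity(credential);
        credential.setCredential("x", "x-secret");
        strict.login();
        credential.setCredential("y", "wrong-password");
        try { strict.login(); }
        catch (IllegalStateException e) { System.out.println("strict, second login: " + e.getMessage()); }
        // After logout() the credential is verified again, so the bad password is rejected.
        strict.logout();
        System.out.println("strict, y with bad password after logout: " + strict.login());
    }
}
```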