DVD demo example configuration error
by Jay Balunas
Hey All,
First - The seam examples that are linked off of seamframwork.org's "See
Seam in Action..." section: where are they hosted? where can I find
more information on them (seam version?, persistence config? etc...)?
and how can we change/update them?
The main reason I ask is because it appears the DVD example is having
some sort of persistence config issue. Selecting "Start Shopping"
throws a JDBC error. A user reported it, but I thought I remember Pete
saying that those demos were a little out of date.
Second - The user wanted to send me an email because he thought he saw a
security issue (see below) where previous users information was
displayed in one of the text fields. I asked him to put a jira in and
that we would look into it. Does this sound familiar to anyone?
Thanks,
Jay
-------- Original Message --------
Subject: Re: Adam R. SeamFramework.org
Date: Mon, 25 Feb 2008 10:48:25 -0500
From: Jay Balunas <jbalunas(a)redhat.com>
To: A R <adamr_98(a)yahoo.com>
References: <460081.70615.qm(a)web50906.mail.re2.yahoo.com>
Hi Adam,
Thanks for providing this information - I will take a look at the example.
But - if you could enter a jira with this information (and any other
info about it) that would be great. That way this can be tracked and
commented on.
When you say "other user sessions" do you mean other users that are
currently logged in, or a user that you had previously been logged in
as? If it is the latter - Does it appear that you are logged in as the
user now and can access things as that user?
Thanks,
Jay
A R wrote:
> Adam R. SeamFramework.org
>
> jbalunas(a)redhat.com
>
> Hi Jay,
>
> The on-line dvd store demo has some database
> configuration issues.
>
> However, an apparent security related issue has been
> observed.
>
> Nutshell description: The Username text input box in
> the Login panel displays information entered from
> other users’ sessions.
>
> I’ve been able to reproduce this observation on
> numerous attempts typically in less than five (5)
> minutes of “banging” on the application.
>
> At first I thought it was just browser caching and
> indeed anybody else will ignore it because they will
> see things like “User1”, “User2” etc. And make the
> assumption that it is the way the app is supposed to
> run because the instructions hint to that behavior.
>
> I am able to consistently duplicate a test that
> consists of visiting the site from a connection in San
> Jose California, and entering the Username “sanjose”.
> I’m then able to visit the site from a different
> connection, computer, and browser in Berkeley
> California and see “sanjose” in the Username field.
>
> I do not have a recipe for reproducing the result. My
> test consists of miscellaneous “banging” on the
> following few items (in no order):
>
> -Entering Username and then failing the app (Start
> Shopping).
> -Many fast reloads (sometimes around 50).
> -Clicking on the Login and/or Create Account buttons.
> -Multiple tabbed sessions.
>
> My personal concern is that, the above
> misconfiguration is not the reason for the security
> violation. It is however exposing an unexpected
> failure mode that might otherwise be hidden. My
> recommendation is not to fix the configuration issues
> until this failure is understood.
>
> Let me know if I can provide any additional
> information.
>
> Regards,
> AdamR.
>
>
>
>
>
16 years, 1 month
- 5
- 10