Hey All,
First - The Seam examples that are linked off of seamframework.org's "See
Seam in Action..." section: Where are they hosted? Where can I find
more information on them (Seam version? persistence config? etc.)?
And how can we change/update them?
The main reason I ask is because it appears the DVD example is having
some sort of persistence config issue. Selecting "Start Shopping"
throws a JDBC error. A user reported it, but I thought I remember Pete
saying that those demos were a little out of date.
Second - The user wanted to send me an email because he thought he saw a
security issue (see below) where previous users' information was
displayed in one of the text fields. I asked him to put a JIRA in and
that we would look into it. Does this sound familiar to anyone?
Thanks,
Jay
-------- Original Message --------
Subject: Re: Adam R.
SeamFramework.org
Date: Mon, 25 Feb 2008 10:48:25 -0500
From: Jay Balunas <jbalunas(a)redhat.com>
To: A R <adamr_98(a)yahoo.com>
References: <460081.70615.qm(a)web50906.mail.re2.yahoo.com>
Hi Adam,
Thanks for providing this information - I will take a look at the example.
But - if you could enter a JIRA with this information (and any other
info about it) that would be great. That way this can be tracked and
commented on.
When you say "other user sessions", do you mean other users that are
currently logged in, or a user that you had previously been logged in
as? If it is the latter - does it appear that you are logged in as that
user now and can access things as that user?
Thanks,
Jay
A R wrote:
Hi Jay,
The on-line dvd store demo has some database
configuration issues.
However, an apparent security related issue has been
observed.
Nutshell description: The Username text input box in
the Login panel displays information entered from
other users’ sessions.
I’ve been able to reproduce this observation on
numerous attempts typically in less than five (5)
minutes of “banging” on the application.
At first I thought it was just browser caching and
indeed anybody else will ignore it because they will
see things like “User1”, “User2” etc. And make the
assumption that it is the way the app is supposed to
run because the instructions hint to that behavior.
I am able to consistently duplicate a test that
consists of visiting the site from a connection in San
Jose California, and entering the Username “sanjose”.
I’m then able to visit the site from a different
connection, computer, and browser in Berkeley
California and see “sanjose” in the Username field.
I do not have a recipe for reproducing the result. My
test consists of miscellaneous “banging” on the
following few items (in no order):
- Entering Username and then failing the app (Start
Shopping).
- Many fast reloads (sometimes around 50).
- Clicking on the Login and/or Create Account buttons.
- Multiple tabbed sessions.
My personal concern is that the above
misconfiguration is not the reason for the security
violation. It is, however, exposing an unexpected
failure mode that might otherwise be hidden. My
recommendation is not to fix the configuration issues
until this failure is understood.
Let me know if I can provide any additional
information.
Regards,
Adam R.