1:46 p.m.
identity login security bug
---------------------------
Key: JBSEAM-3972
URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.1.1.GA
Environment: jboss 4.2.3.
Reporter: David Croe
Hello !
I think there is a major security bug in the seamspace example, which will give a user the
permissions of the user which has been logged in before.
To reproduce the scenario:
1. login in as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are allready logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:53 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-3972) identity login security bug
[
https://jira.jboss.org/jira/browse/JBSEAM-3972?page=com.atlassian.jira.pl...
]
David Croe updated JBSEAM-3972:
-------------------------------
Description:
Hello !
I think there is a major security bug in the seamspace example, which will give a user the
permissions of the user which has been logged in before.
To reproduce the scenario:
1. login as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are already logged in (
even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
was:
Hello !
I think there is a major security bug in the seamspace example, which will give a user the
permissions of the user which has been logged in before.
To reproduce the scenario:
1. login in as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are allready logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
identity login security bug
---------------------------
Key: JBSEAM-3972
URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.1.1.GA
Environment: jboss 4.2.3.
Reporter: David Croe
Hello !
I think there is a major security bug in the seamspace example, which will give a user
the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are already logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3972) identity login security bug
[
https://jira.jboss.org/jira/browse/JBSEAM-3972?page=com.atlassian.jira.pl...
]
Norman Richards commented on JBSEAM-3972:
-----------------------------------------
Are you sure in the second request that the user is being logged in?
identity login security bug
---------------------------
Key: JBSEAM-3972
URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.1.1.GA
Environment: jboss 4.2.3.
Reporter: David Croe
Hello !
I think there is a major security bug in the seamspace example, which will give a user
the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are already logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:26 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3972) identity login security bug
[
https://jira.jboss.org/jira/browse/JBSEAM-3972?page=com.atlassian.jira.pl...
]
Shane Bryzak commented on JBSEAM-3972:
--------------------------------------
I can't see how this is possible. The Identity.authenticate() method (which is the
gateway for all authentication) explicitly clears the the principal and subject before
doing any authentication.
public synchronized void authenticate()
throws LoginException
{
// If we're already authenticated, then don't authenticate again
if (!isLoggedIn() && !credentials.isInvalid())
{
principal = null;
subject = new Subject();
authenticate( getLoginContext() );
}
}
identity login security bug
---------------------------
Key: JBSEAM-3972
URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.1.1.GA
Environment: jboss 4.2.3.
Reporter: David Croe
Hello !
I think there is a major security bug in the seamspace example, which will give a user
the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are already logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:11 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3972) identity login security bug
[
https://jira.jboss.org/jira/browse/JBSEAM-3972?page=com.atlassian.jira.pl...
]
Ingo Jobling commented on JBSEAM-3972:
--------------------------------------
The point is that, as the comment states,
// If we're already authenticated, then don't authenticate again.
What is happening in this scenario is that someone returns to the logon screen (without
logging out), the user name and password entered are ignored, and the session continues
under the (already authenticated) user.
Rules in pages.xml to bypass the logon page if already logged on do not cover the case
where the browser back button has been pressed.
I suggest that the logic should be changed to authenticate as requested, not to ignore the
request (or, at the very least, raise an "AlreadyAuthenticated" exception or
event.
identity login security bug
---------------------------
Key: JBSEAM-3972
URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.1.1.GA
Environment: jboss 4.2.3.
Reporter: David Croe
Hello !
I think there is a major security bug in the seamspace example, which will give a user
the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are already logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:08 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Assigned: (JBSEAM-3972) identity login security bug
[
https://jira.jboss.org/jira/browse/JBSEAM-3972?page=com.atlassian.jira.pl...
]
Shane Bryzak reassigned JBSEAM-3972:
------------------------------------
Assignee: Shane Bryzak
identity login security bug
---------------------------
Key: JBSEAM-3972
URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.1.1.GA
Environment: jboss 4.2.3.
Reporter: David Croe
Assignee: Shane Bryzak
Hello !
I think there is a major security bug in the seamspace example, which will give a user
the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are already logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:32 p.m.
New subject: [JBoss JIRA] Moved: (SEAMSECURITY-7) identity login security bug
[
https://jira.jboss.org/jira/browse/SEAMSECURITY-7?page=com.atlassian.jira...
]
Shane Bryzak moved JBSEAM-3972 to SEAMSECURITY-7:
-------------------------------------------------
Project: Seam Security (was: Seam)
Key: SEAMSECURITY-7 (was: JBSEAM-3972)
Component/s: (was: Security)
Affects Version/s: (was: 2.1.1.GA)
identity login security bug
---------------------------
Key: SEAMSECURITY-7
URL: https://jira.jboss.org/jira/browse/SEAMSECURITY-7
Project: Seam Security
Issue Type: Bug
Environment: jboss 4.2.3.
Reporter: David Croe
Assignee: Shane Bryzak
Hello !
I think there is a major security bug in the seamspace example, which will give a user
the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are already logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:38 p.m.
New subject: [JBoss JIRA] Updated: (SEAMSECURITY-7) identity login security bug
[
https://jira.jboss.org/jira/browse/SEAMSECURITY-7?page=com.atlassian.jira...
]
Shane Bryzak updated SEAMSECURITY-7:
------------------------------------
Fix Version/s: 3.0.0.Beta1
identity login security bug
---------------------------
Key: SEAMSECURITY-7
URL: https://jira.jboss.org/jira/browse/SEAMSECURITY-7
Project: Seam Security
Issue Type: Bug
Environment: jboss 4.2.3.
Reporter: David Croe
Assignee: Shane Bryzak
Fix For: 3.0.0.Beta1
Hello !
I think there is a major security bug in the seamspace example, which will give a user
the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are already logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:09 a.m.
New subject: [JBoss JIRA] Updated: (SEAMSECURITY-7) identity login security bug
[
https://issues.jboss.org/browse/SEAMSECURITY-7?page=com.atlassian.jira.pl...
]
Shane Bryzak updated SEAMSECURITY-7:
------------------------------------
Fix Version/s: (was: 3.0.0.Beta1)
identity login security bug
---------------------------
Key: SEAMSECURITY-7
URL: https://issues.jboss.org/browse/SEAMSECURITY-7
Project: Seam Security
Issue Type: Bug
Environment: jboss 4.2.3.
Reporter: David Croe
Assignee: Shane Bryzak
Hello !
I think there is a major security bug in the seamspace example, which will give a user
the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are already logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:09 a.m.
New subject: [JBoss JIRA] Resolved: (SEAMSECURITY-7) identity login security bug
[
https://issues.jboss.org/browse/SEAMSECURITY-7?page=com.atlassian.jira.pl...
]
Shane Bryzak resolved SEAMSECURITY-7.
-------------------------------------
Resolution: Out of Date
identity login security bug
---------------------------
Key: SEAMSECURITY-7
URL: https://issues.jboss.org/browse/SEAMSECURITY-7
Project: Seam Security
Issue Type: Bug
Environment: jboss 4.2.3.
Reporter: David Croe
Assignee: Shane Bryzak
Hello !
I think there is a major security bug in the seamspace example, which will give a user
the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are already logged in
( even as another user) and the old principal with the assigned permissions will stay in
memory.
Greetings
D.Croe
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
5064
days inactive
5792
days old
9 comments
4 participants
participants (4)
-
David Croe (JIRA) -
Ingo Jobling (JIRA)
-
Norman Richards (JIRA)
-
Shane Bryzak (JIRA)