[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-1538) Permissions Caching When Session Abandoned

Mike Millson (JIRA) jira-events at lists.jboss.org
Fri Jul 6 12:18:53 EDT 2007


Permissions Caching When Session Abandoned
------------------------------------------

                 Key: JBPORTAL-1538
                 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1538
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Portal Security
    Affects Versions: 2.4.1 SP1
         Environment: RHEL 5 Workstation, FireFox 1.5.0.1.2
            Reporter: Mike Millson
         Assigned To: Julien Viet


Starting with an out-of-box portal deployment:
1) Log in as admin
2) Create a role TestRole
3) Create a user TestUser
4) Assign TestRole to TestUser
5) Create a page TestPage and secure it with TestRole
6) Log out
7) Log in as TestUser. You will see the TestPage tab.
8) Abandon the TestUser session by closing the browser or deleting the TestUser session cookie
9) Log in as admin
10) Remove TestRole from TestUser
11) Log out
12) Type in the URL to the portal (don't use the login screen presented after the #11 logout)
13) Log in as TestUser
14) The TestPage tab is displayed, even though TestUser no longer has permission to access it.

The TestPage tab does not disappear until I log out and re-login as TestUser.

I don't think this is a 2nd level cache or query cache issue, as I disabled both and could still reproduce this.
