[jboss-jira] [JBoss JIRA] (AS7-6489) Ensure JBoss 7.2.0-Alpha1 mgmt user session invalidated if user doesn't exist
Darran Lofthouse (JIRA)
jira-events at lists.jboss.org
Fri Feb 8 17:21:51 EST 2013
[ https://issues.jboss.org/browse/AS7-6489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12753125#comment-12753125 ]
Darran Lofthouse commented on AS7-6489:
---------------------------------------
Ok, the problem that you are experiencing is that the web browser has not been shut down, so it remembers the username and password previously entered. On starting the new installation of JBoss, to the web browser this looks to be the same server, as you are connecting to it on the same address. For this reason the web browser is able to respond to the challenge from the server and the user is successfully authenticated.
For the actual HTTP requests there is actually no session - for each request authentication tokens are exchanged and validated for that request.
However shortly I will be switching to some tasks to move the authentication from the web browser into the actual GWT console, this will eliminate the web browser caching of credentials.
At this stage the scenario described is being caused by the web browser so I am going to close this issue - however this will be changed within tasks we already have scheduled.
> Ensure JBoss 7.2.0-Alpha1 mgmt user session invalidated if user doesn't exist
> -----------------------------------------------------------------------------
>
> Key: AS7-6489
> URL: https://issues.jboss.org/browse/AS7-6489
> Project: Application Server 7
> Issue Type: Feature Request
> Components: Domain Management
> Affects Versions: 7.2.0.Alpha1
> Environment: Ubuntu 12.04.2 LTS, java version "1.7.0_06"
> Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
> Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode), built JBoss 7.2.0.Alpha1-SNAPSHOT (code current from this morning EST- 2013-02-08 13:54 UTC)
> Reporter: Gary Weaver
> Assignee: Darran Lofthouse
> Priority: Minor
>
> Had browser open much earlier today and logged into old JBoss 7.1.1.FINAL JBoss management console. Built/setup JBoss 7.2.0-Alpha1 from github jbossas/jboss-as master up-to-date as of earlier this morning. Started server and there was no management user, so it showed the page indicating that I could not login because there was no user. Added user and refreshed page and I was logged-in. I could be imagining things, but it might be good to check that current session is invalidated in management session if the user doesn't exist. (Also, there is no command to remove a user while the server is up that I can see; if there were, I'd try removing the user, hitting the page to validate I couldn't get in, and then hit it again to try to confirm; but, if no one has complained about the lack of remove-user, then I guess it isn't required.)
> Thanks!
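The behaviour described in the comment above, sketched as an added example (not JBoss code and not part of the original message). It assumes the challenge/response scheme is HTTP Digest (RFC 2617, MD5, qop=auth) and that both installations present the same realm; the realm name, user name, password and URI are constructed.

```python
import hashlib, hmac, secrets

REALM = "ExampleRealm"  # constructed; assumed identical on both installations

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user, realm, password):
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_value, method, uri, nonce, nc, cnonce):  # RFC 2617, qop=auth
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class Browser:
    """Holds the typed credentials in memory until the browser is closed."""
    def __init__(self, user, password):
        self.user, self.password, self.count = user, password, 0

    def answer(self, realm, nonce, method, uri):
        self.count += 1
        nc, cnonce = f"{self.count:08x}", secrets.token_hex(8)
        secret = ha1(self.user, realm, self.password)
        return {"username": self.user, "uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce,
                "response": digest_response(secret, method, uri, nonce, nc, cnonce)}

class Server:
    """Stateless verifier: a user table, no session table (nonce tracking omitted)."""
    def __init__(self, realm):
        self.realm, self.users = realm, {}

    def add_user(self, user, password):
        self.users[user] = ha1(user, self.realm, password)

    def request(self, browser, method="GET", uri="/management"):
        auth = browser.answer(self.realm, secrets.token_hex(16), method, uri)  # 401 challenge, then retry
        stored = self.users.get(auth["username"])
        if stored is None:  # user does not exist: this request fails, nothing to invalidate
            return False
        expected = digest_response(stored, method, auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
        return hmac.compare_digest(expected, auth["response"])

def scenario():
    browser, new = Browser("admin", "s3cret"), Server(REALM)  # fresh install, no users yet
    before = new.request(browser)       # cached credentials, but no such user
    new.add_user("admin", "s3cret")     # same name and password as on the old server
    after = new.request(browser)        # page refresh: browser answers the challenge by itself
    del new.users["admin"]
    return [before, after, new.request(browser)]
```

`scenario()` returns the outcome of the three requests in order: rejected while the user is missing, accepted once the user exists, rejected again after the user is removed from the table.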