[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3972) identity login security bug

David Croe (JIRA) jira-events at lists.jboss.org
Tue Feb 24 07:46:44 EST 2009

identity login security bug

                 Key: JBSEAM-3972
                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
             Project: Seam
          Issue Type: Bug
          Components: Security
    Affects Versions: 2.1.1.GA
         Environment: jboss 4.2.3. 
            Reporter: David Croe

Hello !
I think there is a major security bug in the seamspace example, which will give a user the permissions of the user which has been logged in before.
To reproduce the scenario:
1. login in as user demo.
2. click the back button or enter the login page manually in the url of your browser
3. login as another user.
the second user will have the admin permissions of the demo user!
Problem is that the authenticate method will not be invoked if you are allready logged in ( even as another user) and the old principal with the assigned permissions will stay in memory.


This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


More information about the seam-issues mailing list