[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3972) identity login security bug
Norman Richards (JIRA)
jira-events at lists.jboss.org
Tue Feb 24 12:00:56 EST 2009
[ https://jira.jboss.org/jira/browse/JBSEAM-3972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12454024#action_12454024 ]
Norman Richards commented on JBSEAM-3972:
-----------------------------------------
Are you sure in the second request that the user is being logged in?
> identity login security bug
> ---------------------------
>
> Key: JBSEAM-3972
> URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
> Project: Seam
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.1.1.GA
> Environment: jboss 4.2.3.
> Reporter: David Croe
>
> Hello !
> I think there is a major security bug in the seamspace example, which will give a user the permissions of the user which has been logged in before.
> To reproduce the scenario:
> 1. login as user demo.
> 2. click the back button or enter the login page manually in the url of your browser
> 3. login as another user.
> the second user will have the admin permissions of the demo user!
> Problem is that the authenticate method will not be invoked if you are already logged in ( even as another user) and the old principal with the assigned permissions will stay in memory.
> Greetings
> D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list