[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3972) identity login security bug

Norman Richards (JIRA) jira-events at lists.jboss.org
Tue Feb 24 12:00:56 EST 2009

    [ https://jira.jboss.org/jira/browse/JBSEAM-3972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12454024#action_12454024 ] 

Norman Richards commented on JBSEAM-3972:

Are you sure in the second request that the user is being logged in?   

> identity login security bug
> ---------------------------
>                 Key: JBSEAM-3972
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
>             Project: Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.1.1.GA
>         Environment: jboss 4.2.3. 
>            Reporter: David Croe
> Hello !
> I think there is a major security bug in the seamspace example, which will give a user the permissions of the user which has been logged in before.
> To reproduce the scenario:
> 1. login as user demo.
> 2. click the back button or enter the login page manually in the url of your browser
> 3. login as another user.
> the second user will have the admin permissions of the demo user!
> Problem is that the authenticate method will not be invoked if you are already logged in ( even as another user) and the old principal with the assigned permissions will stay in memory.
> Greetings
>  D.Croe

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


More information about the seam-issues mailing list