[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-3972) identity login security bug

Ingo Jobling (JIRA) jira-events at lists.jboss.org
Tue Feb 24 23:11:54 EST 2009 

    [ https://jira.jboss.org/jira/browse/JBSEAM-3972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12454140#action_12454140 ] 

Ingo Jobling commented on JBSEAM-3972:
--------------------------------------

The point is that, as the comment states,  

// If we're already authenticated, then don't authenticate again.

What is happening in this scenario is that someone returns to the logon screen (without logging out), the user name and password entered are ignored, and the session continues under the (already authenticated) user.  

Rules in pages.xml to bypass the logon page if already logged on do not cover the case where the browser back button has been pressed.

I suggest that the logic should be changed to authenticate as requested, not to ignore the request (or, at the very least, raise an "AlreadyAuthenticated" exception or event.
 


  

> identity login security bug
> ---------------------------
>
>                 Key: JBSEAM-3972
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-3972
>             Project: Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.1.1.GA
>         Environment: jboss 4.2.3. 
>            Reporter: David Croe
>
> Hello !
> I think there is a major security bug in the seamspace example, which will give a user the permissions of the user which has been logged in before.
> To reproduce the scenario:
> 1. login as user demo.
> 2. click the back button or enter the login page manually in the url of your browser
> 3. login as another user.
> the second user will have the admin permissions of the demo user!
> Problem is that the authenticate method will not be invoked if you are already logged in ( even as another user) and the old principal with the assigned permissions will stay in memory.
> Greetings
>  D.Croe

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list