[seam-issues] [JBoss JIRA] Moved: (SEAMSECURITY-7) identity login security bug
Shane Bryzak (JIRA)
jira-events at lists.jboss.org
Wed Apr 14 06:32:25 EDT 2010
[ https://jira.jboss.org/jira/browse/SEAMSECURITY-7?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shane Bryzak moved JBSEAM-3972 to SEAMSECURITY-7:
-------------------------------------------------
Project: Seam Security (was: Seam)
Key: SEAMSECURITY-7 (was: JBSEAM-3972)
Component/s: (was: Security)
Affects Version/s: (was: 2.1.1.GA)
> identity login security bug
> ---------------------------
>
> Key: SEAMSECURITY-7
> URL: https://jira.jboss.org/jira/browse/SEAMSECURITY-7
> Project: Seam Security
> Issue Type: Bug
> Environment: jboss 4.2.3.
> Reporter: David Croe
> Assignee: Shane Bryzak
>
> Hello !
> I think there is a major security bug in the seamspace example, which will give a user the permissions of the user which has been logged in before.
> To reproduce the scenario:
> 1. login as user demo.
> 2. click the back button or enter the login page manually in the url of your browser
> 3. login as another user.
> the second user will have the admin permissions of the demo user!
> Problem is that the authenticate method will not be invoked if you are already logged in ( even as another user) and the old principal with the assigned permissions will stay in memory.
> Greetings
> D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list