[seam-issues] [JBoss JIRA] Updated: (SEAMSECURITY-7) identity login security bug
Shane Bryzak (JIRA)
jira-events at lists.jboss.org
Wed Apr 14 06:38:25 EDT 2010
[ https://jira.jboss.org/jira/browse/SEAMSECURITY-7?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shane Bryzak updated SEAMSECURITY-7:
------------------------------------
Fix Version/s: 3.0.0.Beta1
> identity login security bug
> ---------------------------
>
> Key: SEAMSECURITY-7
> URL: https://jira.jboss.org/jira/browse/SEAMSECURITY-7
> Project: Seam Security
> Issue Type: Bug
> Environment: jboss 4.2.3.
> Reporter: David Croe
> Assignee: Shane Bryzak
> Fix For: 3.0.0.Beta1
>
>
> Hello !
> I think there is a major security bug in the seamspace example, which will give a user the permissions of the user which has been logged in before.
> To reproduce the scenario:
> 1. login as user demo.
> 2. click the back button or enter the login page manually in the url of your browser
> 3. login as another user.
> the second user will have the admin permissions of the demo user!
> Problem is that the authenticate method will not be invoked if you are already logged in ( even as another user) and the old principal with the assigned permissions will stay in memory.
> Greetings
> D.Croe
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list