
Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.0-M4
    • Fix Version/s: 1.0-M4, 1.0-M5
    • Component/s: security
    • Labels: None

      Description

      Consider we have two users, "user" with role "user" and "manager" with role "manager", and two secured areas, /user/* and /manager/*, so that only users with role "user" can access pages under /user/* and only users with role "manager" can access pages under /manager/*.

      If we log in as "user", we can access only the /user/* pages and get "403 Forbidden" if we try to access /manager/* pages. This is OK.

      Now, if we clear the session (request.getSession().invalidate()), we will be logged out, so we can access neither /user/* nor /manager/* pages; the server redirects to the login page. This is OK.

      But if we log in a second time, as "manager", we can access both page sets, /user/* and /manager/*! This means that the authenticated user owns both roles, "user" and "manager", but this is an impossible combination!
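      The failure mode described above, as an illustrative model added here (not Geronimo's code): a JAAS-style login module keeps its per-login principals in instance state, and when the same module instance is reused for the next login without being logged out, the earlier roles are committed again. Account data and the module API are constructed for this example.

```python
# Illustrative model of the GERONIMO-677 failure mode, not Geronimo's code:
# a stateful login module whose per-login principals survive into the next
# login. Account data and the module API are constructed for this example.
ACCOUNTS = {"user": ("user-pw", "user"), "manager": ("manager-pw", "manager")}


class RoleLoginModule:
    """JAAS-style module: login() checks credentials, commit() adds principals."""

    def __init__(self):
        self.principals = []   # should hold state from the current login only
        self.succeeded = False

    def login(self, username, password):
        stored = ACCOUNTS.get(username)
        self.succeeded = stored is not None and stored[0] == password
        if self.succeeded:
            self.principals += [("user", username), ("role", stored[1])]
        return self.succeeded

    def commit(self, subject):
        # If principals were never cleared, roles from earlier logins leak in here.
        if self.succeeded:
            subject.update(self.principals)

    def logout(self):
        # Proper cleanup: drop everything learned during this login.
        self.principals.clear()
        self.succeeded = False


def authenticate(module, username, password):
    """Run one login through the module; return the role names on the subject."""
    subject = set()
    if module.login(username, password):
        module.commit(subject)
    return frozenset(name for kind, name in subject if kind == "role")


def roles_after_relogin(reuse_module, logout_first):
    """Log in as "user", invalidate, log in as "manager"; return manager's roles."""
    module = RoleLoginModule()
    authenticate(module, "user", "user-pw")
    if logout_first:
        module.logout()             # session invalidation also logs the module out
    if not reuse_module:
        module = RoleLoginModule()  # fresh module per login, as JAAS intends
    return authenticate(module, "manager", "manager-pw")
```

      With `reuse_module=True` and no logout, the second subject carries both "user" and "manager", which is exactly the symptom reported; a fresh module per login, or a logout() that clears the module's state, yields only "manager".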

        Attachments

        1. my-changes.patch (0.6 kB, Kevan Lee Miller)
        2. test.zip (64 kB, Ivan Dubrov)
        3. db_create.sql (0.5 kB, Ivan Dubrov)
        4. geronimo-application.xml (3 kB, Ivan Dubrov)

            People

            • Assignee: David Jencks (djencks)
            • Reporter: Ivan Dubrov (wfrag)
            • Votes: 0
            • Watchers: 0
