[GERONIMO-677] Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 1.0-M4
Fix Version/s: 1.0-M4, 1.0-M5
Component/s: security
Labels:
None

Description

Consider we have two users, "user" with role "user" and "manager" with role "manager" and two secured areas /user/* and /manager/, so only "user"'s can access pages with URL /user/ and only "manager"'s can access pages with URL /manager/*.

If we log in as "user", we can access only /user/* pages, "403 Forbidden" if we try to access /manager/* pages. It is OK.

Now, if we clean the session (request.getSession().invalidate()), we will be logged out, so we cannot access nor /user/, nor /manager/ pages - server redirects to the login page. It is OK.

But if we login second time, as a "manager", we can access both page sets - /user/* and /manager/*! It means that authenticated user owns both roles "user" and "manager", but this is impossible combination!

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

db_create.sql
07/Jul/05 17:37
0.5 kB
Ivan Dubrov
geronimo-application.xml
07/Jul/05 17:37
3 kB
Ivan Dubrov
test.zip
11/Jul/05 14:06
64 kB
Ivan Dubrov
my-changes.patch
28/Jul/05 13:05
0.6 kB
Kevan Lee Miller

Activity

People

Assignee:: David Jencks

Reporter:: Ivan Dubrov

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 15/Jun/05 15:02

Updated:: 07/Aug/06 15:05

Resolved:: 31/Jul/05 16:56