Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Out of Date
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None
    • Environment: JBoss 4.2.3

      Description

      Hello!
      I think there is a major security bug in the seamspace example, which will give a user the permissions of the user who was logged in before.
      To reproduce the scenario:
      1. Log in as user demo.
      2. Click the back button or enter the login page URL manually in your browser.
      3. Log in as another user.
      The second user will have the admin permissions of the demo user!
      The problem is that the authenticate method will not be invoked if you are already logged in (even as another user), and the old principal with the assigned permissions will stay in memory.

      Greetings
      D.Croe
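The failure mode reported above, modelled as an added example. This is not Seam's code and not the seamspace example; it is a hypothetical, self-contained Identity class with a constructed user table (the second user "johnsmith" and both passwords are assumptions). The same object is driven once with the reported behaviour (an already-logged-in Identity skips authenticate(), so the previous principal and its roles survive a second login) and once with a hardened login() that drops the old principal and roles before authenticating the newly submitted credentials.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical, simplified model of a session-scoped Identity component.
// Not Seam's implementation; written to illustrate the reported bug and one fix.
public class LoginDemo {

    // Constructed user table: username -> password, username -> roles.
    static final Map<String, String> PASSWORDS = new HashMap<>();
    static final Map<String, Set<String>> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("demo", "demo");                               // assumed password
        ROLES.put("demo", new HashSet<>(Arrays.asList("admin", "user")));
        PASSWORDS.put("johnsmith", "johnsmith");                     // assumed second user
        ROLES.put("johnsmith", new HashSet<>(Arrays.asList("user")));
    }

    static class Credentials { String username; String password; }

    static class Identity {
        final boolean dropOldPrincipalOnRelogin;
        String principal;                       // logged-in user, null if nobody
        final Set<String> roles = new HashSet<>();
        final Credentials credentials = new Credentials();

        Identity(boolean dropOldPrincipalOnRelogin) {
            this.dropOldPrincipalOnRelogin = dropOldPrincipalOnRelogin;
        }

        boolean isLoggedIn() { return principal != null; }

        String login() {
            if (isLoggedIn()) {
                if (!dropOldPrincipalOnRelogin) {
                    // Reported behaviour: already logged in, so authenticate() is never
                    // called and the old principal keeps its roles for the new user.
                    return "loggedIn";
                }
                // Hardened: an explicit login while a session is active discards the
                // current principal and roles before the new credentials are checked.
                logout();
            }
            return authenticate() ? "loggedIn" : "loginFailed";
        }

        boolean authenticate() {
            String expected = PASSWORDS.get(credentials.username);
            if (expected == null || !expected.equals(credentials.password)) {
                return false;                   // fail closed: nobody is logged in
            }
            principal = credentials.username;
            roles.addAll(ROLES.get(principal));
            return true;
        }

        void logout() { principal = null; roles.clear(); }

        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Runs the reporter's three steps against one session-scoped Identity and
    // returns the principal and admin status observed after the second login.
    static String reproduce(boolean hardened) {
        Identity identity = new Identity(hardened);
        identity.credentials.username = "demo";          // step 1: log in as demo
        identity.credentials.password = "demo";
        identity.login();
        // step 2: back button / typed login URL; same HTTP session, same Identity object
        identity.credentials.username = "johnsmith";     // step 3: log in as another user
        identity.credentials.password = "johnsmith";
        identity.login();
        return identity.principal + " admin=" + identity.hasRole("admin");
    }

    public static void main(String[] args) {
        System.out.println("reported behaviour: " + reproduce(false));
        System.out.println("hardened login:     " + reproduce(true));
    }
}
```

With the reported behaviour the second login leaves the demo principal and its admin role in place; with the hardened login() the session is cleared first, so the second user gets only the roles authenticate() assigns to them. Clearing state unconditionally on an explicit re-login also means a wrong password for the second user leaves nobody logged in rather than silently keeping the first session.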

People

• Assignee: Shane Bryzak (shane.bryzak)
• Reporter: David Croe (d.croe)
• Votes: 2
• Watchers: 3