Security flaw in Seam docs, section 12.3.2

waynebagguley Apr 4, 2007 9:38 AM

I've implemented my authenticator component as per the seam docs (section 12.3.2) and have come across a security flaw that I thought people should know about or maybe point out what I've done wrong.

I have 2 user roles, 'admin' and 'user' and use these to determine which pages to show.

If I login as admin and then go directly to the login page (without logging out) and login as a normal 'user' then I get the 'admin' role as well as the ordinary 'user' role. Clearly the Identity instance is not getting cleared down anywhere, maybe this should be added to the example or have I missed something out?

1. Re: Security flaw in Seam docs, section 12.3.2

shane.bryzak Apr 4, 2007 9:58 AM (in response to waynebagguley)

You're right, the roles weren't being removed from the subject. I've fixed this in CVS.
Actions
2. Re: Security flaw in Seam docs, section 12.3.2

waynebagguley Apr 4, 2007 10:21 AM (in response to waynebagguley)

How do I remove all the roles in one go?
Actions
3. Re: Security flaw in Seam docs, section 12.3.2

shane.bryzak Apr 4, 2007 10:27 AM (in response to waynebagguley)
You have direct access to the subject via Identity.getSubject(), if you want to remove all the roles simply iterate through the principals in the subject until you find the "Roles" group. Here's an example:

for ( Group sg : Identity.instance().getSubject().getPrincipals(Group.class) ) { if ( Identity.ROLES_GROUP.equals( sg.getName() ) ) { Identity.instance().getSubject().getPrincipals().remove(sg); break; } }
Actions

Go to original post