7 Replies Latest reply on Mar 3, 2009 12:11 AM by catalinmarcu

    Strange situation regarding security

    catalinmarcu

      Hi there,


      We've built a web application using Seam, JSF and JEE. We used Seam Security for the security part of this application. One of our customers reported that after he logged in using his credentials, the home page he obtained was not his home page but another customer's home page. This seemed strange to me at first and I tended not to believe the customer because I could not reproduce this error. After a while, another customer reported the same problem and this time I knew there was a real problem. So, after some research I managed to reproduce the error using 2 different computers (with 2 different IPs) to mimic a real situation of 2 different customers. Let's suppose Customer A is one client and Customer B is another, having different credentials. I'm trying to explain below what is happening:



      1. Client A logs in successfully and is forwarded to HIS home page of the application

      2. After the successful login of Customer A, Customer B logs in successfully using his credentials and is forwarded to HIS home page of the application (until now, everything is OK)

      3. Customer A presses the back button of his browser to go back to the login page and enters his credentials again

      4. Customer A is forwarded to the home page of Customer B!!!



      This situation appears only when the back button is used as described above.


      Does anyone know a solution for this problem?


      Thanks in advance,
      Catalin


      PS: Seam version used: 2.0.3.CR1, JSF 1.2, GlassFish V2 U2


        • 1. Re: Strange situation regarding security
          hcgpragt

          Just a hunch:

          Maybe the Identity object has gotten an application scope?
          Or is it defined as a static?
          In those cases it would / could already have a value when you start authenticating (again) by pressing the back button.
          And most of the time you start by checking whether a user is already logged on.


          Hugo

          • 2. Re: Strange situation regarding security
            joblini

            This is a serious problem.


            2.0.3.CR1 is a pre-production release.  The first step would be to test with a stable release, either 2.0.2.SP1 or, preferably, 2.1.1.GA.


            The security framework has undergone major changes between 2.0.2 and 2.1.1.

            • 3. Re: Strange situation regarding security
              joblini

              PS As Hugo Pragt indicates in his reply, this could be caused by a programming error.

              • 4. Re: Strange situation regarding security
                catalinmarcu

                Hi guys,


                Thanks a lot for your answers.
                The Identity object is not static; actually it has the @In annotation with no scope declared.
                Also, I've tried to update the framework to 2.1.1 but I have some incompatibility problems and I'm trying to solve them now.
                I'll keep you posted.


                Thanks again,
                Catalin

                • 5. Re: Strange situation regarding security
                  catalinmarcu

                  Guys,


                  I've noticed that after I press the browser back button (step 3 from above), get back to the login page, type the credentials and hit the login button, the Authenticator.authenticate method is not called!!! Is this normal? This method is called only when I have previously used the logout link, which invokes the Identity.instance().logout() method.


                  I think this is the source of my problem. Any suggestion?


                  Thanks in advance,
                  Catalin

                  • 6. Re: Strange situation regarding security
                    swd847

                    You're going to have to post your code; we probably need components.xml, the authenticator bean and probably the backing bean for the customer view that is being displayed incorrectly.

                    • 7. Re: Strange situation regarding security
                      catalinmarcu

                      Hi all,


                      I've updated the Seam framework used in our application from 2.0.3.CR1 to 2.1.1.GA and my problem disappeared! In the log files I noticed that if the user presses the browser back button after authentication and tries to log in again, Seam knows that the user is already logged in.


                      Still one minor problem left: some customers have 2 or more username/password pairs. If such a customer makes an order with one username, then tries to log in with the second username by going back to the login page using the browser back button, after a successful login he will get the home page associated with the first username, because Seam does not perform another authentication, knowing the first username was not logged out. Yes, I know it's a stupid thing but customers DON'T USE the LOGOUT button...


                      Thanks a lot for your help,
                      Catalin
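The remaining problem from the last post (a second set of credentials submitted while the first user is still logged in, so `Authenticator.authenticate` is never called) can be handled with a small login action in front of `Identity.login()`. The following is an added example for Seam 2.1.x, not code from this thread or from the Seam project; the component name `loginAction`, the outcome handling and the message text are assumptions, and it assumes the usual `components.xml` wiring of `authenticate-method="#{authenticator.authenticate}"` with a login form bound to `#{credentials.username}` and `#{credentials.password}` whose submit button calls `#{loginAction.login}` instead of `#{identity.login}`.

```java
import java.security.Principal;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.faces.FacesMessages;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;

/**
 * Hypothetical login action (not from the thread): refuses to let a
 * second user's credentials ride on an existing authenticated session.
 * Seam 2.1's Identity.login() returns "loggedIn" without calling the
 * authenticator when isLoggedIn() is already true, which is exactly what
 * the poster observed after the browser Back button.
 */
@Name("loginAction")
@Scope(ScopeType.EVENT)
public class LoginAction {

    @In private Identity identity;       // built-in Seam component, session scoped
    @In private Credentials credentials; // built-in Seam component, session scoped

    public String login() {
        String submitted = credentials.getUsername();

        if (identity.isLoggedIn() && !sameUser(submitted, identity.getPrincipal())) {
            // A different user is already authenticated in this HTTP session.
            // Identity.logout() clears the Credentials component and schedules
            // invalidation of the HttpSession for the end of this request, so the
            // freshly submitted credentials cannot be used in the same request.
            // End the old session here and let the user submit the form again;
            // the next request starts with a new session and an empty Identity,
            // so Authenticator.authenticate() will run for the second username.
            identity.logout();
            FacesMessages.instance().add(
                "Your previous session has been ended. Please sign in again.");
            return null; // re-render the login page
        }

        // Nobody is logged in (normal path, authenticate() is invoked) or the
        // same user re-submitted the cached login form (Seam reports "loggedIn").
        return identity.login();
    }

    // Compares the submitted username with the principal of the current session.
    static boolean sameUser(String submitted, Principal current) {
        return current != null && submitted != null
            && submitted.equals(current.getName());
    }
}
```

Ending the old session and asking for a second submit is deliberate: it avoids any state from the first customer's session (conversations, cached home-page data, the `Credentials` component) surviving into the second customer's login, which is the same class of cross-customer leakage the thread started with. If the login form is ever served from a cached page, this check also covers a user who pressed Back after someone else logged in on the same browser.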