-
1. Re: Strange situation regarding security
hcgpragt Mar 1, 2009 2:49 PM (in response to catalinmarcu)
Just a hunch:
Maybe the Identity object has gotten an application scope?
Or is it defined as a static?
In those cases it would / could already have a value when you start authenticating (again) by pressing the back button.
And most of the time you start by checking if a user is already logged on.
Hugo
-
2. Re: Strange situation regarding security
joblini Mar 2, 2009 3:15 AM (in response to catalinmarcu)
This is a serious problem.
2.0.3.CR1 is a pre-production release. The first step would be to test with a stable release, either 2.0.2.SP1 or, preferably, 2.1.1.GA.
The security framework has undergone major changes between 2.0.2 and 2.1.1.
-
3. Re: Strange situation regarding security
joblini Mar 2, 2009 3:17 AM (in response to catalinmarcu)
PS: As Hugo Pragt indicates in his reply, this could be caused by a programming error.
-
4. Re: Strange situation regarding security
catalinmarcu Mar 2, 2009 1:01 PM (in response to catalinmarcu)
Hi guys,
Thanks a lot for your answers.
The Identity object is not static; actually it has the @In annotation with no scope declared.
Also, I've tried to update the framework to 2.1.1 but I have some incompatibility problems and I'm trying to solve them now.
Keep you in touch.
Thanks again,
Catalin
-
5. Re: Strange situation regarding security
catalinmarcu Mar 2, 2009 8:13 PM (in response to catalinmarcu)
Guys,
I've noticed that after I press the browser back button (step 3 from above), get back to the login page, type the credentials and hit the login button, the Authenticator.authenticate method is not called!!! Is this normal? This method is called only when I previously use the logout link, which invokes the Identity.instance().logout() method.
I think this is the source of my problem. Any suggestion?
Thanks in advance,
Catalin
-
6. Re: Strange situation regarding security
swd847 Mar 2, 2009 10:13 PM (in response to catalinmarcu)
You're going to have to post your code; we probably need components.xml, the authenticator bean and probably the backing bean for the customer view that is being displayed incorrectly.
-
7. Re: Strange situation regarding security
catalinmarcu Mar 3, 2009 12:11 AM (in response to catalinmarcu)
Hi all,
I've updated the Seam framework used in our application from 2.0.3.CR1 to 2.1.1.GA and my problem disappeared! In the log files I noticed that if the user presses the browser back button after authentication and tries to log in again, Seam knows that the user is already logged in.
Still one minor problem left: some customers have 2 or more username/password pairs. If such a customer makes an order with one username and then tries to log in with the second username, going back to the login page using the browser back button, after a successful login he will get the homepage associated with the first username, because Seam does not make another authentication, knowing the first username was not logged out. Yes, I know it's a stupid thing but customers DON'T USE LOGOUT button...
Thanks a lot for your help,
Catalin
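
The behaviour described in the last post, modelled outside any framework as an added example (not code from the thread and not Seam's API): a login handler that skips authentication for an already-authenticated session, next to one that verifies every submitted login and rotates the session. `Session`, `login_short_circuit`, `login_reauthenticating` and the sample accounts are hypothetical names and constructed data.

```python
import hmac
import secrets

# Constructed sample accounts; a real system stores salted password hashes.
USERS = {"shop-a": "pw-a", "shop-b": "pw-b"}


class Session:
    """Server-side session state, playing the role of a session-scoped identity."""

    def __init__(self):
        self.id = secrets.token_hex(16)
        self.user = None       # authenticated username, None when anonymous
        self.auth_calls = 0    # how often credentials were actually verified


def authenticate(session, username, password):
    """Verify credentials (the step the thread saw being skipped)."""
    session.auth_calls += 1
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def login_short_circuit(session, username, password):
    """Behaviour described in the thread: an authenticated session skips the check."""
    if session.user is not None:
        return session                      # submitted credentials are ignored
    if authenticate(session, username, password):
        session.user = username
    return session


def login_reauthenticating(session, username, password):
    """Hardened variant: every submitted login is verified and gets a fresh session."""
    fresh = Session()                       # drop old state, rotate the session id
    fresh.auth_calls = session.auth_calls
    if authenticate(fresh, username, password):
        fresh.user = username
    return fresh                            # anonymous if the credentials were wrong
```
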