0 Replies Latest reply on Jun 20, 2002 6:53 AM by pedrow

    Unauthorized user can take over principals from objects in pool

    pedrow

      Hi,

      The issue is that if I have an authorized user that calls some object, and this object is created with this user's principals, another unauthorized user can obtain this
      object from the pool with the authorized user's principals.

      I ran into this when I was doing some unit tests.
      My junitee test class doesn't support authorization, and
      if I run it before I run the authorized client, it tells me that my user is not in the role. But if I run this authorized
      user a few times and it creates a pool of objects,
      then later this junitee class can access my secure bean without any problems. These two client applications are running in separate Tomcat containers; one has basic authentication and the other one doesn't have any.

      I don't think this should be like this. In my opinion
      the container should check each user's roles before it takes
      an object from the pool.

      Does any of you have any experience with this case?

      p.
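The failure mode described in the post, reduced to a self-contained model. This is an added example, not code from the original post or from any EJB container; it uses Python rather than Java so it can be run anywhere, and the names `LeakyPool`, `CheckedPool`, `SecureBean`, `ALICE` and `ANONYMOUS` are assumed for illustration. `LeakyPool` reproduces the reported behaviour: the role check happens only when a pooled instance is created, and the caller's principal is stored on the instance, so once an authorized caller has warmed the pool an anonymous caller gets an instance that still carries the authorized identity. `CheckedPool` is the behaviour the poster expects: the container authorizes every invocation against the current caller and never lets identity outlive a single call.

```python
from dataclasses import dataclass


class NotAuthorized(Exception):
    """Raised when the current caller lacks the role the bean requires."""


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


# Constructed sample identities (assumed for the example).
ALICE = Principal("alice", frozenset({"manager"}))
ANONYMOUS = Principal("anonymous", frozenset())


class SecureBean:
    """A pooled component that needs the 'manager' role."""

    REQUIRED_ROLE = "manager"

    def __init__(self):
        self.principal = None  # identity bound to this instance by the container

    def do_work(self):
        return f"work done for {self.principal.name}"


class LeakyPool:
    """Flawed container: authorizes only at instance creation and caches the
    caller's principal on the pooled instance. Reused instances are handed
    out with whatever identity created them."""

    def __init__(self):
        self._free = []

    def invoke(self, caller, method):
        if self._free:
            bean = self._free.pop()  # reuse: no role check, stale principal
        else:
            if SecureBean.REQUIRED_ROLE not in caller.roles:
                raise NotAuthorized(caller.name)
            bean = SecureBean()
            bean.principal = caller  # identity leaks into the pool
        try:
            return getattr(bean, method)()
        finally:
            self._free.append(bean)


class CheckedPool:
    """Corrected container: every invocation is authorized against the
    current caller, the caller is bound only for the duration of the call,
    and the instance is scrubbed before it returns to the pool."""

    def __init__(self):
        self._free = []

    def invoke(self, caller, method):
        if SecureBean.REQUIRED_ROLE not in caller.roles:
            raise NotAuthorized(caller.name)
        bean = self._free.pop() if self._free else SecureBean()
        bean.principal = caller
        try:
            return getattr(bean, method)()
        finally:
            bean.principal = None  # never let identity outlive the call
            self._free.append(bean)


def run_scenario(pool_cls):
    """Cold anonymous call, three authorized calls to warm the pool, then a
    second anonymous call. Returns what each anonymous call produced."""
    pool = pool_cls()
    results = {}
    try:
        pool.invoke(ANONYMOUS, "do_work")
        results["cold_anonymous"] = "allowed"
    except NotAuthorized:
        results["cold_anonymous"] = "rejected"
    for _ in range(3):
        pool.invoke(ALICE, "do_work")
    try:
        results["warm_anonymous"] = pool.invoke(ANONYMOUS, "do_work")
    except NotAuthorized:
        results["warm_anonymous"] = "rejected"
    return results


if __name__ == "__main__":
    print("LeakyPool  :", run_scenario(LeakyPool))
    print("CheckedPool:", run_scenario(CheckedPool))
```

Running the scenario against `LeakyPool` shows the anonymous caller rejected while the pool is empty and then served as "alice" once the pool has been warmed, which is exactly the sequence the post reports; against `CheckedPool` the anonymous caller is rejected both times. The point for a real container is the same as in the toy: authorization must be evaluated per invocation from the current security context, and pooled instances must not be the place that identity lives.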