JETTY-131

JDBCUserRealm cache management causes incorrect 403 (User not in required role) response

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.1
    • Fix Version/s: 6.1.1
    • Component/s: Security and SSL
    • Labels: None
    • Number of attachments: 0

      Description

      When JDBCUserRealm clears the realm caches (see JDBCUserRealm.authenticate()), it clears only the roles cache (_roles from HashUserRealm). Since the user principal is still in the users cache (_users from HashUserRealm), the user principal is not reloaded. The subsequent call to isUserInRole() fails because the whole role cache is now empty. A 403 response (User not in required role) is sent to the client browser.

        Activity

        Thierry Rouget added a comment -

        Forgot to add how to reproduce it easily:

        • in the properties file for the jdbc realm, set the cache time to 0.
        • authenticate with a user
        • close the browser, open a new one and authenticate with the same user

        -> you get a 403 complaining about the user roles.

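The cache interaction described in the issue description and the three reproduction steps in the comment above can be shown with a small stand-alone model. This is an added example, not Jetty's code: the class CacheInvalidationDemo, the in-memory "database" maps, the _clearUsersToo switch and the secondLoginKeepsRole() helper are all hypothetical, and only the _users / _roles cache names and the authenticate() / isUserInRole() method names are taken from the report. Constructed sample credentials replace the JDBC tables.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical minimal realm modelled on the _users/_roles caches named in
// JETTY-131. Not Jetty's own code; the JDBC tables are replaced by constructed
// in-memory maps so the example runs offline.
public class CacheInvalidationDemo {

    static class Realm {
        // Constructed stand-in for the users and roles tables
        private static final Map<String, String> DB_PASSWORDS = Map.of("alice", "s3cret");
        private static final Map<String, Set<String>> DB_ROLES = Map.of("alice", Set.of("admin"));

        private final Map<String, String> _users = new HashMap<>();      // principal cache
        private final Map<String, Set<String>> _roles = new HashMap<>(); // role cache
        private final long _cacheMs;          // cache time from the realm properties
        private final boolean _clearUsersToo; // false = behaviour reported in JETTY-131
        private long _lastPurge;

        Realm(long cacheMs, boolean clearUsersToo) {
            _cacheMs = cacheMs;
            _clearUsersToo = clearUsersToo;
        }

        // Returns the principal name on success, null on failure.
        String authenticate(String username, String password) {
            long now = System.currentTimeMillis();
            if (now - _lastPurge >= _cacheMs) {
                _roles.clear();
                // The fix: evict cached principals together with their roles,
                // otherwise a cached principal is never reloaded and keeps no roles.
                if (_clearUsersToo) {
                    _users.clear();
                }
                _lastPurge = now;
            }
            if (!_users.containsKey(username)) {
                // Cache miss: load the user and their roles from the "database"
                String stored = DB_PASSWORDS.get(username);
                if (stored == null) {
                    return null;
                }
                _users.put(username, stored);
                _roles.put(username, new HashSet<>(DB_ROLES.getOrDefault(username, Set.of())));
            }
            // Cache hit: the credential is checked, but the roles are NOT reloaded
            return password.equals(_users.get(username)) ? username : null;
        }

        boolean isUserInRole(String username, String role) {
            Set<String> roles = _roles.get(username);
            return roles != null && roles.contains(role);
        }
    }

    // Simulates the reproduction steps: cache time 0, log in, then log in again
    // from a new session. Returns whether the role check still passes the second time.
    static boolean secondLoginKeepsRole(boolean clearUsersToo) {
        Realm realm = new Realm(0, clearUsersToo);
        realm.authenticate("alice", "s3cret");            // first browser session
        boolean first = realm.isUserInRole("alice", "admin");
        realm.authenticate("alice", "s3cret");            // new browser, same user
        return first && realm.isUserInRole("alice", "admin");
    }

    public static void main(String[] args) {
        System.out.println("roles cache only cleared -> role kept after 2nd login: "
                + secondLoginKeepsRole(false));
        System.out.println("both caches cleared      -> role kept after 2nd login: "
                + secondLoginKeepsRole(true));
    }
}
```

With _clearUsersToo set to false the second authenticate() call purges _roles, finds "alice" still in _users, skips the reload, and isUserInRole() then fails exactly as the report describes (the condition that produces the 403). Clearing both caches in the same purge restores the role lookup, since every authentication after expiry repopulates _users and _roles together.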
        Jan Bartel added a comment -

        I've checked in a fix for this to svn trunk. I haven't got a setup where I can test this at the moment; would it be possible for you to build from trunk and test? Thanks.

        Jan Bartel added a comment -

        Closing this issue, please reopen if there is still a problem.


          People

          • Assignee: Jan Bartel
          • Reporter: Thierry Rouget
          • Votes: 0
          • Watchers: 0
