Jetty

JDBCUserRealm cache management causes incorrect 403 (User not in required role) response

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 6.0.1
  • Fix Version/s: 6.1.1
  • Component/s: Security and SSL
  • Labels:
    None
  • Number of attachments :
    0

Description

When JDBCUserRealm clears the realm caches (see JDBCUserRealm.authenticate() ), it clears only the roles cache (_roles from HashUserRealm). Sinces the user principal is still in the users cache (_users from HashUserRealm), the user principal is not reloaded. The subsequent call to isUserInRole() fails because all the role cache is now empty. A 403 response (User not in required role) is sent to the client browser.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Thierry Rouget added a comment -

Forgot to add how to reproduce it easily:

  • in the properties file for the jdbc realm, set the cache time to 0.
  • authenticate with a user
  • close the browser, open a new one and authenticate with the same user

-> you get a 403 complaining about the user roles.

Show
Thierry Rouget added a comment - Forgot to add how to reproduce it easily: in the properties file for the jdbc realm, set the cache time to 0. authenticate with a user close the browser, open a new one and authenticate with the same user -> you get a 403 complaining about the user roles.
Hide
Permalink
Jan Bartel added a comment -

I've checked in a fix for this to svn trunk. I haven't got a setup where I can test this at the moment, would it be possible for you to build from trunk and test? thanks.

Show
Jan Bartel added a comment - I've checked in a fix for this to svn trunk. I haven't got a setup where I can test this at the moment, would it be possible for you to build from trunk and test? thanks.
Hide
Permalink
Jan Bartel added a comment -

Closing this issue, please reopen if there is still a problem.

Show
Jan Bartel added a comment - Closing this issue, please reopen if there is still a problem.

People

  • Assignee:
    Jan Bartel
    Reporter:
    Thierry Rouget
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: