[CWD-163] Administration Console allows login of unauthorized users

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 1.0.3
Affects Version/s: 0.4.4
Component/s: Core features
Labels:
None
Environment:

Hide

Crowd: 0.4.4 Standalone

JRE:
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode, sharing)

OS: RHES 4 update 4
Linux source-systemsx 2.6.9-42.0.8.EL #1 Tue Jan 23 12:37:31 EST 2007 i686 i686 i386 GNU/Linux

Show
Crowd: 0.4.4 Standalone JRE: java version "1.6.0" Java(TM) SE Runtime Environment (build 1.6.0-b105) Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode, sharing) OS: RHES 4 update 4 Linux source-systemsx 2.6.9-42.0.8.EL #1 Tue Jan 23 12:37:31 EST 2007 i686 i686 i386 GNU/Linux

Bug Fix Policy:
View Atlassian Server bug fix policy

When a valid (but unauthorized) principal (user) of Crowd tries to login to the Administration Console after an (authorized) administrator has been logged in and then logged out on the same computer, this unauthorized principal will be granted access to the Administration Console during some time window (approx. 5 minutes).

Clearing all cookies in the browser when the authorized admin has logged out doesn't help to avoid the problem. Expiring the session in the Administration Console doesn't help either - the login will be successful again when performed within the time window.

Ironically if this unauthorized principal (when being logged in) surfs to Applications - Crowd - Config Test and provides his credentials there, he is (correctly) rejected ("Invalid verification").

is related to

CWD-216 Crowd session token should be unique for each user, directory, machine

Closed

shihab added a comment - 09/Sep/2007 11:45 PM

Yes this bug has been fixed since the implementation of ~~CWD-216~~.

Unfortunately this issue hadn't been closed in JIRA. Closing now.

shihab added a comment - 09/Sep/2007 11:45 PM Yes this bug has been fixed since the implementation of CWD-216 . Unfortunately this issue hadn't been closed in JIRA. Closing now.

Bernd Rinn added a comment - 06/Sep/2007 8:03 PM

I can confirm that the bug is no longer present in version 1.0.3 (which is the version that we are using). So probably this bug is a duplicate of ~~CWD-216~~.

Bernd Rinn added a comment - 06/Sep/2007 8:03 PM I can confirm that the bug is no longer present in version 1.0.3 (which is the version that we are using). So probably this bug is a duplicate of CWD-216 .

kgbvax added a comment - 05/Sep/2007 10:22 PM

May I ask what the status of this is?

kgbvax added a comment - 05/Sep/2007 10:22 PM May I ask what the status of this is?

Justen Stepka [Atlassian] added a comment - 21/Mar/2007 3:42 AM

May be caused by.

Justen Stepka [Atlassian] added a comment - 21/Mar/2007 3:42 AM May be caused by.

Assignee:: shihab

Reporter:: Bernd Rinn

Affected customers:: 1 This affects my team

Watchers:: 1 Start watching this issue

Created:: 17/Feb/2007 8:18 PM

Updated:: 09/Sep/2007 11:46 PM

Resolved:: 09/Sep/2007 11:45 PM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: shihab added a comment - 09/Sep/2007 11:45 PM

Expand comment: shihab added a comment - 09/Sep/2007 11:45 PM

Collapse comment: Bernd Rinn added a comment - 06/Sep/2007 8:03 PM

Expand comment: Bernd Rinn added a comment - 06/Sep/2007 8:03 PM

Collapse comment: kgbvax added a comment - 05/Sep/2007 10:22 PM

Expand comment: kgbvax added a comment - 05/Sep/2007 10:22 PM

Collapse comment: Justen Stepka [Atlassian] added a comment - 21/Mar/2007 3:42 AM

Expand comment: Justen Stepka [Atlassian] added a comment - 21/Mar/2007 3:42 AM

People

Dates