Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0027036 | Openbravo ERP | C. Security | public | 2014-07-09 09:53 | 2014-08-08 18:53 |
|
| Reporter | alostale | |
| Assigned To | alostale | |
| Priority | immediate | Severity | major | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 5 | OS Version | |
| Product Version | | |
| Target Version | 3.0PR14Q4 | Fixed in Version | 3.0PR14Q4 | |
| Merge Request Status | |
| Review Assigned To | AugustoMauch |
| OBNetwork customer | OBPS |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0027036: 2 roles accessing WS from same browser can temporarily mess up WS access |
| Description | When accessing web services and ERP at the same time from the same browser, it is possible temporarily mess up user and roles to access web service. |
| Steps To Reproduce | 1. Set up instance:
*Create role A with access to Currency and access to Web Services, assign it to user A as default role
*Create role B without access to Web Services
2. Invoke Currency WS (/ws/dal/Currency) as user A -> retrieves data, OK
3. In the same browser log in ERP with user B
4. Log out
5. Invoke Currency WS as role A from a different browser -> It won't retrieve data in the next 30 min
|
| Proposed Solution | The problem is as follows:
-WS keep a cache of OBContext associated to userId in order to allow stateless requests
-In step 2 a new entry (user A, context for role A) is created in this cache
-In step 3 the cache is not modified but the context object referred from it is changed to context for role B
-In step 5 value for user A is requested from cache, it returns object pointing now to context for role B, which has no access to ws |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | |
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2014-07-09 09:53 | alostale | New Issue | |
| 2014-07-09 09:53 | alostale | Assigned To | => alostale |
| 2014-07-09 09:53 | alostale | OBNetwork customer | => No |
| 2014-07-09 09:53 | alostale | Modules | => Core |
| 2014-07-09 09:53 | alostale | Triggers an Emergency Pack | => No |
| 2014-07-09 09:53 | alostale | Review Assigned To | => AugustoMauch |
| 2014-07-09 09:53 | alostale | OBNetwork customer | No => Yes |
| 2014-07-09 10:00 | hgbot | Checkin | |
| 2014-07-09 10:00 | hgbot | Note Added: 0068566 | |
| 2014-07-09 10:00 | hgbot | Status | new => resolved |
| 2014-07-09 10:00 | hgbot | Resolution | open => fixed |
| 2014-07-09 10:00 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/9f64b28414de37634b6617f8af82f5416f07084a [^] |
| 2014-07-14 10:37 | AugustoMauch | Note Added: 0068605 | |
| 2014-07-14 10:37 | AugustoMauch | Status | resolved => closed |
| 2014-07-14 10:37 | AugustoMauch | Fixed in Version | => PR14Q4 |
| 2014-07-16 13:36 | hgbot | Checkin | |
| 2014-07-16 13:36 | hgbot | Note Added: 0068665 | |
| 2014-08-08 18:52 | hudsonbot | Checkin | |
| 2014-08-08 18:52 | hudsonbot | Note Added: 0069147 | |
| 2014-08-08 18:53 | hudsonbot | Checkin | |
| 2014-08-08 18:53 | hudsonbot | Note Added: 0069172 | |
|
Notes |
|
|
(0068566)
|
|
hgbot
|
|
2014-07-09 10:00
|
|
Repository: erp/devel/pi
Changeset: 9f64b28414de37634b6617f8af82f5416f07084a
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Jul 09 09:56:55 2014 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/9f64b28414de37634b6617f8af82f5416f07084a [^]
fixed bug 27036: browser combined ws and erp access can mess up ws roles
Before getting the OBContext from cache ensure the user id it was cached for
is still the current one. Note this can change in case of accessing from same
browser with existent session using different users
---
M src/org/openbravo/service/web/UserContextCache.java
---
|
|
|
|
|
|
Code reviewed and verified in pi@119c05bb76af |
|
|
|
(0068665)
|
|
hgbot
|
|
2014-07-16 13:36
|
|
Repository: erp/devel/pi
Changeset: 32a0d7f3914799ae6f850266e2c523e63ed24e7c
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Jul 16 13:36:03 2014 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/32a0d7f3914799ae6f850266e2c523e63ed24e7c [^]
related to bug 27036: added additional debug log
---
M src/org/openbravo/service/web/BaseWebServiceServlet.java
M src/org/openbravo/service/web/UserContextCache.java
---
|
|
|
|
|
|
|
|
|
|