Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0027036
TypeCategorySeverityReproducibilityDate SubmittedLast Update
defect[Openbravo ERP] C. Securitymajorhave not tried2014-07-09 09:532014-08-08 18:53
ReporteralostaleView Statuspublic 
Assigned Toalostale 
PriorityimmediateResolutionfixedFixed in Version3.0PR14Q4
StatusclosedFix in branchFixed in SCM revision9f64b28414de
ProjectionnoneETAnoneTarget Version3.0PR14Q4
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionSCM revision 
Review Assigned ToAugustoMauch
Web browser
ModulesCore
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0027036: 2 roles accessing WS from same browser can temporarily mess up WS access

DescriptionWhen accessing web services and ERP at the same time from the same browser, it is possible temporarily mess up user and roles to access web service.
Steps To Reproduce1. Set up instance:
  *Create role A with access to Currency and access to Web Services, assign it to user A as default role
  *Create role B without access to Web Services
2. Invoke Currency WS (/ws/dal/Currency) as user A -> retrieves data, OK
3. In the same browser log in ERP with user B
4. Log out
5. Invoke Currency WS as role A from a different browser -> It won't retrieve data in the next 30 min
Proposed SolutionThe problem is as follows:
-WS keep a cache of OBContext associated to userId in order to allow stateless requests
-In step 2 a new entry (user A, context for role A) is created in this cache
-In step 3 the cache is not modified but the context object referred from it is changed to context for role B
-In step 5 value for user A is requested from cache, it returns object pointing now to context for role B, which has no access to ws
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]

-  Notes
(0068566)
hgbot (developer)
2014-07-09 10:00

Repository: erp/devel/pi
Changeset: 9f64b28414de37634b6617f8af82f5416f07084a
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Jul 09 09:56:55 2014 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/9f64b28414de37634b6617f8af82f5416f07084a [^]

fixed bug 27036: browser combined ws and erp access can mess up ws roles

  Before getting the OBContext from cache ensure the user id it was cached for
  is still the current one. Note this can change in case of accessing from same
  browser with existent session using different users

---
M src/org/openbravo/service/web/UserContextCache.java
---
(0068605)
AugustoMauch (developer)
2014-07-14 10:37

Code reviewed and verified in pi@119c05bb76af
(0068665)
hgbot (developer)
2014-07-16 13:36

Repository: erp/devel/pi
Changeset: 32a0d7f3914799ae6f850266e2c523e63ed24e7c
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Jul 16 13:36:03 2014 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/32a0d7f3914799ae6f850266e2c523e63ed24e7c [^]

related to bug 27036: added additional debug log

---
M src/org/openbravo/service/web/BaseWebServiceServlet.java
M src/org/openbravo/service/web/UserContextCache.java
---
(0069147)
hudsonbot (developer)
2014-08-08 18:52

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/4450016dee64 [^]
Maturity status: Test
(0069172)
hudsonbot (developer)
2014-08-08 18:53

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/4450016dee64 [^]
Maturity status: Test

- Issue History
Date Modified Username Field Change
2014-07-09 09:53 alostale New Issue
2014-07-09 09:53 alostale Assigned To => alostale
2014-07-09 09:53 alostale Modules => Core
2014-07-09 09:53 alostale Triggers an Emergency Pack => No
2014-07-09 09:53 alostale Review Assigned To => AugustoMauch
2014-07-09 10:00 hgbot Checkin
2014-07-09 10:00 hgbot Note Added: 0068566
2014-07-09 10:00 hgbot Status new => resolved
2014-07-09 10:00 hgbot Resolution open => fixed
2014-07-09 10:00 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/9f64b28414de37634b6617f8af82f5416f07084a [^]
2014-07-14 10:37 AugustoMauch Note Added: 0068605
2014-07-14 10:37 AugustoMauch Status resolved => closed
2014-07-14 10:37 AugustoMauch Fixed in Version => PR14Q4
2014-07-16 13:36 hgbot Checkin
2014-07-16 13:36 hgbot Note Added: 0068665
2014-08-08 18:52 hudsonbot Checkin
2014-08-08 18:52 hudsonbot Note Added: 0069147
2014-08-08 18:53 hudsonbot Checkin
2014-08-08 18:53 hudsonbot Note Added: 0069172


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker