View Issue Details
ID | 0027036
Type | defect
Category | [Openbravo ERP] C. Security
Severity | major
Reproducibility | have not tried
Date Submitted | 2014-07-09 09:53
Last Update | 2014-08-08 18:53
Reporter | alostale
View Status | public
Assigned To | alostale
Priority | immediate
Resolution | fixed
Fixed in Version | 3.0PR14Q4
Status | closed
Fix in branch |
Fixed in SCM revision | 9f64b28414de
Projection | none
ETA | none
Target Version | 3.0PR14Q4
OS | Any
Database | Any
Java version |
OS Version |
Database version |
Ant version |
Product Version |
SCM revision |
Merge Request Status |
Review Assigned To | AugustoMauch
OBNetwork customer | OBPS
Web browser |
Modules | Core
Support ticket |
Regression level |
Regression date |
Regression introduced in release |
Regression introduced by commit |
Triggers an Emergency Pack | No
Summary | 0027036: 2 roles accessing WS from same browser can temporarily mess up WS access
Description | When accessing web services and the ERP at the same time from the same browser, it is possible to temporarily mix up the user and role used to access the web service.
Steps To Reproduce |
1. Set up the instance:
   * Create role A with access to Currency and access to Web Services, and assign it to user A as the default role
   * Create role B without access to Web Services
2. Invoke the Currency WS (/ws/dal/Currency) as user A -> retrieves data, OK
3. In the same browser, log in to the ERP as user B
4. Log out
5. Invoke the Currency WS as role A from a different browser -> it won't retrieve data for the next 30 min
Proposed Solution |
The problem is as follows:
- WS keep a cache of OBContext associated to userId in order to allow stateless requests
- In step 2 a new entry (user A, context for role A) is created in this cache
- In step 3 the cache is not modified, but the context object referenced from it is changed to the context for role B
- In step 5 the value for user A is requested from the cache; it returns the object that now points to the context for role B, which has no access to WS
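The aliasing described above, replayed as a constructed Python model with the ownership check the fix adds. This is added illustration, not Openbravo's UserContextCache.java; the user directory, class names and the "fall back to the calling session's context" rebuild are assumptions.

```python
# Constructed model of the cache aliasing behind bug 27036; not the project's
# UserContextCache.java. The user/role directory below is made up for the demo.
USERS = {"userA": ("roleA", True), "userB": ("roleB", False)}  # user -> (role, WS allowed)


class OBContext:
    """Mutable context tied to one browser session; an ERP login overwrites it in place."""

    def __init__(self, user_id):
        self.set_user(user_id)

    def set_user(self, user_id):
        self.user_id = user_id
        self.role_id, self.ws_allowed = USERS[user_id]


class UserContextCache:
    """Cache of contexts keyed by user id, as used to serve stateless WS calls."""

    def __init__(self, check_owner):
        self.check_owner = check_owner  # False models the behaviour before the fix
        self._cache = {}

    def get(self, user_id, session_ctx):
        ctx = self._cache.get(user_id)
        # The fix: the cached object may meanwhile have been re-pointed at another
        # user by an ERP login in the same browser, so treat such an entry as stale.
        if ctx is not None and self.check_owner and ctx.user_id != user_id:
            ctx = None
        if ctx is None:
            ctx = session_ctx  # assumption: rebuild from the calling session's context
            self._cache[user_id] = ctx
        return ctx


def reproduce(check_owner):
    """Replays steps 2 to 5 of the report; returns (role, ws_allowed) seen at step 5."""
    cache = UserContextCache(check_owner)
    browser1 = OBContext("userA")
    cache.get("userA", browser1)        # step 2: WS call as user A caches browser1's context
    browser1.set_user("userB")          # step 3: ERP login as user B mutates the same object
    # step 4: logout leaves the cache entry untouched
    browser2 = OBContext("userA")
    ctx = cache.get("userA", browser2)  # step 5: WS call as user A from another browser
    return ctx.role_id, ctx.ws_allowed
```

Without the check, step 5 is served with role B's context (no WS access); with it, the stale entry is discarded and user A gets role A again.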
Tags | No tags attached.
Attached Files |
(0068566) hgbot (developer) 2014-07-09 10:00
Repository: erp/devel/pi
Changeset: 9f64b28414de37634b6617f8af82f5416f07084a
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Jul 09 09:56:55 2014 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/9f64b28414de37634b6617f8af82f5416f07084a

fixed bug 27036: browser combined ws and erp access can mess up ws roles

Before getting the OBContext from cache ensure the user id it was cached for is still the current one. Note this can change in case of accessing from same browser with existent session using different users
---
M src/org/openbravo/service/web/UserContextCache.java
---
(0068605) AugustoMauch (administrator) 2014-07-14 10:37
Code reviewed and verified in pi@119c05bb76af
(0068665) hgbot (developer) 2014-07-16 13:36
Repository: erp/devel/pi
Changeset: 32a0d7f3914799ae6f850266e2c523e63ed24e7c
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Jul 16 13:36:03 2014 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/32a0d7f3914799ae6f850266e2c523e63ed24e7c

related to bug 27036: added additional debug log
---
M src/org/openbravo/service/web/BaseWebServiceServlet.java
M src/org/openbravo/service/web/UserContextCache.java
---
(0069147) hudsonbot (viewer) 2014-08-08 18:52
A changeset related to this issue has been promoted to main and to the Central Repository, after passing a series of tests.
Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/4450016dee64
Maturity status: Test
(0069172) hudsonbot (viewer) 2014-08-08 18:53
A changeset related to this issue has been promoted to main and to the Central Repository, after passing a series of tests.
Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/4450016dee64
Maturity status: Test
Date Modified | Username | Field | Change |
2014-07-09 09:53 | alostale | New Issue | |
2014-07-09 09:53 | alostale | Assigned To | => alostale |
2014-07-09 09:53 | alostale | OBNetwork customer | => No |
2014-07-09 09:53 | alostale | Modules | => Core |
2014-07-09 09:53 | alostale | Triggers an Emergency Pack | => No |
2014-07-09 09:53 | alostale | Review Assigned To | => AugustoMauch |
2014-07-09 09:53 | alostale | OBNetwork customer | No => Yes |
2014-07-09 10:00 | hgbot | Checkin | |
2014-07-09 10:00 | hgbot | Note Added: 0068566 | |
2014-07-09 10:00 | hgbot | Status | new => resolved |
2014-07-09 10:00 | hgbot | Resolution | open => fixed |
2014-07-09 10:00 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/9f64b28414de37634b6617f8af82f5416f07084a |
2014-07-14 10:37 | AugustoMauch | Note Added: 0068605 | |
2014-07-14 10:37 | AugustoMauch | Status | resolved => closed |
2014-07-14 10:37 | AugustoMauch | Fixed in Version | => PR14Q4 |
2014-07-16 13:36 | hgbot | Checkin | |
2014-07-16 13:36 | hgbot | Note Added: 0068665 | |
2014-08-08 18:52 | hudsonbot | Checkin | |
2014-08-08 18:52 | hudsonbot | Note Added: 0069147 | |
2014-08-08 18:53 | hudsonbot | Checkin | |
2014-08-08 18:53 | hudsonbot | Note Added: 0069172 |