Previous user object in browser take over current user objec

[gawie]

Hi

I’m new with Acegi and experimenting with it. Great product guys.

One thing I’ve noticed is when for instance :
I log in as user1(role = supervisor)
User1 can access the url “…adminpage1.admin”

Now I log off and use the same browser to logon as User2(role = user)
User2 can’t access url “…adminpage1.admin”
But if I enter the url “…adminpage1.admin” it goes to that page and the principal Im printing out at the top of my page jumps to the previose user (User1).

This happens only if I use the same browser for both logins(User1 and User2).

Im Using : Tomcat 5.0.28
IE6
Looks to me this is only the case with IE. Mozilla seems to works fine when I do this.

Cheers
gawie

[Ben Alex]

Could you please post your application context.

[gawie]

Hi Ben

Which one sould I post

applicationContext-acegi-security
applicationContext-common-authorization
applicationContext-common-business

Thanks
Gawie

[Ben Alex]

It's a bit odd. Have you tried using F5/Refresh in Internet Explorer, to ensure you're not looking at the cached copy from the previous version? Would it be possible to look at DEBUG-level logging generated by Acegi Security, so you can see which user it thinks it's seeing. Did you use remember-me authentication on the original request? How are you actually going about logging off? Does the Contacts Sample Application shipped with Acegi Secuirty 0.8.0 show this same behaviour in your Tomcat 5.0.28 and IE6 browser?

Sorry for all the questions, but they'll rule a lot of things in or out. You can find some info on setting up DEBUG-level logging (if required) at http://acegisecurity.sourceforge.net/faq.html.

[gawie]

Hi.

This is what I've noticed while testing the Contacts Sample Application shipped with Acegi Secuirty 0.8.0 and this is the same kind of behaviour my application shows. Here is an example.

With IE6 (Using the same browserwindow for both logins.):

First, I login as marissa.
Then click 'Admin Permission' for John Smith.
Now just copy the URL in the addressbar to notepad or something for later use.
Now click Manage and Logg-off for Marrisa.
Using the same browser click manage again and login as Scott.
Now copy the URL from before into the addressbar and then you see it does show you Administer Permissions for John Smith which it shouldn't.

But now if you click 'Del' or 'Add permission' you'll get the error. Same behaviour as my application.

This also happens when I use two IE browsers and first acces J.Smith through Marrisa's Login and in the other browers Login as Scott and copy the URL to the later browser.


With Mozilla(Using 2 browserwindows)
When I login in one browser and then open another browser it does not give me the option to login. It just uses the userobject of the other browser.


I know in practise this situations wont actually happen. But if I demonstrate Acegi's capabilities on a single PC using 2 different users it doesnot look like its working.

[Ben Alex]

There is a bug in 0.8.0 related to logout handling. This is fixed in 0.8.1. Could I suggest you try it with the new release?

[gawie]

Thanks Ben for the help.

I tried it with 0.8.1 but still I have the same behaviour with the applications.

If you have any more suggestions.

Thanks
Gawie

[Ben Alex]

If we just focus on your IE6 example, I followed it through and could reproduce your issue. However, it is simply due to caching of the http://localhost:8080/acegi-security...tm?contactId=1 response when logging in as scott. If you hit F5/refresh, you'll get:

HTTP Status 403 - Authentication: net.sf.acegisecurity.providers.UsernamePasswordAut henticationToken@1a8dfb3: Username: net.sf.acegisecurity.providers.dao.User@1a3aa2c: Username: scott; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1 f68272: RemoteIpAddress: 127.0.0.1; SessionId: E63388AE2C3A3F47FD2272138189899D; Granted Authorities: ROLE_USER has NO permissions at all to the domain object: sample.contact.Contact@ee260b: Id: 1; Name: John Smith; Email: john@somewhere.com

Note the last part of the messagem, "has no permissions at all". Similarly, if you clicked "del" to try and remove marissa's permissions, you'll get the same error.

If you watch the Tomcat console, you'll note I've added DEBUG-level logging to Contacts. This shows when the middle tier is being accessed. As such it's easier to see when things aren't being cached.

[gawie]

I understand now why it does display the page but when you refresh it gives the error.
Also I now realized that my userobject only get mixed up between 2 IE browsers if I open the second browser by pressing ctrl+n(shortcut), which I asume makes a copy of the httpheader. So when I launch both IE seperately everything works fine.

Thanks a lot for your time Ben.

Gawie