[Using Sakai] [Building Sakai] user login reverts to admin user
David Horwitz
david.horwitz at uct.ac.za
Mon Aug 20 06:52:20 PDT 2012
FYI The security advisor:
https://source.sakaiproject.org/release/kernel/1.3.0-b01/apidocs/org/sakaiproject/authz/api/SecurityAdvisor.html
To set the advisor:
//we need a security advisor
SecurityAdvisor secAdvice = new SecurityAdvisor() {
    public SecurityAdvice isAllowed(String userId, String function, String reference) {
        log.debug("isAllowed( " + userId + ", " + function + ", " + reference);
        if (UserDirectoryService.SECURE_UPDATE_USER_ANY.equals(function)) {
            return SecurityAdvice.ALLOWED;
        } else if (AuthzGroupService.SECURE_UPDATE_AUTHZ_GROUP.equals(function)) {
            return SecurityAdvice.ALLOWED;
        } else if (UserDirectoryService.SECURE_REMOVE_USER.equals(function)) {
            log.debug("advising user can delete users");
            return SecurityAdvice.ALLOWED;
        } else {
            return SecurityAdvice.NOT_ALLOWED;
        }
    }
};
securityService.pushAdvisor(secAdvice);
and to clear it:
SecurityAdvisor sa = securityService.popAdvisor();
D
On 08/20/2012 03:40 PM, David Wafula wrote:
> That should explain it...we did some session calls somewhere...in the
> code. Will correct it.
>
> On Mon, Aug 20, 2012 at 3:38 PM, David Horwitz
> <david.horwitz at uct.ac.za <mailto:david.horwitz at uct.ac.za>> wrote:
>
> This sounds like somewhere something is setting the current
> session user to admin. I would look at any code you run in the
> login for something like:
>
> Session sakaiSession = sessionManager.getCurrentSession();
> sakaiSession.setUserId("admin");
> sakaiSession.setUserEid("admin");
>
> Code like this should not be called in any user thread,
> SecurityAdvisors are a better bet ....
>
> D
>
>
>
> On 08/20/2012 03:21 PM, Fatima Rahiman wrote:
>>
>> Hi All
>>
>> We've been experiencing a number of random though isolated
>> incidences of users unsuccessfully logging into Sakai (with their
>> correct details) but with their browser window immediately
>> returning a screen which shows SAKAI admin user rights, i.e. they
>> somehow manage to log into SAKAI as an admin! Obviously this
>> poses a huge security breach for us. Has anyone else ever
>> experienced this?
>>
>>
>> _______________________________________________
>> sakai-user mailing list
>> sakai-user at collab.sakaiproject.org <mailto:sakai-user at collab.sakaiproject.org>
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-user
>>
>> TO UNSUBSCRIBE: send email to sakai-user-unsubscribe at collab.sakaiproject.org <mailto:sakai-user-unsubscribe at collab.sakaiproject.org> with a subject of "unsubscribe"
>
>
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> <mailto:sakai-dev at collab.sakaiproject.org>
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
> TO UNSUBSCRIBE: send email to
> sakai-dev-unsubscribe at collab.sakaiproject.org
> <mailto:sakai-dev-unsubscribe at collab.sakaiproject.org> with a
> subject of "unsubscribe"
>
>
>
>
> --
> David Wafula
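The push/pop advisor pattern from David Horwitz's message, worked through as an added example that is neither Sakai's own code nor code from this thread. It declares a local stand-in for org.sakaiproject.authz.api.SecurityAdvisor with the same isAllowed(userId, function, reference) signature, a small model of the advisor stack (assumed semantics: per thread, newest advisor consulted first, ALLOWED or NOT_ALLOWED decides, PASS falls through), and constructed stand-ins for the UserDirectoryService function names. In a real Sakai component the SecurityServiceModel calls map to SecurityService.pushAdvisor() and popAdvisor() and the constants come from UserDirectoryService. The point it shows is why the pop has to happen in a finally block: an advisor left on the thread changes the outcome of every later permission check on that thread, including requests for other users.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;

// Local stand-in for org.sakaiproject.authz.api.SecurityAdvisor, copying the
// method shape used in the message above. Not the Sakai class itself.
interface SecurityAdvisor {
    enum SecurityAdvice { ALLOWED, NOT_ALLOWED, PASS }
    SecurityAdvice isAllowed(String userId, String function, String reference);
}

// Model of the advisor stack (assumed semantics: kept per thread, newest
// advisor consulted first, ALLOWED/NOT_ALLOWED decide, PASS falls through to
// the next advisor and finally to the base policy).
final class SecurityServiceModel {
    private static final ThreadLocal<Deque<SecurityAdvisor>> ADVISORS =
            ThreadLocal.withInitial(ArrayDeque::new);

    void pushAdvisor(SecurityAdvisor advisor) { ADVISORS.get().push(advisor); }

    SecurityAdvisor popAdvisor() {
        Deque<SecurityAdvisor> stack = ADVISORS.get();
        return stack.isEmpty() ? null : stack.pop();
    }

    int advisorDepth() { return ADVISORS.get().size(); }

    // Base policy, constructed for the model: only "admin" holds any function.
    boolean unlock(String userId, String function, String reference) {
        for (SecurityAdvisor advisor : ADVISORS.get()) { // head of deque = most recent push
            switch (advisor.isAllowed(userId, function, reference)) {
                case ALLOWED:     return true;
                case NOT_ALLOWED: return false;
                case PASS:        break;                // ask the next advisor
            }
        }
        return "admin".equals(userId);
    }
}

public class AdvisorScopeDemo {
    // Constructed stand-ins for UserDirectoryService.SECURE_UPDATE_USER_ANY and
    // UserDirectoryService.SECURE_REMOVE_USER; the real values live in Sakai.
    static final String SECURE_UPDATE_USER_ANY = "user.upd";
    static final String SECURE_REMOVE_USER = "user.del";

    // Advisor shaped like the one in the message: grants exactly the listed
    // functions and answers NOT_ALLOWED for everything else.
    static SecurityAdvisor allowOnly(Set<String> functions) {
        return (userId, function, reference) ->
                functions.contains(function) ? SecurityAdvisor.SecurityAdvice.ALLOWED
                                             : SecurityAdvisor.SecurityAdvice.NOT_ALLOWED;
    }

    // Correct scoping: the advisor lives exactly as long as the privileged call.
    static boolean updateUserScoped(SecurityServiceModel security, String actor) {
        security.pushAdvisor(allowOnly(Set.of(SECURE_UPDATE_USER_ANY)));
        try {
            return security.unlock(actor, SECURE_UPDATE_USER_ANY, "/user/someone");
        } finally {
            security.popAdvisor();   // always runs, even if the privileged work throws
        }
    }

    // Defect to avoid: push without a matching pop on this thread.
    static boolean updateUserLeaking(SecurityServiceModel security, String actor) {
        security.pushAdvisor(allowOnly(Set.of(SECURE_UPDATE_USER_ANY)));
        return security.unlock(actor, SECURE_UPDATE_USER_ANY, "/user/someone");
    }

    public static void main(String[] args) {
        SecurityServiceModel security = new SecurityServiceModel();

        // Scoped: the grant applies during the call, then the stack is empty again
        // and an unrelated later request on this thread gets the base policy.
        System.out.println("scoped grant:  " + updateUserScoped(security, "student1"));
        System.out.println("depth after:   " + security.advisorDepth());
        System.out.println("student1 del:  " + security.unlock("student1", SECURE_REMOVE_USER, "/user/x"));

        // Leaking: the advisor stays on the thread after the call returns, so a
        // different user inherits the grant on the next request handled here,
        // and even admin is refused a function the stale advisor does not list.
        System.out.println("leaking grant: " + updateUserLeaking(security, "student1"));
        System.out.println("depth after:   " + security.advisorDepth());
        System.out.println("student2 upd:  " + security.unlock("student2", SECURE_UPDATE_USER_ANY, "/user/y"));
        System.out.println("admin del:     " + security.unlock("admin", SECURE_REMOVE_USER, "/user/z"));

        while (security.popAdvisor() != null) { /* clear the model's thread state */ }
    }
}
```

Compile and run with `javac AdvisorScopeDemo.java && java AdvisorScopeDemo`. The contrast with the sakaiSession.setUserId("admin") snippet quoted above is the reason the advisor is the better bet: the advisor grants only the named functions and only while it is on the stack, whereas switching the session identity makes every later check on that session pass as admin, which is exactly the symptom the original report describes. The leaking variant also shows why the advisor's NOT_ALLOWED branch for unlisted functions is worth keeping: a forgotten advisor then fails closed for everything else rather than silently widening access further.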