[Using Sakai] [Building Sakai] user login reverts to admin user

Steve Swinsburg steve.swinsburg at gmail.com
Mon Aug 20 15:20:32 PDT 2012


The recommended and safer way to do this is to keep a reference to the specific instance of the security advisor so that you are sure which one you are removing from the stack.
So the first method returns that, and the pop is actually securityService.popAdvisor(securityAdvisor);
I think the empty method is even deprecated.
See https://jira.sakaiproject.org/browse/KNL-542

Cheers,
Steve

Sent from my iPad
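The pattern Steve describes (hold a reference to the advisor you pushed and pop that exact instance, inside a finally block so it can never leak into later requests) as an added example; this is not code from the thread or from the Sakai code base. It assumes the kernel SecurityService/SecurityAdvisor API linked below, that popAdvisor(SecurityAdvisor) returns a boolean success flag, a hypothetical ScopedAdvisor helper class, and a constructed "/user/" reference prefix.

```java
import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityService;
import org.sakaiproject.user.api.UserDirectoryService;

/** Hypothetical helper: runs one unit of work under a narrowly scoped advisor. */
public final class ScopedAdvisor {

    // Assumed to be injected (e.g. by Spring) in a real Sakai component.
    private final SecurityService securityService;

    public ScopedAdvisor(SecurityService securityService) {
        this.securityService = securityService;
    }

    /**
     * Grants exactly one function, and only for references under the given
     * prefix. Every other check returns PASS ("no opinion"), so the normal
     * permission logic still applies and unrelated checks are not affected.
     */
    public void runWithAdvisor(final String function, final String referencePrefix, Runnable work) {
        final SecurityAdvisor advisor = new SecurityAdvisor() {
            public SecurityAdvice isAllowed(String userId, String fn, String reference) {
                if (function.equals(fn) && reference != null && reference.startsWith(referencePrefix)) {
                    return SecurityAdvice.ALLOWED;
                }
                return SecurityAdvice.PASS;
            }
        };
        securityService.pushAdvisor(advisor);
        try {
            work.run();
        } finally {
            // Pop this exact instance. A bare popAdvisor() would remove whatever
            // is on top, which may be someone else's advisor if calls are nested.
            boolean removed = securityService.popAdvisor(advisor);
            if (!removed) {
                // Assumed return semantics: false means the stack was out of order.
                throw new IllegalStateException("SecurityAdvisor stack mismatch");
            }
        }
    }

    /** Usage: allow "update any user" only for /user/ references during one callback. */
    public void updateUserWithElevation(Runnable userUpdate) {
        // "/user/" is a constructed example prefix for user references.
        runWithAdvisor(UserDirectoryService.SECURE_UPDATE_USER_ANY, "/user/", userUpdate);
    }
}
```

Unlike switching the session user to admin, this elevates a single permission check for the duration of one call and leaves the session's real user id and audit trail intact.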

On 20/08/2012, at 23:52, David Horwitz <david.horwitz at uct.ac.za> wrote:

> FYI The security advisor:
> 
> https://source.sakaiproject.org/release/kernel/1.3.0-b01/apidocs/org/sakaiproject/authz/api/SecurityAdvisor.html
> 
> 
> To set the advisor:
> 
> 
> // we need a security advisor
> SecurityAdvisor secAdvice = new SecurityAdvisor() {
>     public SecurityAdvice isAllowed(String userId, String function, String reference) {
>         log.debug("isAllowed(" + userId + ", " + function + ", " + reference + ")");
>         if (UserDirectoryService.SECURE_UPDATE_USER_ANY.equals(function)) {
>             return SecurityAdvice.ALLOWED;
>         } else if (AuthzGroupService.SECURE_UPDATE_AUTHZ_GROUP.equals(function)) {
>             return SecurityAdvice.ALLOWED;
>         } else if (UserDirectoryService.SECURE_REMOVE_USER.equals(function)) {
>             log.debug("advising user can delete users");
>             return SecurityAdvice.ALLOWED;
>         } else {
>             return SecurityAdvice.NOT_ALLOWED;
>         }
>     }
> };
> securityService.pushAdvisor(secAdvice);
> 
> 
> and to clear it:
> 
> SecurityAdvisor sa = securityService.popAdvisor();
> 
> 
> 
> D
> 
> On 08/20/2012 03:40 PM, David Wafula wrote:
>> That should explain it...we did some session calls somewhere...in the code. Will correct it.
>> 
>> On Mon, Aug 20, 2012 at 3:38 PM, David Horwitz <david.horwitz at uct.ac.za> wrote:
>> This sounds like somewhere something is setting the current session user to admin. I would look at any code you run in the login for something like:
>> 
>>  Session sakaiSession = sessionManager.getCurrentSession();
>>  sakaiSession.setUserId("admin");
>>  sakaiSession.setUserEid("admin");
>> 
>> Code like this should not be called in any user thread; SecurityAdvisors are a better bet ....
>> 
>> D
>> 
>> 
>> 
>> On 08/20/2012 03:21 PM, Fatima Rahiman wrote:
>>> Hi All
>>> 
>>> We’ve been experiencing a number of random though isolated incidents of users unsuccessfully logging into Sakai (with their correct details) but with their browser window immediately returning a screen which shows SAKAI admin user rights, i.e. they somehow manage to log into SAKAI as an admin! Obviously this poses a huge security breach for us. Has anyone else ever experienced this?
>>> 
>>> _______________________________________________
>>> sakai-user mailing list
>>> sakai-user at collab.sakaiproject.org
>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-user
>>> 
>>> TO UNSUBSCRIBE: send email to sakai-user-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>> 
>> 
>> _______________________________________________
>> sakai-dev mailing list
>> sakai-dev at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>> 
>> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>> 
>> 
>> 
>> -- 
>> David Wafula
> 

