I hope this is the right place to post my question.
I am working on a web application that uses custom security that was written using JAAS by a team internal to the organization.
In web.xml I have configured Security roles using <security-role> and <security-constraint> tags.
After successful login, if I print the user name and his roles, I am able to see the roles which I have configured for this user.
Let us take a scenario: I have two users with usernames User1 and User2. The role assigned to User1 is role1. The role assigned to User2 is role2.
I have opened two browsers and logged into the system with these two users. After successful login, I am showing a welcome page where I display the user name and his roles.
For User1, after successful login, I am able to see his name and role1=true. For User2, I am able to see his name and role2=true.
Now, the problem comes here. When I refresh User1's browser a couple of times, I see his name with role "role2=true". Same with User2: I see his role as "role1=true".
I am checking if the user has roles using request.isUserInRole(Constants.ROLE1) and request.isUserInRole(Constants.ROLE2).
I am not sure why the request object is not able to get the correct roles.
Is there any configuration I need to take care of? Early replies would be greatly appreciated.
Joined: Apr 04, 2002
Are you opening 2 browser windows on the same PC? If so, I think they might end up sharing the same session cookie. I've never been too sure on this - it might depend on the browser implementation.
I've also seen this session confusion happen from separate PCs where the requests were routed through a proxy that did some caching. User 1 requested a personalized page which displayed correctly, as did user 2, but then user 1 got user 2's page. Had to get them to set their IE browser so that it didn't use the proxy for requests to the application.
Joined: Jan 25, 2004
I agree with the last user about sharing the same session stuff, but how are you opening your browser? Are you clicking on the browser, then hitting Control-N for another browser to open? If so, it will definitely share the same session, but if you open two separate browser instances, there should be no conflicting data. If this doesn't help, could you post the code and we could try to replicate the problem? Thanks.
Joined: Nov 17, 2004
Hi, thank you very much for your replies.
Yes, I am testing my application by opening two browsers from the same machine. I am not using Control-N or the File -> New Window option from IE. I am opening two separate new instances of IE.
I am using:
- Oracle 10g AS (9.0.4)
- JSP and Struts
- Internal security implemented as per JAAS
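
One way to separate the two explanations raised in the replies (a shared session cookie versus a caching proxy) from a fault in the role lookup itself is to log, on every request, which session, user and roles the container reports. The filter below is an added example, not code from any poster or from the application. The class name `SessionDiagnosticFilter` and the role strings `"role1"` and `"role2"` are assumptions, and it is written against the Servlet 2.3 API without generics.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical diagnostic filter; register it with <filter> and
// <filter-mapping> in web.xml so it runs in front of the welcome page.
public class SessionDiagnosticFilter implements Filter {
    // Assumed role names; use the values behind Constants.ROLE1 / ROLE2.
    private static final String[] ROLES = { "role1", "role2" };
    private FilterConfig config;

    public void init(FilterConfig config) { this.config = config; }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Keep personalized pages out of shared proxy and browser caches.
        // Headers must be set before the response is committed.
        response.setHeader("Cache-Control", "no-store, no-cache, private");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // getSession(false): observe the session, never create one here.
        HttpSession session = request.getSession(false);
        StringBuffer line = new StringBuffer("diag");
        line.append(" session=").append(session == null ? "none" : shortId(session.getId()));
        line.append(" user=").append(request.getRemoteUser());
        line.append(" thread=").append(Thread.currentThread().getName());
        for (int i = 0; i < ROLES.length; i++) {
            line.append(' ').append(ROLES[i]).append('=')
                .append(request.isUserInRole(ROLES[i]));
        }
        config.getServletContext().log(line.toString());

        chain.doFilter(request, response);
    }

    // Log only a prefix so full session identifiers do not end up in log files.
    private static String shortId(String id) {
        return id.length() > 8 ? id.substring(0, 8) : id;
    }
}
```

If both browsers log the same session prefix, they are sharing a cookie; if a refresh shows the wrong page and no log line appears for it, the response came from a cache. If the session and user are correct on every line but the role flags flip between requests, the browser and proxy are ruled out and the role lookup in the custom JAAS code is the place to look.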