Previous user object in browser take over current user objec


    I'm new to Acegi and experimenting with it. Great product, guys.

    One thing I've noticed is, for instance:
    I log in as user1 (role = supervisor).
    User1 can access the URL "…adminpage1.admin".

    Now I log off and use the same browser to log on as User2 (role = user).
    User2 can't access the URL "…adminpage1.admin".
    But if I enter the URL "…adminpage1.admin" it goes to that page, and the principal I'm printing out at the top of my page jumps to the previous user (User1).

    This happens only if I use the same browser for both logins (User1 and User2).

    I'm using: Tomcat 5.0.28
    Looks to me like this is only the case with IE. Mozilla seems to work fine when I do this.


  • #2
    Could you please post your application context.


    • #3
      Hi Ben

      Which one should I post?




      • #4
        It's a bit odd. Have you tried using F5/Refresh in Internet Explorer, to ensure you're not looking at the cached copy from the previous version? Would it be possible to look at DEBUG-level logging generated by Acegi Security, so you can see which user it thinks it's seeing? Did you use remember-me authentication on the original request? How are you actually going about logging off? Does the Contacts Sample Application shipped with Acegi Security 0.8.0 show this same behaviour in your Tomcat 5.0.28 and IE6 browser?

        Sorry for all the questions, but they'll rule a lot of things in or out. You can find some info on setting up DEBUG-level logging (if required) at


        • #5

          This is what I've noticed while testing the Contacts Sample Application shipped with Acegi Security 0.8.0, and this is the same kind of behaviour my application shows. Here is an example.

          With IE6 (using the same browser window for both logins):

          First, I log in as marissa.
          Then click 'Admin Permission' for John Smith.
          Now just copy the URL in the address bar to Notepad or something for later use.
          Now click Manage and Log off for Marissa.
          Using the same browser, click Manage again and log in as Scott.
          Now copy the URL from before into the address bar, and then you see it does show you Administer Permissions for John Smith, which it shouldn't.

          But now if you click 'Del' or 'Add permission' you'll get the error. Same behaviour as my application.

          This also happens when I use two IE browsers and first access J. Smith through Marissa's login and in the other browser log in as Scott and copy the URL to the latter browser.

          With Mozilla (using 2 browser windows):
          When I log in in one browser and then open another browser, it does not give me the option to log in. It just uses the user object of the other browser.

          I know in practice these situations won't actually happen. But if I demonstrate Acegi's capabilities on a single PC using 2 different users, it does not look like it's working.


          • #6
            There is a bug in 0.8.0 related to logout handling. This is fixed in 0.8.1. Could I suggest you try it with the new release?


            • #7
              Thanks Ben for the help.

              I tried it with 0.8.1, but I still have the same behaviour with the applications.

              If you have any more suggestions.



              • #8
                If we just focus on your IE6 example, I followed it through and could reproduce your issue. However, it is simply due to caching of the http://localhost:8080/ response when logging in as scott. If you hit F5/refresh, you'll get:

                HTTP Status 403 - Authentication: net.sf.acegisecurity.providers.UsernamePasswordAut [email protected]: Username: [email protected]: Username: scott; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: [email protected] f68272: RemoteIpAddress:; SessionId: E63388AE2C3A3F47FD2272138189899D; Granted Authorities: ROLE_USER has NO permissions at all to the domain object: [email protected]: Id: 1; Name: John Smith; Email: [email protected]
                Note the last part of the message, "has no permissions at all". Similarly, if you clicked "del" to try and remove marissa's permissions, you'll get the same error.

                If you watch the Tomcat console, you'll note I've added DEBUG-level logging to Contacts. This shows when the middle tier is being accessed. As such it's easier to see when things aren't being cached.


                • #9
                  I understand now why it does display the page but when you refresh it gives the error.
                  Also, I now realize that my user object only gets mixed up between 2 IE browsers if I open the second browser by pressing Ctrl+N (shortcut), which I assume makes a copy of the HTTP header. So when I launch both IEs separately, everything works fine.

                  Thanks a lot for your time Ben.