Hippo CMS / CMS-7126

CMS user in SSO handshake between HST and CMS is not always reset after logging in into cms with different user


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Top
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.26.00-alpha-1, 2.26.00
    • Component/s: None

    Description

      The HstCmsSecurityValve contains:

      // Only a request carrying a CMS-User header can reset the stored SSO state,
      // and only when that header names a different user than the one in the session.
      String cmsUser = servletRequest.getHeader("CMS-User");
      if (cmsUser != null) {
          String currentCmsUser = (String) session.getAttribute(CMS_USER_ID_ATTR);
          if (currentCmsUser != null && !currentCmsUser.equals(cmsUser)) {
              session.removeAttribute(CMS_USER_ID_ATTR);
              session.removeAttribute(ContainerConstants.CMS_SSO_REPO_CREDS_ATTR_NAME);
              session.removeAttribute(ContainerConstants.CMS_SSO_AUTHENTICATED);
          }
      }

      The problem is that if you log in to the CMS as 'editor' and then do something in targeting, you get a handshake with the HST that stores the 'editor' credentials encrypted.

      Now, after you log out of the CMS, the HST HTTP session is not invalidated.

      After logging in to the CMS as admin, when you go to the RTVa and modify some stuff, the HST will still have the 'editor' user in its session. Most likely, it gets fixed after you visit some channel in the channel manager, as this sends a 'CMS-User' header, which triggers the above code to clear some attributes.

      Since the targeting perspective in general does not send this CMS-User header, it can now become very confusing.

      The CMS most likely needs one central plugin that arranges the handshake with the HST.
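      The scenario above, reduced to a runnable simulation. This is an added example and not Hippo's code: the HST session is a plain map, the valve is the header/attribute check quoted in the description, and the attribute names, the completeHandshake helper and the stored credential value are placeholders. It shows why a targeting request that carries no CMS-User header leaves the 'editor' state in place after admin has logged in, and that the same request does reset it once a CMS-User header is sent, which is what a central handshake plugin would provide.

```java
import java.util.HashMap;
import java.util.Map;

/** Simulation of the stale-CMS-user problem from CMS-7126 (hypothetical, not project code). */
public class SsoHandshakeDemo {
    // Assumed attribute names; the real constants live in ContainerConstants.
    static final String CMS_USER_ID_ATTR = "cmsUserId";
    static final String CMS_SSO_REPO_CREDS = "cmsSsoRepoCreds";
    static final String CMS_SSO_AUTHENTICATED = "cmsSsoAuthenticated";

    /** The valve logic as quoted in the issue, operating on a map instead of an HttpSession. */
    static void valve(Map<String, Object> hstSession, String cmsUserHeader) {
        if (cmsUserHeader != null) {
            String current = (String) hstSession.get(CMS_USER_ID_ATTR);
            if (current != null && !current.equals(cmsUserHeader)) {
                hstSession.remove(CMS_USER_ID_ATTR);
                hstSession.remove(CMS_SSO_REPO_CREDS);
                hstSession.remove(CMS_SSO_AUTHENTICATED);
            }
        }
    }

    /** Stand-in for a completed SSO handshake storing the user's credentials in the HST session. */
    static void completeHandshake(Map<String, Object> hstSession, String user) {
        hstSession.put(CMS_USER_ID_ATTR, user);
        hstSession.put(CMS_SSO_REPO_CREDS, "<encrypted creds for " + user + ">"); // constructed placeholder
        hstSession.put(CMS_SSO_AUTHENTICATED, Boolean.TRUE);
    }

    /** Which CMS user the HST would act on behalf of for the next request. */
    static String effectiveUser(Map<String, Object> hstSession) {
        return (String) hstSession.get(CMS_USER_ID_ATTR);
    }

    public static void main(String[] args) {
        Map<String, Object> hstSession = new HashMap<>();

        // 1. editor works in targeting: handshake stores editor's credentials.
        valve(hstSession, "editor");
        completeHandshake(hstSession, "editor");

        // 2. editor logs out of the CMS; the HST session is NOT invalidated (as the issue states).

        // 3. admin logs in and uses targeting, which sends no CMS-User header.
        valve(hstSession, null);
        System.out.println("targeting request as admin, no header   -> HST user: " + effectiveUser(hstSession));
        // prints "editor": the stale credentials are still used

        // 4. the same request with a CMS-User header (e.g. from the channel manager,
        //    or from a central handshake plugin) triggers the reset.
        valve(hstSession, "admin");
        System.out.println("request as admin with CMS-User header    -> HST user: " + effectiveUser(hstSession));
        // prints "null": SSO state cleared, a fresh handshake for admin is required
    }
}
```

      The detail worth keeping in mind is that the reset is driven solely by the presence and value of the CMS-User header: any CMS perspective that performs a handshake without sending it inherits whatever user the HST session last stored.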

      People

        jsheriff Junaidh Kadhar Sheriff
        aschrijvers Ard Schrijvers
        Votes: 0
        Watchers: 2