Is this a bug in vaadin?

Hi,

I just noticed that when I log in with a certain role and access a secured part of my app, and then log out and directly log in with a user that is not allowed to view this part, it opens up the secured page of the authorized user. This only happens when I log out, change credentials and directly log in again. Is this happening for everyone, so I should report a bug, or am I just stupid? -.-

kind regards chris

edit says: I just realized that once I log in with the inferior credentials I can type the admin area URL in the browser directly and access it. This is, btw, only happening for users that can log in; the anonymous user is blocked.

Sounds like your application doesn’t have a suitable authority check when you’re navigating to a view? You could do this kind of check in a BeforeEnterObserver: https://vaadin.com/docs/v14/flow/routing/tutorial-routing-lifecycle.html#beforeenterevent

I do a security check. This is the method.

private void beforeEnter(BeforeEnterEvent event) {
    // Not logged in and not heading to the login page: send to login
    if (!LoginView.class.equals(event.getNavigationTarget()) && !SecurityUtils.isUserLoggedIn()) {
        event.rerouteTo(LoginView.class);
    // Logged in but deactivated: send to the "deactivated user" route
    } else if (!LoginView.class.equals(event.getNavigationTarget()) && SecurityUtils.isUserLoggedIn()
            && !SecurityUtils.isUserNonDeactivated(CurrentUser.autheticatedUser)) {
        event.rerouteTo(ShowcaseConstants.ROUTERPATH_DEACTIVATEDUSER);
    }
}

I think it is partially from a Vaadin team app. Could this be because of caching? I just tested again, and if I log in as admin and as a regular user right after, it does not redirect me correctly. Well, I am just wondering if this is happening just for me, or because of caching or something, but I actually log out with the admin, so I do not see how this could be caching related.

regards chris

edit says: code formatting is somewhat not working, sorry about that. And it only happens if I am on the admin area part of the app and log out.


edit says second time

I call this method in my LoginView:

@Override
public void beforeEnter(BeforeEnterEvent event) {
    // Already logged in: skip the login page and go to the front page
    if (SecurityUtils.isUserLoggedIn()) {
        event.forwardTo(ShowcaseConstants.ROUTERPATH_FRONT);
    }
}

and yet it redirects me to the admin area when I log in as a regular user after I log out as an admin.
Sorry if I am too stupid, but I do not see any problem in my code.

Your beforeEnter checks two things:

  1. If the user is not logged in and not going to the LoginView, they’re rerouted to the LoginView
  2. If the user is not going to the LoginView AND they’re logged in AND they’re deactivated, they’re rerouted to the “deactivated user” route

So there’s no check for the scenario that a logged-in user tries to access a view they don’t have access to.
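The check Olli describes is authorization on top of the authentication already in the thread: every route has to be compared against the roles of the user who is logged in right now, not just against "someone is logged in". The listener below is an added example, not code from the original post or from Vaadin itself. It reuses the `LoginView` and `SecurityUtils.isUserLoggedIn()` names from chris's post; the `@AllowedRoles` annotation, the package name and `SecurityUtils.currentUserRoles()` are assumptions made for the example and do not exist in the thread. Registering it through a `VaadinServiceInitListener` attaches it to every UI, so a user typing the admin URL directly is covered as well as one clicking a link.

```java
// Added example, not code from the original post or from Vaadin.
// Assumed (not in the thread): the @AllowedRoles annotation, the package name,
// and SecurityUtils.currentUserRoles(); LoginView and isUserLoggedIn() are chris's.
package com.example.security; // hypothetical package

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.Set;

import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.BeforeEnterListener;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;

/** Route-level authorization marker. A view without it is open to any logged-in user. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface AllowedRoles {
    String[] value();
}

public class RouteAccessListener implements VaadinServiceInitListener, BeforeEnterListener {

    // Picked up via META-INF/services/com.vaadin.flow.server.VaadinServiceInitListener;
    // from there the listener is attached to every UI that gets created.
    @Override
    public void serviceInit(ServiceInitEvent event) {
        event.getSource().addUIInitListener(uiEvent -> uiEvent.getUI().addBeforeEnterListener(this));
    }

    @Override
    public void beforeEnter(BeforeEnterEvent event) {
        Class<?> target = event.getNavigationTarget();
        if (LoginView.class.equals(target)) {
            return; // never reroute away from the login page, or the reroute loops
        }
        if (!SecurityUtils.isUserLoggedIn()) {
            event.rerouteTo(LoginView.class); // authentication: nobody is logged in
            return;
        }
        // Authorization: somebody is logged in, but is it somebody allowed here?
        // Hypothetical helper returning the current session's role names.
        if (!isAllowed(target, SecurityUtils.currentUserRoles())) {
            // Answer with the same 404 an unknown route gets, so a regular user
            // cannot use the redirect to confirm that an admin route exists.
            event.rerouteToError(NotFoundException.class);
        }
    }

    /** Pure decision, kept separate from the UI so it can be unit-tested directly. */
    static boolean isAllowed(Class<?> target, Set<String> userRoles) {
        AllowedRoles required = target.getAnnotation(AllowedRoles.class);
        if (required == null) {
            return true; // unannotated view: any authenticated user may enter
        }
        return Arrays.stream(required.value()).anyMatch(userRoles::contains);
    }
}
```

An admin view then only needs `@AllowedRoles("ADMIN")` next to its `@Route` annotation. Because the roles are read from the current session on every navigation, logging out as admin and straight back in as a regular user cannot carry the old decision over: the check is repeated with the new user's roles. The ordering matters too: the login-page exemption comes first so the listener never reroutes the login page to itself, authentication second, authorization last.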

Olli Tietäväinen:
So there’s no check for the scenario that a logged-in user tries to access a view they don’t have access to.

See, I was being a major stupid person. Thanks for the hint =) case closed

have a nice day, chris