
[Solved] Security problem: sending an Alfresco link

Question asked by zomurn on Feb 2, 2009
Latest reply on Feb 4, 2009 by zomurn
Hi everyone,

I deployed an Alfresco application hosted on a server. The application is accessible to all employees through the intranet via the URL http://xx.xx.xxx.xx/alfresco.
I have a security problem with the application (it is an Alfresco 2.2.0 Enterprise installation). Scenario:

1) A user accesses the application through the intranet via the URL http://xx.xx.xxx.xx/alfresco/extension/login.jsp
He lands on a custom login.jsp page which shows the company logo.

2) The user logs in and navigates in the application.

3) The user stops navigating and copies this URL: http://xx.xx.xxx.xx/alfresco/extension/browse.jsp
(a custom browse.jsp page with some things different from the original browse.jsp)

4) The user pastes this URL into his Outlook mail client and sends the email to his collaborator (another employee).

5) The collaborator clicks on this link and SUDDENLY has access to http://xx.xx.xxx.xx/alfresco/extension/browse.jsp and sees this view directly WITHOUT going through the login screen (http://xx.xx.xxx.xx/alfresco/extension/login.jsp). Moreover, the login name of the connected user (the upper-right link, the logout one) is the same as that of the user who sent the email.

6) But when the collaborator attempts to click on a link inside the view sent by email (http://xx.xx.xxx.xx/alfresco/extension/browse.jsp), he is in all cases automatically redirected to the login screen (http://xx.xx.xxx.xx/alfresco/extension/login.jsp).

My questions are:

1) How is the login name transmitted through Outlook mail?
2) Why doesn't the browse.jsp URL redirect a user to the login screen if he is not connected?

Thank you very much for your advice !

Regards.
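The second question, why a direct request for /alfresco/extension/browse.jsp is served at all, comes down to which URL patterns the web client's authentication filter is mapped on: a filter only runs for the patterns listed in web.xml, so a custom JSP reached under a path the filter does not cover is rendered without any session check. The filter below is an added example, not Alfresco's own code and not part of this thread. It assumes the custom pages live under /extension/*, that the login page is /extension/login.jsp, and that the web client keeps the logged-in user in the HTTP session under the attribute name "_alfAuthTicket" (check the value of AuthenticationHelper.AUTHENTICATION_USER in your Alfresco version before relying on it). The package name is hypothetical.

```java
// Added example (not Alfresco code). Gates every request under /extension/*
// on an existing authenticated session and sends everything else to the
// custom login page.
package com.example.extension;   // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ExtensionAuthFilter implements Filter {

    // ASSUMPTION: session attribute the web client sets on successful login
    // (AuthenticationHelper.AUTHENTICATION_USER in Alfresco 2.x); verify it.
    private static final String USER_ATTR = "_alfAuthTicket";

    // ASSUMPTION: the custom login page, which must stay reachable unauthenticated
    private static final String LOGIN_PAGE = "/extension/login.jsp";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // For a JSP served directly this is e.g. "/extension/browse.jsp"
        String path = request.getServletPath();

        // The login page itself is exempt, otherwise nobody could ever log in
        if (LOGIN_PAGE.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): never create a session here; a session that
        // did not exist before this request cannot be an authenticated one
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute(USER_ATTR) != null;

        if (!authenticated) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Authenticated page content must not be cached by a shared proxy
        // or the browser, so a later visitor to the same URL cannot read it
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(req, res);
    }
}

/* Register it in WEB-INF/web.xml with a mapping that actually covers the
   custom pages (the stock web-client filter mappings do not include this
   pattern; that is the assumption this example rests on):

   <filter>
     <filter-name>Extension Auth Filter</filter-name>
     <filter-class>com.example.extension.ExtensionAuthFilter</filter-class>
   </filter>
   <filter-mapping>
     <filter-name>Extension Auth Filter</filter-name>
     <url-pattern>/extension/*</url-pattern>
   </filter-mapping>
*/
```

To check the mapping gap without reading any code, log out, clear the browser cache, and request http://xx.xx.xxx.xx/alfresco/extension/browse.jsp in a fresh session: if the page renders instead of redirecting, no filter is mapped on that path. The filter above only answers the second question; it says nothing about why the sender's login name was displayed to the recipient, which has to be diagnosed separately.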
