directory-dev mailing list archives

From "Shawn McKinney (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FC-176) [ fortress-web ] spring security page security broken
Date Wed, 24 Aug 2016 19:15:20 GMT

    [ https://issues.apache.org/jira/browse/FC-176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15435491#comment-15435491 ]

Shawn McKinney commented on FC-176:
-----------------------------------

Issue occurred between the 1.0.0 release (good) and 1.0.1 (bad).  

The problem occurred due to the intercept url's page names not matching the case of the Wicket
pages.  For example, this:
                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.userpage"
                                   access="ROLE_RBAC_ADMIN,ROLE_USERS"/>
should have been this:
                <sec:intercept-url pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.UserPage"
                                   access="ROLE_RBAC_ADMIN,ROLE_USERS"/>

> [ fortress-web ] spring security page security broken
> -----------------------------------------------------
>
>                 Key: FC-176
>                 URL: https://issues.apache.org/jira/browse/FC-176
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.1
>            Reporter: Shawn McKinney
>            Assignee: Shawn McKinney
>             Fix For: 1.0.2
>
>
> The spring page level security controls are not preventing unauthorized users from accessing
> pages.  Fix and add test cases verifying to prevent problem from recurring.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
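
The case mismatch described in the comment above can be caught before release by a check like the one below. It is an added example, not part of the original message or the Fortress code base; the sample config, the ExamplePage class, the ROLE_EXAMPLE role and the function name are constructed, and it assumes patterns are compared case-sensitively and contain no wildcards.

```python
import xml.etree.ElementTree as ET

SEC_NS = "{http://www.springframework.org/schema/security}"
PREFIX = "/wicket/bookmarkable/"
PKG = "org.apache.directory.fortress.web."

# Constructed sample: the first rule carries the lower-case name from the comment,
# the second rule (ExamplePage / ROLE_EXAMPLE) is hypothetical and correctly cased.
SAMPLE_CONFIG = f"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http>
    <sec:intercept-url pattern="{PREFIX}{PKG}userpage"
                       access="ROLE_RBAC_ADMIN,ROLE_USERS"/>
    <sec:intercept-url pattern="{PREFIX}{PKG}ExamplePage"
                       access="ROLE_RBAC_ADMIN,ROLE_EXAMPLE"/>
  </sec:http>
</beans>"""

# Assumed input: fully qualified page class names, e.g. collected from the build.
PAGE_CLASSES = [PKG + "UserPage", PKG + "ExamplePage"]


def check_page_rules(config_xml, page_classes):
    """Return sorted (kind, class_name) findings for bookmarkable-page rules."""
    root = ET.fromstring(config_xml)
    # Class names that have a literal intercept-url rule under the page prefix.
    ruled = {
        el.get("pattern", "")[len(PREFIX):]
        for el in root.iter(SEC_NS + "intercept-url")
        if el.get("pattern", "").startswith(PREFIX)
    }
    known_lower = {name.lower() for name in page_classes}
    findings = []
    for name in ruled:
        if name in page_classes:
            continue  # exact, case-sensitive match: the rule applies to the page
        # A rule that matches only when case is ignored protects nothing.
        kind = "case-mismatch" if name.lower() in known_lower else "unknown-page"
        findings.append((kind, name))
    for name in page_classes:
        if name not in ruled:
            findings.append(("unprotected", name))  # page has no matching rule
    return sorted(findings)


if __name__ == "__main__":
    for kind, name in check_page_rules(SAMPLE_CONFIG, PAGE_CLASSES):
        print(f"{kind}: {name}")
```

Run against the real security config and page list in a build step, a non-empty result means at least one page is reachable without its intended role check.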
