directory-dev mailing list archives

From "Shawn McKinney (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FC-176) [ fortress-web ] spring security page security broken
Date Wed, 24 Aug 2016 19:40:20 GMT

    [ https://issues.apache.org/jira/browse/FC-176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15435531#comment-15435531 ]

Shawn McKinney commented on FC-176:
-----------------------------------

Last night I found a security defect that made it into the fortress web’s 1.0.1 release.
Here is the JIRA issue:
https://issues.apache.org/jira/browse/FC-176

The problem has been resolved in trunk but if you are running fortress web 1.0.1, you should
modify the spring config intercept urls to match what’s now in latest:
https://github.com/apache/directory-fortress-commander/blob/master/src/main/resources/applicationContext.xml

This problem is being referred to as ‘critical’ but it’s really not.  Yes, users can
bypass the secured page links, but once there they aren’t allowed to do anything because the secured
buttons are still fully operational.  There’s even another layer beyond that, where the fortress
APIs themselves also have security checks built in using the ARBAC02 administrative permission
controls.

Which is why many layers of security are good.  When one layer fails, another takes over.

This situation also underscores the need to verify all security functionality with automated
tests.  Never assume the security checks built into your app will work from one release to
the next because we’re human and make mistakes.  We’ll get sloppy and forget to do that
manual test and the problem will make it out the door.  

Finally, we have transparency.  That is, once the defect has been fixed, we make full disclosure
of its cause, impact, and resolution.
You can see the changes that were made here including the new selenium test case that was
added to make sure this problem does not regress:
https://github.com/apache/directory-fortress-commander/commit/074c39aa09c58848e97293ab049e8ba9b265a58d

> [ fortress-web ] spring security page security broken
> -----------------------------------------------------
>
>                 Key: FC-176
>                 URL: https://issues.apache.org/jira/browse/FC-176
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.1
>            Reporter: Shawn McKinney
>            Assignee: Shawn McKinney
>             Fix For: 1.0.2
>
>
> The spring page level security controls are not preventing unauthorized users from accessing pages.  Fix and add test cases verifying to prevent problem from recurring.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
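The message points at the project's `applicationContext.xml` for the corrected `<intercept-url>` rules but does not say what the broken rules looked like. The fragment below is an added, constructed illustration of the general mechanism (Spring Security XML namespace, `use-expressions` style); it is not the project's configuration, and the "weak" ordering it shows is a hypothetical example of a common class of misconfiguration, not a claim about the actual cause of FC-176. Role names, URL patterns and the sample accounts are all made up for the illustration.

```xml
<!-- Added illustration, not the project's applicationContext.xml.
     Spring Security evaluates <intercept-url> rules top to bottom and the
     FIRST matching pattern decides access, so rule order and pattern breadth
     are what page-level protection actually depends on. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- WEAK (hypothetical, kept commented out): the catch-all is listed above
       the role-specific rule, so every authenticated user matches "/**" first
       and the ROLE_ADMIN requirement below is never consulted. The admin
       pattern is also narrower than the ways the page can be addressed
       (only *.html), which is a second way a rule silently stops applying.

  <http use-expressions="true">
    <intercept-url pattern="/**"            access="isAuthenticated()"/>
    <intercept-url pattern="/admin/*.html"  access="hasRole('ROLE_ADMIN')"/>
    <form-login/>
  </http>
  -->

  <!-- CORRECTED: most specific patterns first, the catch-all last, and each
       pattern wide enough ("/**") to cover every route to the protected page. -->
  <http use-expressions="true">
    <intercept-url pattern="/login*"   access="permitAll"/>
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/users/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER_ADMIN')"/>
    <intercept-url pattern="/**"       access="isAuthenticated()"/>
    <form-login login-page="/login.html"/>
    <logout/>
  </http>

  <!-- Constructed in-memory accounts so the fragment is self-contained for a
       local check; a real deployment authenticates against its directory. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="admin"  password="adminpw"  authorities="ROLE_ADMIN"/>
        <user name="viewer" password="viewerpw" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

The check that the message argues for is the one that catches both mistakes: an automated test logged in as the low-privilege account (here `viewer`) requests each secured page URL directly, bypassing the hidden link, and asserts that the response is a redirect to the login page or a 403, not the page itself. Run against the commented-out ordering that test fails; against the corrected ordering it passes, which is exactly the regression guard the linked Selenium test provides for the real project.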
