[ https://issues.apache.org/jira/browse/FC-176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15435491#comment-15435491 ]
Shawn McKinney commented on FC-176:
-----------------------------------
Issue occurred between the 1.0.0 release (good) and 1.0.1 (bad).
The problem occurred due to the intercept url's page names not matching case of
the wicket pages. For example this:
    <sec:intercept-url
        pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.userpage"
        access="ROLE_RBAC_ADMIN,ROLE_USERS"/>
should have been this:
    <sec:intercept-url
        pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.UserPage"
        access="ROLE_RBAC_ADMIN,ROLE_USERS"/>
> [ fortress-web ] spring security page security broken
> -----------------------------------------------------
>
> Key: FC-176
> URL: https://issues.apache.org/jira/browse/FC-176
> Project: FORTRESS
> Issue Type: Bug
> Affects Versions: 1.0.1
> Reporter: Shawn McKinney
> Assignee: Shawn McKinney
> Fix For: 1.0.2
>
>
> The spring page level security controls are not preventing unauthorized users
> from accessing pages. Fix and add test cases verifying to prevent problem
> from recurring.
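
A regression check of the kind the issue asks for, as an added example (not code from the Fortress project): it parses a Spring Security config and flags `/wicket/bookmarkable/` patterns whose class name differs from a known page class only by case, assuming the patterns are matched case-sensitively. The sample config, the `org.example.web.ReportPage` class and the `KNOWN_PAGES` set are constructed for illustration; in practice the page-class list would be collected from the source tree.

```python
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
PREFIX = "/wicket/bookmarkable/"

# Constructed sample: the first pattern is the miscased one quoted in the
# comment; ReportPage is a made-up class used only for this example.
SAMPLE_CONFIG = f"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="{SEC_NS}">
  <sec:http>
    <sec:intercept-url
        pattern="/wicket/bookmarkable/org.apache.directory.fortress.web.userpage"
        access="ROLE_RBAC_ADMIN,ROLE_USERS"/>
    <sec:intercept-url
        pattern="/wicket/bookmarkable/org.example.web.ReportPage"
        access="ROLE_USERS"/>
    <sec:intercept-url pattern="/home/**" access="ROLE_USERS"/>
  </sec:http>
</beans>"""

# Assumption: fully qualified names of the application's Wicket page classes.
KNOWN_PAGES = {
    "org.apache.directory.fortress.web.UserPage",
    "org.example.web.ReportPage",
}

def check_intercept_urls(config_xml, page_classes):
    """Return (pattern, problem) for bookmarkable patterns that do not
    name a known page class with exactly matching case."""
    by_lower = {name.lower(): name for name in page_classes}
    findings = []
    for el in ET.fromstring(config_xml).iter(f"{{{SEC_NS}}}intercept-url"):
        pattern = el.get("pattern", "")
        if not pattern.startswith(PREFIX):
            continue                      # not a bookmarkable page rule
        target = pattern[len(PREFIX):]
        if "*" in target or "?" in target or target in page_classes:
            continue                      # wildcard rule, or exact match
        actual = by_lower.get(target.lower())
        problem = (f"case mismatch, page class is {actual}" if actual
                   else "no such page class")
        findings.append((pattern, problem))
    return findings

if __name__ == "__main__":
    for pattern, problem in check_intercept_urls(SAMPLE_CONFIG, KNOWN_PAGES):
        print(f"{pattern}: {problem}")
```

Run in the build, a non-empty result fails the job before a rule that protects nothing can ship.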