[
https://issues.apache.org/jira/browse/FC-176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15435531#comment-15435531
]
Shawn McKinney edited comment on FC-176 at 8/24/16 7:41 PM:
------------------------------------------------------------
The problem has been resolved in trunk but if you are running fortress web
1.0.1, you should modify the spring config intercept urls to match what’s now
in latest:
https://github.com/apache/directory-fortress-commander/blob/master/src/main/resources/applicationContext.xml
This problem is being referred to as ‘critical’ but it’s really not. Yes,
users can bypass the secured page links, but once there they aren’t allowed to do
anything because the secured buttons are still fully operational. There’s even
another layer beyond that where the fortress apis themselves also have security
checks built in using the ARBAC02 administrative permission controls.
Which is why many layers of security are good. When one layer fails, another
takes over.
This situation also underscores the need to verify all security functionality
with automated tests. Never assume the security checks built into your app
will work from one release to the next because we’re human and make mistakes.
We’ll get sloppy and forget to do that manual test and the problem will make it
out the door.
Finally we have transparency. That is once the defect has been fixed, we make
full disclosure of its cause, impact, and resolution.
You can see the changes that were made here including the new selenium test
case that was added to make sure this problem does not regress:
https://github.com/apache/directory-fortress-commander/commit/074c39aa09c58848e97293ab049e8ba9b265a58d
was (Author: smckinney):
Last night I found a security defect that made it into the fortress web’s 1.0.1
release. Here is JIRA issue:
https://issues.apache.org/jira/browse/FC-176
The problem has been resolved in trunk but if you are running fortress web
1.0.1, you should modify the spring config intercept urls to match what’s now
in latest:
https://github.com/apache/directory-fortress-commander/blob/master/src/main/resources/applicationContext.xml
This problem is being referred to as ‘critical’ but it’s really not. Yes,
users can bypass the secured page links, but once there they aren’t allowed to do
anything because the secured buttons are still fully operational. There’s even
another layer beyond that where the fortress apis themselves also have security
checks built in using the ARBAC02 administrative permission controls.
Which is why many layers of security are good. When one layer fails, another
takes over.
This situation also underscores the need to verify all security functionality
with automated tests. Never assume the security checks built into your app
will work from one release to the next because we’re human and make mistakes.
We’ll get sloppy and forget to do that manual test and the problem will make it
out the door.
Finally we have transparency. That is once the defect has been fixed, we make
full disclosure of its cause, impact, and resolution.
You can see the changes that were made here including the new selenium test
case that was added to make sure this problem does not regress:
https://github.com/apache/directory-fortress-commander/commit/074c39aa09c58848e97293ab049e8ba9b265a58d
> [ fortress-web ] spring security page security broken
> -----------------------------------------------------
>
> Key: FC-176
> URL: https://issues.apache.org/jira/browse/FC-176
> Project: FORTRESS
> Issue Type: Bug
> Affects Versions: 1.0.1
> Reporter: Shawn McKinney
> Assignee: Shawn McKinney
> Fix For: 1.0.2
>
>
> The spring page level security controls are not preventing unauthorized users
> from accessing pages. Fix and add test cases verifying to prevent problem
> from recurring.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
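The comment above points at two things a practitioner would want to see concretely: how an ordered list of page-level intercept-url rules decides access (first match wins, as in Spring Security), and how an automated check catches a rule set that lets unauthenticated users reach secured pages. The block below is an added illustration, not code from the Fortress project and not the actual misconfiguration in fortress web 1.0.1 (which the comment does not describe); the page paths, role names and the "catch-all rule listed first" mistake are constructed assumptions chosen to show one way such a bypass arises and how a regression check exposes it.

```python
"""Ordered page-security rules in the spirit of Spring Security's <intercept-url>,
plus a regression check over expected decisions.  Constructed example; the paths,
roles and configurations below are hypothetical and not Fortress's own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InterceptUrl:
    """One ordered rule.  An empty role set means the rule permits anyone."""
    pattern: str
    roles: frozenset = frozenset()


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern ('**' = any depth, '*' = one segment)."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def is_allowed(rules, path, user_roles) -> bool:
    """The first matching rule decides; a path matching no rule is denied."""
    for rule in rules:
        if ant_to_regex(rule.pattern).match(path):
            return not rule.roles or bool(rule.roles & frozenset(user_roles))
    return False


# Constructed configurations (hypothetical page names and roles).
ADMIN = frozenset({"ROLE_ADMIN"})

MISORDERED = [
    InterceptUrl("/**"),                 # catch-all permitAll listed first shadows everything below
    InterceptUrl("/login*"),
    InterceptUrl("/users/**", ADMIN),
    InterceptUrl("/roles/**", ADMIN),
]

CORRECTED = [
    InterceptUrl("/login*"),             # public pages enumerated explicitly
    InterceptUrl("/users/**", ADMIN),
    InterceptUrl("/roles/**", ADMIN),
    InterceptUrl("/**", ADMIN),          # catch-all last, and it requires a role
]

# Expected decisions: (request path, roles the requester holds, should be allowed).
CASES = [
    ("/login", set(), True),
    ("/users/list", set(), False),       # anonymous must not reach a secured page
    ("/users/list", {"ROLE_VIEWER"}, False),
    ("/users/list", {"ROLE_ADMIN"}, True),
    ("/roles/edit", set(), False),
    ("/anything/else", set(), False),
]


def audit(rules, cases=CASES):
    """Regression check: every case where the rule set disagrees with expectation.

    Returns a list of (path, roles, expected, actual); an empty list means the
    page-level controls behave as intended for all listed cases."""
    return [
        (path, sorted(roles), expected, is_allowed(rules, path, roles))
        for path, roles, expected in cases
        if is_allowed(rules, path, roles) != expected
    ]


if __name__ == "__main__":
    for name, cfg in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, "->", audit(cfg) or "all cases pass")
```

Running `audit` as part of the build, the way the comment describes adding a selenium test, turns "the page-level security still works" from a manual check into a failing build whenever a rule is reordered or dropped; the `/anything/else` case is there so that a page added later without its own rule is still denied rather than silently exposed.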