> On Jul 28, 2016, at 9:40 AM, Damianos Metallidis <[email protected]> wrote:
>
> Thanks a lot for your detailed answer.
>
> I am in the process of monitoring apache-fortress and currently about the access part. Based on the architecture of my monitoring system I should detect and report inappropriate accesses. For example in an RBAC situation a role has access only on two certain links and not three.
>
> I think the first tutorial is sufficient in order to do such checks.
You’re welcome Damian. Please bear in mind that the first tutorial isn’t as much of a security how-to as it is an integration how-to. For example, it doesn’t apply page level controls. For the first tutorial I wanted most of all to show how to embed an access control system like Fortress in with a simple Web app.

The second one, apache fortress end-to-end security tutorial, has the complete security coverage but it comes with added complexity of setting up the test environment, with certs, database, etc.

But there’s a third tutorial:

https://github.com/shawnmckinney/role-engineering-sample

Which provides a more plausible set of use cases along with a more complete security strategy, that uses spring (in conjunction with fortress), to ensure the user can’t bypass a secured link by manually entering the URL in browser. It has a selenium test class that demonstrates the positive and negative security use cases:

https://github.com/shawnmckinney/role-engineering-sample/blob/master/src/test/java/org/rolesample/RoleSampleSeleniumITCase.java

Shawn
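As an added example, not part of this thread and not Fortress or role-engineering-sample code, here is a small Python monitor in the spirit of the check Damianos describes: given a role-to-URL policy, it flags successful accesses that fall outside a role's permitted links. The policy, role names, users, paths and the log line format are all constructed assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed policy: each role may only reach the listed paths (page-level rule).
POLICY: Dict[str, Set[str]] = {
    "Auditor": {"/report", "/history"},
    "Teller": {"/deposit", "/withdraw"},
}

# Constructed log format: user, role, HTTP method, path, status code.
LOG_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<role>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log line into its named fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def find_violations(lines: List[str], policy: Dict[str, Set[str]] = POLICY) -> List[Dict[str, str]]:
    """Return every access whose path is not in the role's allowed set.

    Only successful (2xx) responses are reported: a 403 means the app already
    blocked the request, which is expected behaviour rather than a violation.
    Unknown roles are treated as having no permissions at all.
    """
    violations = []
    for line in lines:
        rec = parse_line(line)
        allowed = policy.get(rec["role"], set())
        if rec["path"] not in allowed and rec["status"].startswith("2"):
            violations.append(rec)
    return violations

# Constructed sample log: the third line is an Auditor reaching a Teller-only page
# with a 200, which is the inappropriate access a monitor should report.
SAMPLE_LOG = [
    "alice Auditor GET /report 200",
    "alice Auditor GET /history 200",
    "alice Auditor GET /withdraw 200",
    "bob Teller POST /deposit 200",
    "bob Teller GET /report 403",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"VIOLATION user={v['user']} role={v['role']} path={v['path']}")
```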
