Hello,

Last night I found a security defect that made it into the fortress web’s 1.0.1 
release.  Here is the JIRA issue:
https://issues.apache.org/jira/browse/FC-176

The problem has been resolved in trunk but if you are running fortress web 
1.0.1, you should modify the spring config intercept urls to match what’s now 
in latest:
https://github.com/apache/directory-fortress-commander/blob/master/src/main/resources/applicationContext.xml

This problem is being referred to as ‘critical’ but it’s really not.  Yes, 
users can bypass the secured page links, but once there they aren’t allowed to do 
anything because the secured buttons are still fully operational.  There’s even 
another layer beyond that, where the fortress apis themselves also have security 
checks built in using the ARBAC02 administrative permission controls.

Which is why many layers of security are good.  When one layer fails, another 
takes over.

This situation also underscores the need to verify all security functionality 
with automated tests.  Never assume the security checks built into your app 
will work from one release to the next because we’re human and make mistakes.  
We’ll get sloppy and forget to do that manual test and the problem will make it 
out the door.  

Finally, we have transparency.  That is, once the defect has been fixed, we make 
full disclosure of its cause, impact, and resolution.
You can see the changes that were made here including the new selenium test 
case that was added to make sure this problem does not regress:
https://github.com/apache/directory-fortress-commander/commit/074c39aa09c58848e97293ab049e8ba9b265a58d

Let me know if you have any questions about any of this.

Thanks,

Shawn
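As an added illustration (not code from the fortress project or from the commit linked above), here is a small Python model of Spring Security's ordered intercept-url evaluation, where the first matching pattern decides access, together with the kind of automated regression check the message argues for. The rule sets, page paths and role names are constructed for the example and do not reproduce the project's actual applicationContext.xml or the FC-176 defect.

```python
import re

def ant_to_regex(pattern):
    # Simplified Ant-style path matching: '**' spans path separators,
    # '*' matches within a single segment, everything else is literal.
    out = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")

def decide(rules, path, roles):
    # rules: ordered list of (pattern, access); access is "permitAll" or a
    # list of role names. The FIRST matching pattern decides, as in Spring
    # Security; rules declared after a broader match are never consulted.
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access == "permitAll" or bool(set(access) & set(roles))
    return False  # assumption for this model: deny when nothing matches

# Constructed rule sets; they do not reproduce the project's real config.
LOOSE_RULES = [
    ("/login/**", "permitAll"),
    ("/**", "permitAll"),            # catch-all declared too early
    ("/users/**", ["ROLE_USERS"]),   # shadowed: never reached
]
TIGHT_RULES = [
    ("/login/**", "permitAll"),
    ("/users/**", ["ROLE_USERS"]),
    ("/**", ["ROLE_AUTHENTICATED"]), # catch-all declared last
]

SECURED_PAGES = ["/users/users.html", "/roles/roles.html"]  # hypothetical

def pages_open_to_anonymous(rules):
    # The regression check: every secured page must be denied to a request
    # carrying no roles. A non-empty result means the config regressed.
    return [p for p in SECURED_PAGES if decide(rules, p, roles=[])]
```

Wiring `pages_open_to_anonymous` into the build as a test that fails on any non-empty result is what keeps a reordered or missing intercept-url from shipping unnoticed.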