directory-fortress mailing list archives
From Shawn McKinney <>
Subject [ fortress-web ] spring security page security broken
Date Wed, 24 Aug 2016 19:33:57 GMT

Last night I found a security defect that made it into the fortress web’s 1.0.1 release.
 Here is the JIRA issue:

The problem has been resolved in trunk but if you are running fortress web 1.0.1, you should
modify the spring config intercept urls to match what’s now in latest:

This problem is being referred to as ‘critical’ but it’s really not.  Yes, users can
bypass the secured page links but once there they aren’t allowed to do anything because the secured
buttons are still fully operational.  There’s even another layer beyond that where the fortress
apis themselves also have security checks built in using the ARBAC02 administrative permission.

Which is why many layers of security are good.  When one layer fails, another takes over.

This situation also underscores the need to verify all security functionality with automated
tests.  Never assume the security checks built into your app will work from one release to
the next because we’re human and make mistakes.  We’ll get sloppy and forget to do that
manual test and the problem will make it out the door.

Finally, we have transparency.  That is, once the defect has been fixed, we make full disclosure
of its cause, impact, and resolution.
You can see the changes that were made here including the new selenium test case that was
added to make sure this problem does not regress:

Let me know if you have any questions about any of this.
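The message above asks 1.0.1 users to fix their Spring Security intercept-url rules and argues that such checks should be covered by automated tests. The block below is an added example, not fortress-web's own code, configuration or Selenium test, and the actual fortress-web rules are not on this page. It reproduces Spring Security's first-match semantics for intercept-url entries (rules are consulted in declaration order and the first matching pattern wins) over a constructed rule set, and reports any page that is expected to be secured but resolves to an open rule. The sample patterns, access expressions and path list are constructed for illustration; `InterceptUrl`, `resolve` and `find_unprotected` are names chosen here, not a Spring or Fortress API.

```python
"""Constructed check (not fortress-web's code or config): walk a list of
Spring Security style intercept-url rules in declaration order and report
secured pages that fall through to an open rule."""
import re
from typing import Dict, List, NamedTuple, Optional


class InterceptUrl(NamedTuple):
    pattern: str   # Ant-style path pattern, e.g. "/users/**"
    access: str    # Spring access expression, e.g. "hasRole('ADMIN')" or "permitAll"


def _ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the Ant wildcards Spring's AntPathMatcher uses most:
    '**' spans path segments, '*' stays within one segment, and a trailing
    '/**' also matches the bare prefix (simplified; not the full matcher)."""
    suffix = "$"
    if pattern.endswith("/**"):
        pattern = pattern[:-3]
        suffix = "(?:/.*)?$"
    out = "^"
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile(out + suffix)


def resolve(rules: List[InterceptUrl], path: str) -> Optional[str]:
    """Return the access expression of the first rule whose pattern matches,
    mirroring first-match evaluation; None means no rule covered the path."""
    for rule in rules:
        if _ant_to_regex(rule.pattern).match(path):
            return rule.access
    return None


# Access expressions that grant the page to unauthenticated users.
OPEN_ACCESS = {"permitAll", "permitAll()", "anonymous", "isAnonymous()"}


def find_unprotected(rules: List[InterceptUrl], secured_paths: List[str]) -> Dict[str, Optional[str]]:
    """Map each expected-secured path that resolves to an open rule (or to no
    rule at all) onto the expression it actually got: the regression an
    automated test should fail on."""
    gaps: Dict[str, Optional[str]] = {}
    for path in secured_paths:
        access = resolve(rules, path)
        if access is None or access in OPEN_ACCESS:
            gaps[path] = access
    return gaps


# Constructed rule sets (hypothetical, not fortress-web's real configuration).
# WEAK_RULES declares the catch-all before the admin rule, so the admin rule
# is never reached; FIXED_RULES orders the specific rule first.
WEAK_RULES = [
    InterceptUrl("/login*", "permitAll"),
    InterceptUrl("/**", "permitAll"),
    InterceptUrl("/users/**", "hasRole('ADMIN')"),
]
FIXED_RULES = [
    InterceptUrl("/login*", "permitAll"),
    InterceptUrl("/users/**", "hasRole('ADMIN')"),
    InterceptUrl("/**", "isAuthenticated()"),
]
# Constructed list of pages the site expects to require an admin role.
SECURED_PAGES = ["/users/list", "/users/add"]


if __name__ == "__main__":
    print("weak :", find_unprotected(WEAK_RULES, SECURED_PAGES))
    print("fixed:", find_unprotected(FIXED_RULES, SECURED_PAGES))
```

Run as a unit test in the build, this kind of check fails the moment a rule is reordered or a pattern is loosened, which is the point the message makes about not relying on a manual test that someone forgets to run; it complements rather than replaces an end-to-end browser test against the deployed pages, since it only inspects the rule list, not the filter chain that applies it.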
