[appfuse-issues] [JIRA] Resolved: (APF-291) users page unsecured in the tapestry package


AppFuse - Issues mailing list
     [ http://issues.appfuse.org/browse/APF-291?page=all ]
     
Matt Raible resolved APF-291:
-----------------------------

     Resolution: Fixed
    Fix Version: 1.9.2

Fixed in 1.9.2.  Try logging into http://demo.appfuse.org/appfuse-tapestry/users.html with tomcat/tomcat.  You'll get the nice-n-ugly Tapestry error page.  To get a prettier one, uncomment the following in web/WEB-INF/hivemodule.xml:

    <!-- Uncomment before going to production as it displays nicer error messages to users -->
    <!--<contribution configuration-id="tapestry.InfrastructureOverrides">
        <property name="exceptionPageName" value="error"/>
    </contribution>-->

> users page unsecured in the tapestry package
> --------------------------------------------
>
>          Key: APF-291
>          URL: http://issues.appfuse.org/browse/APF-291
>      Project: AppFuse
>         Type: Bug
>   Components: Security
>     Versions: 1.9
>  Environment: Tomcat 5.5
>     Reporter: Jasper Ar
>     Assignee: Matt Raible
>      Fix For: 1.9.2
>
> I think the users page is not secured in the tapestry-appfuse package. If I am logged in as the "tomcat" user and change the URL to users.html, I still get the list of all users!  If I try the same in the struts-appfuse package, I get the "Access Denied" page like it should be! I could not find a difference in the ApplicationContext-security.xml. As per this configuration the getUsers method should only be accessible to an "admin" user, but surprisingly it is also accessible to the user tomcat, who is not an admin!

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.appfuse.org/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
