[appfuse-issues] [JIRA] Updated: (APF-253) Users without admin privilege can access protected pages

AppFuse - Issues mailing list
     [ http://issues.appfuse.org/browse/APF-253?page=all ]

Matt Raible updated APF-253:
----------------------------

    Fix Version: 1.9.3

> Users without admin privilege can access protected pages
> --------------------------------------------------------
>
>          Key: APF-253
>          URL: http://issues.appfuse.org/browse/APF-253
>      Project: AppFuse
>         Type: Bug

>   Components: Security
>     Versions: 1.9, 1.8.2
>  Environment: Win XP Pro, Tomcat 5.0.28, Appfuse 1.8.2
>     Reporter: Mike Melson
>     Assignee: Matt Raible
>      Fix For: 1.9.3

>
> To recreate:
> 1. Go to http://demo.appfuse.org/appfuse-jsf
> 2. Login as tomcat/tomcat
> 3. Enter the following URL: http://demo.appfuse.org/appfuse-jsf/users.html
> You will see the user's page even though no admin priv's. Same is true for: reload.html & flushCache.html
> As a fix, I added these pages to ApplicationContext-Security.xml (filterInvocationInterceptor). The first time I try to access the page, it's protected & I get "access denied" page. If I go to another page & then hit "back" on the browser, the previously protected page appears.

--
This message is automatically generated by JIRA.
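The report above turns on which URL rule in filterInvocationInterceptor applies to users.html, reload.html and flushCache.html. The following is an added example, not AppFuse's code or configuration: it resolves the required roles for those three pages against two constructed rule blocks written in Acegi's objectDefinitionSource syntax. The role names "admin" and "tomcat", the catch-all rule and the simplified Ant matcher are assumptions, and it models rule resolution only.

```python
import re

# Constructed rule blocks in Acegi's objectDefinitionSource syntax; they are not
# AppFuse's real file, and the role names "admin" and "tomcat" are assumptions.
RULES_BEFORE = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**/*.html*=admin,tomcat
"""
# Specific rules go first (first match wins) and are written in lowercase,
# because the request URL is lowercased before it is compared.
RULES_AFTER = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/users.html*=admin
/reload.html*=admin
/flushcache.html*=admin
/**/*.html*=admin,tomcat
"""
ADMIN_PAGES = ["/users.html", "/reload.html", "/flushCache.html"]

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '**' spans directories, '*' and '?' do not."""
    out, i = "", 0
    while i < len(pattern):
        for token, rx in (("/**/", "/(?:.*/)?"), ("**", ".*"), ("*", "[^/]*"), ("?", "[^/]")):
            if pattern.startswith(token, i):
                out, i = out + rx, i + len(token)
                break
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")

def required_roles(block, url):
    """Roles of the first matching rule, or None if no rule secures the URL."""
    lines = [l.strip() for l in block.splitlines() if l.strip()]
    if "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON" in lines:
        url = url.lower()
    for line in lines:
        if "=" in line:
            pattern, roles = line.split("=", 1)
            if ant_to_regex(pattern).match(url):
                return set(roles.split(","))
    return None

def reachable_by(block, role, urls):
    """URLs the given role can open: unsecured ones or ones listing the role."""
    return [u for u in urls if (r := required_roles(block, u)) is None or role in r]

if __name__ == "__main__":
    print("before:", reachable_by(RULES_BEFORE, "tomcat", ADMIN_PAGES))
    print("after: ", reachable_by(RULES_AFTER, "tomcat", ADMIN_PAGES))
```

A rule spelled `/flushCache.html*` would never match while the lowercase directive is set, so that page would fall through to the catch-all rule.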