[#SHALE-344] Remoting does not provide configurable limiting of exposed resources

Shale

Remoting does not provide configurable limiting of exposed resources

Created: 29/Nov/06 08:01 PM Updated: 23/Jan/07 04:40 PM

Component/s:

Remoting

Affects Version/s:

None

Fix Version/s:

1.0.4

Description

« Hide

Shale Remoting's current Processor implementations provide limited hard coded limitations on what resources may be accessed (cannot download classpath resources named "*.class", cannot download webapp resources named "/WEB-INF/*"), but they need to provide configurable settings for more fine grain control. In addition, reasonably secure defaults should be provided.

All

Comments

Change History

Subversion Commits

Sort Order:

[ Permlink | « Hide ]

Craig McClanahan added a comment - 30/Nov/06 10:59 PM

I've checked in code that makes it possible to filter what resource ids a particular processor will provide (excluded resources return a 404 to provide no information on whether a resource id is nonexistent, or whether it exists but access is being denied). The "out of the box" configuration for classpath resources and webapp resources now prevents access to things like "*.properties".

Still need to add documentation to the website for configuring these restrictions, and to decide what defaults should be defined for the "dynamic" processor that maps resource ids to a public method on a managed bean.

The new code will be available in the 20061201 nightly build, and in the 1.0.4 release when it occurs.

[ Permlink | « Hide ]

Craig McClanahan added a comment - 16/Dec/06 03:10 AM

Tightened up default rules for the "dynamic" (map to method binding) processor, and made any user specified "excludes" list *add to* rather than replace the default excludes. With this, I'm declaring this to be fixed for 1.0.4.