Issue Details (XML | Word | Printable)

Key: SHALE-344
Type: Bug Bug
Status: Resolved Resolved
Resolution: Fixed
Priority: Major Major
Assignee: Craig McClanahan
Reporter: Craig McClanahan
Votes: 0
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
Shale

Remoting does not provide configurable limiting of exposed resources

Created: 29/Nov/06 08:01 PM   Updated: 23/Jan/07 04:40 PM
Component/s: Remoting
Affects Version/s: None
Fix Version/s: 1.0.4


 Description  « Hide
Shale Remoting's current Processor implementations provide limited hard coded limitations on what resources may be accessed (cannot download classpath resources named "*.class", cannot download webapp resources named "/WEB-INF/*"), but they need to provide configurable settings for more fine grain control. In addition, reasonably secure defaults should be provided.

 All   Comments   Change History   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
Repository Revision Date User Message
ASF #481099 Thu Nov 30 22:55:59 UTC 2006 craigmcc Add support for configuring (via pattern matching) the set of resource ids
that a particular processor will be allowed to provide, with disallowed ones
getting an HTTP 404 response back. For the classloader and webapp resources,
the default configuration has these patterns:

Excluded: *.class,*.jsp,*.properties

Included: *.css,*.gif,*.html,*.jpg,*.js,*.png,*.xml

(As before, the webapp resource processor disallows access inside WEB-INF,
no matter whether the file matches an included pattern or not).

Defaults for the dynamic processor (the ones that map a resource id to a
method on a managed bean) are still set to allow all patterns. This deserves
more thought; there does not appear to be a set of sensible defaults that
is likely to work for a majority of applications using this feature.

SHALE-344
Files Changed
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/AbstractResourceProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/MethodBindingProcessor.java
ADD /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/faces
ADD /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/FilteringProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/impl/MethodBindingProcessorTestCase.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/faces/MappingsHelper.java
MODIFY /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/impl/ClassResourceProcessorTestCase.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/faces/RemotingPhaseListener.java
ADD /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/faces/MappingsHelperTestCase.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/Constants.java

Repository Revision Date User Message
ASF #481613 Sat Dec 02 19:49:06 UTC 2006 craigmcc Update the package summary javadocs to document configuring the new
"include" and "exclude" constraints on resource identifiers, including
the default values. Added pointers to this from the website page.

SHALE-344
Files Changed
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/package.html
MODIFY /shale/framework/trunk/shale-remoting/src/site/xdoc/index.xml


Powered by a free Atlassian JIRA open source license for Apache Software Foundation - Struts. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.2-#335) - Bug/feature request - Atlassian news - Contact Administrators