
Key: SHALE-344
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Craig McClanahan
Reporter: Craig McClanahan
Votes: 0
Watchers: 0
Shale

Remoting does not provide configurable limiting of exposed resources

Created: 29/Nov/06 08:01 PM   Updated: 23/Jan/07 04:40 PM
Component/s: Remoting
Affects Version/s: None
Fix Version/s: 1.0.4


Description
Shale Remoting's current Processor implementations provide limited hard-coded limitations on what resources may be accessed (cannot download classpath resources named "*.class", cannot download webapp resources named "/WEB-INF/*"), but they need to provide configurable settings for more fine-grained control. In addition, reasonably secure defaults should be provided.


Subversion commit
Repository: ASF
Revision: #481099
Date: Thu Nov 30 22:55:59 UTC 2006
User: craigmcc
Message: Add support for configuring (via pattern matching) the set of resource ids
that a particular processor will be allowed to provide, with disallowed ones
getting an HTTP 404 response back. For the classloader and webapp resources,
the default configuration has these patterns:

Excluded: *.class,*.jsp,*.properties

Included: *.css,*.gif,*.html,*.jpg,*.js,*.png,*.xml

(As before, the webapp resource processor disallows access inside WEB-INF,
no matter whether the file matches an included pattern or not).

Defaults for the dynamic processor (the ones that map a resource id to a
method on a managed bean) are still set to allow all patterns. This deserves
more thought; there does not appear to be a set of sensible defaults that
is likely to work for a majority of applications using this feature.

SHALE-344
Files Changed
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/AbstractResourceProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/MethodBindingProcessor.java
ADD /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/faces
ADD /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/FilteringProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/impl/MethodBindingProcessorTestCase.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/faces/MappingsHelper.java
MODIFY /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/impl/ClassResourceProcessorTestCase.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/faces/RemotingPhaseListener.java
ADD /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/faces/MappingsHelperTestCase.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/Constants.java

Craig McClanahan made changes - 30/Nov/06 10:56 PM
Field Original Value New Value
Assignee Craig McClanahan [ craigmcc ]
Craig McClanahan added a comment - 30/Nov/06 10:59 PM
I've checked in code that makes it possible to filter what resource ids a particular processor will provide (excluded resources return a 404 to provide no information on whether a resource id is nonexistent, or whether it exists but access is being denied). The "out of the box" configuration for classpath resources and webapp resources now prevents access to things like "*.properties".

Still need to add documentation to the website for configuring these restrictions, and to decide what defaults should be defined for the "dynamic" processor that maps resource ids to a public method on a managed bean.

The new code will be available in the 20061201 nightly build, and in the 1.0.4 release when it occurs.

Subversion commit
Repository: ASF
Revision: #481613
Date: Sat Dec 02 19:49:06 UTC 2006
User: craigmcc
Message: Update the package summary javadocs to document configuring the new
"include" and "exclude" constraints on resource identifiers, including
the default values. Added pointers to this from the website page.

SHALE-344
Files Changed
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/package.html
MODIFY /shale/framework/trunk/shale-remoting/src/site/xdoc/index.xml

Craig McClanahan made changes - 14/Dec/06 12:45 AM
Fix Version/s TBD [ 21773 ]
Craig McClanahan added a comment - 16/Dec/06 03:10 AM
Tightened up default rules for the "dynamic" (map to method binding) processor, and made any user specified "excludes" list *add to* rather than replace the default excludes. With this, I'm declaring this to be fixed for 1.0.4.

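The filtering rules described in the 30/Nov/06 commit message and the 16/Dec/06 comment, as an added illustrative example in Java. This is hypothetical code written for this page, not Shale's FilteringProcessor or any other file from the commits listed above. The class name ResourceIdFilter, the constructor signature, the rule that a user-specified include list replaces the default includes, the evaluation order (WEB-INF check, then excludes, then includes), case-insensitive matching, and the path normalization step are all assumptions; only the default pattern lists, the "user excludes add to the defaults" rule, the unconditional WEB-INF block, and the 404-for-denied behaviour come from the issue.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Hypothetical include/exclude filter modelling the SHALE-344 rules.
 * Not Shale's FilteringProcessor; names and evaluation order are assumptions.
 */
public final class ResourceIdFilter {

    /** Default pattern lists as stated in the 30/Nov/06 commit message. */
    static final String DEFAULT_EXCLUDES = "*.class,*.jsp,*.properties";
    static final String DEFAULT_INCLUDES = "*.css,*.gif,*.html,*.jpg,*.js,*.png,*.xml";

    private final List<Pattern> includes;
    private final List<Pattern> excludes;
    private final boolean webapp; // true: this filter guards webapp resources

    public ResourceIdFilter(String userIncludes, String userExcludes, boolean webapp) {
        // Assumption: a user-specified include list replaces the defaults.
        this.includes = compile(userIncludes == null ? DEFAULT_INCLUDES : userIncludes);
        // Per the 16/Dec/06 comment: user excludes are added to the defaults, never substituted.
        this.excludes = compile(userExcludes == null
                ? DEFAULT_EXCLUDES : DEFAULT_EXCLUDES + "," + userExcludes);
        this.webapp = webapp;
    }

    /** True if the processor may serve this id; false means answer 404 (denied or unknown alike). */
    public boolean allows(String resourceId) {
        String id = normalize(resourceId);
        if (id == null) return false;
        // Unconditional rule from the commit message: the webapp processor never serves WEB-INF,
        // even when the file name matches an included pattern such as *.xml.
        String upper = id.toUpperCase(Locale.ROOT);
        if (webapp && (upper.startsWith("/WEB-INF/") || upper.equals("/WEB-INF"))) return false;
        // Assumption: an exclude match wins over any include match.
        for (Pattern p : excludes) if (p.matcher(id).matches()) return false;
        for (Pattern p : includes) if (p.matcher(id).matches()) return true;
        return false; // not explicitly included: same opaque 404 as an exclusion
    }

    /** Turn "*.css,*.js" into anchored regexes; '*' is the only wildcard, all else is literal. */
    private static List<Pattern> compile(String csv) {
        List<Pattern> out = new ArrayList<>();
        for (String raw : csv.split(",")) {
            String glob = raw.trim();
            if (glob.isEmpty()) continue;
            StringBuilder re = new StringBuilder("^");
            for (String part : glob.split("\\*", -1)) { // -1 keeps empty leading/trailing parts
                if (!part.isEmpty()) re.append(Pattern.quote(part));
                re.append(".*");
            }
            re.setLength(re.length() - 2); // drop the ".*" appended after the last segment
            re.append("$");
            // Assumption: match case-insensitively so "Foo.CLASS" cannot slip past "*.class".
            out.add(Pattern.compile(re.toString(), Pattern.CASE_INSENSITIVE));
        }
        return Collections.unmodifiableList(out);
    }

    /** Added hardening not described in the issue: collapse "." and ".." segments first. */
    private static String normalize(String resourceId) {
        if (resourceId == null || !resourceId.startsWith("/")) return null;
        try {
            String n = new URI(null, null, resourceId, null).normalize().getPath();
            // a path that climbs above the root is malformed; reject it outright
            return (n == null || n.startsWith("/..")) ? null : n;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: webapp processor, default patterns plus one extra user exclude.
        ResourceIdFilter f = new ResourceIdFilter(null, "*.txt", true);
        String[] ids = { "/styles/site.css", "/config.xml", "/WEB-INF/web.xml",
                         "/css/../WEB-INF/web.xml", "/app.properties", "/readme.txt",
                         "/images/logo.PNG", "/Foo.class", "/data.json" };
        for (String id : ids) {
            System.out.printf("%-26s -> %s%n", id, f.allows(id) ? "200 serve" : "404");
        }
    }
}
```

Running main prints 200 only for /styles/site.css, /config.xml and /images/logo.PNG; /WEB-INF/web.xml stays 404 although *.xml is an included pattern, the traversal form /css/../WEB-INF/web.xml is normalized to the same path and likewise denied, /readme.txt is denied by the user exclude that was appended to (not substituted for) the defaults, and /data.json is denied simply because no include pattern names it. Because allowed-but-missing and denied resources both produce 404, a caller cannot use the status code to enumerate which protected resources exist, which is the point made in the 30/Nov/06 comment.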
Craig McClanahan made changes - 16/Dec/06 03:10 AM
Resolution: Fixed [ 1 ]
Status: Open [ 1 ] → Resolved [ 5 ]
Fix Version/s 1.0.4-SNAPSHOT [ 21740 ]
Fix Version/s TBD [ 21773 ]
Rahul Akolkar made changes - 23/Jan/07 04:40 PM
Fix Version/s 1.0.4-SNAPSHOT [ 21740 ]
Fix Version/s 1.0.4 [ 21790 ]
Jeff Turner made changes - 09/Aug/07 07:15 AM
Workflow: Struts [ 38979 ] → Struts - editable closed status [ 41654 ]
Antonio Petrelli made changes - 08/Jan/09 08:56 AM
Workflow: Struts - editable closed status [ 41654 ] → Struts - editable closed status (temporary) [ 46004 ]
Antonio Petrelli made changes - 08/Jan/09 09:08 AM
Workflow: Struts - editable closed status (temporary) [ 46004 ] → Struts - editable closed status [ 53042 ]