
Key: SHALE-362
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Unassigned
Reporter: Craig McClanahan
Votes: 0
Watchers: 0
Shale

Improve default security of Shale Remoting

Created: 14/Dec/06 08:39 AM   Updated: 23/Jan/07 04:40 PM
Component/s: Remoting
Affects Version/s: 1.0.4-SNAPSHOT
Fix Version/s: 1.0.4


Description
The current "out of the box" security of Shale Remoting is better (in 1.0.4-SNAPSHOT) than it was in 1.0.3, but still needs to be improved:

* "Dynamic" processor should exclude by default all managed bean
  names that are implicitly defined in the JSF spec, and have public
  zero-args methods that might mess things up. (Example: executing
  #{applicationScope.clear} would be bad.)

* All processors should be enhanced to *always* obey their default
  exclude lists, even if the user specifies additional exclude patterns.
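An added illustration of the two rules above (hypothetical code, not from Shale Remoting): resource ids are assumed to have the form /bean/method, exclude patterns are treated as simple prefixes, and both the default exclude list and the set of JSF 1.x implicit bean names are assumptions made for this example.

```java
import java.util.*;

// Hypothetical illustration of the SHALE-362 policy; not code from Shale Remoting.
public class ImplicitBeanExcludeFilter {

    // Managed bean names implicitly defined by the JSF 1.x spec. A remote resource id
    // must never resolve a method binding against any of these.
    private static final Set<String> IMPLICIT_BEANS = Collections.unmodifiableSet(
        new HashSet<String>(Arrays.asList(
            "applicationScope", "sessionScope", "requestScope", "facesContext", "view",
            "param", "paramValues", "header", "headerValues", "cookie", "initParam")));

    // Assumed default exclude prefixes; whatever the real defaults are, they are immutable here.
    private static final List<String> DEFAULT_EXCLUDES = Collections.unmodifiableList(
        Arrays.asList("/WEB-INF/", "/META-INF/"));

    // User configuration appends to the defaults; it can never replace or remove them.
    private final Set<String> excludes = new LinkedHashSet<String>(DEFAULT_EXCLUDES);

    // Accepts a comma-separated list of additional exclude prefixes from configuration.
    public void setExcludes(String userPatterns) {
        if (userPatterns == null) return;
        for (String p : userPatterns.split(",")) {
            String trimmed = p.trim();
            if (trimmed.length() > 0) excludes.add(trimmed);
        }
    }

    // A resource id is allowed only if it passes both the implicit-bean and exclude checks.
    public boolean isAllowed(String resourceId) {
        if (resourceId == null || !resourceId.startsWith("/")) return false;
        // Resource ids are assumed to look like "/beanName/methodName".
        String[] segments = resourceId.substring(1).split("/");
        if (segments.length != 2) return false;
        if (IMPLICIT_BEANS.contains(segments[0])) return false;
        for (String prefix : excludes) {
            if (resourceId.startsWith(prefix)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        ImplicitBeanExcludeFilter f = new ImplicitBeanExcludeFilter();
        f.setExcludes("/admin/");  // user adds a pattern; the defaults above stay in force
        for (String id : new String[] {"/applicationScope/clear", "/WEB-INF/web.xml",
                                       "/admin/reset", "/orders/list"}) {
            System.out.println(id + " allowed=" + f.isAllowed(id));
        }
    }
}
```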


Subversion Commits

Repository: ASF
Revision: #487133
Date: Thu Dec 14 08:40:48 UTC 2006
User: craigmcc
Message: Improve out-of-the-box security of Shale Remoting:

* Dynamic processor (maps resource ids to public methods on a managed bean)
  now refuses to call methods on bean names defined implicitly by the JSF
  spec (such as applicationScope).

* All processors now enforce their default exclude lists even if the user
  specifies (additional) patterns to be excluded.

SHALE-362
Files Changed
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/AbstractResourceProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/MethodBindingProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/package.html
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/ClassResourceProcessor.java
ADD /shale/framework/trunk/shale-remoting/src/test/resources/org/apache/shale/remoting/impl/TestData.txt (from /shale/framework/trunk/shale-remoting/src/test/resources/org/apache/shale/remoting/impl/TestData.text)
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/FilteringProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/impl/MethodBindingProcessorTestCase.java
MODIFY /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/impl/ClassResourceProcessorTestCase.java
DEL /shale/framework/trunk/shale-remoting/src/test/resources/org/apache/shale/remoting/impl/TestData.text
MODIFY /shale/framework/trunk/shale-remoting/src/site/xdoc/index.xml
MODIFY /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/faces/MappingsHelperTestCase.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/WebResourceProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/Constants.java