Issue Details

Key: SHALE-362
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Unassigned
Reporter: Craig McClanahan
Votes: 0
Watchers: 0
Shale

Improve default security of Shale Remoting

Created: 14/Dec/06 08:39 AM   Updated: 23/Jan/07 04:40 PM
Component/s: Remoting
Affects Version/s: 1.0.4-SNAPSHOT
Fix Version/s: 1.0.4


Description
The current "out of the box" security of Shale Remoting is better (in 1.0.4-SNAPSHOT) than it was in 1.0.3, but still needs to be improved:

* "Dynamic" processor should exclude by default all managed bean
  names that are implicitly defined in the JSF spec, and have public
  zero-argument methods that might mess things up. (Example: executing
  #{applicationScope.clear} would be bad.)

* All processors should be enhanced to *always* obey their default
  exclude lists, even if the user specifies additional exclude patterns.
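As an added illustration of the two rules above (this is stand-alone example code, not Shale's own implementation; the class name, the "/beanName/*" pattern syntax and the comma-separated configuration string are assumptions made for the example), the class below seeds its exclude list with the implicit objects defined by the JSF 1.x EL spec and then appends whatever the deployer configures, so a user-supplied pattern list can only narrow what is reachable, never widen it back to the implicit beans:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical stand-alone illustration (not Shale's code) of the hardening
 * described in SHALE-362:
 *  1. resource ids that resolve to implicit JSF managed-bean names are
 *     refused by default, and
 *  2. user-supplied exclude patterns are appended to, and never replace,
 *     the built-in default excludes.
 */
public class ExcludeListDemo {

    /** Implicit objects defined by the JSF 1.x EL spec; none should be callable through a remoting URL. */
    static final List<String> JSF_IMPLICIT_BEANS = Collections.unmodifiableList(Arrays.asList(
        "applicationScope", "sessionScope", "requestScope", "param", "paramValues",
        "header", "headerValues", "cookie", "initParam", "facesContext", "view"));

    /** Default exclude patterns, expressed here (example syntax) as "/beanName/*". */
    static List<String> defaultExcludes() {
        List<String> excludes = new ArrayList<String>();
        for (String bean : JSF_IMPLICIT_BEANS) {
            excludes.add("/" + bean + "/*");
        }
        return excludes;
    }

    private final List<String> excludes;

    /**
     * Build the effective exclude list: defaults first, then the deployer's
     * additional patterns (assumed comma-separated). The defaults are never
     * dropped, whatever the user configures.
     */
    ExcludeListDemo(String userExcludePatterns) {
        List<String> effective = defaultExcludes();
        if (userExcludePatterns != null) {
            for (String p : userExcludePatterns.split(",")) {
                String trimmed = p.trim();
                if (trimmed.length() > 0 && !effective.contains(trimmed)) {
                    effective.add(trimmed);
                }
            }
        }
        this.excludes = Collections.unmodifiableList(effective);
    }

    /** True when a resource id such as "/applicationScope/clear" matches any exclude pattern. */
    boolean isExcluded(String resourceId) {
        for (String pattern : excludes) {
            if (matches(pattern, resourceId)) {
                return true;
            }
        }
        return false;
    }

    /** Minimal matcher for this example: exact match, "prefix*", or "*suffix". */
    static boolean matches(String pattern, String resourceId) {
        if (pattern.endsWith("*")) {
            return resourceId.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        if (pattern.startsWith("*")) {
            return resourceId.endsWith(pattern.substring(1));
        }
        return pattern.equals(resourceId);
    }

    public static void main(String[] args) {
        // A deployment that configures only its own pattern still keeps every default exclude.
        ExcludeListDemo processor = new ExcludeListDemo("/admin/*");
        System.out.println("/applicationScope/clear excluded? " + processor.isExcluded("/applicationScope/clear"));
        System.out.println("/admin/reset excluded?            " + processor.isExcluded("/admin/reset"));
        System.out.println("/businessBean/hello excluded?     " + processor.isExcluded("/businessBean/hello"));
    }
}
```

The design point is the constructor: the user's patterns are merged into a list that already contains the defaults, rather than being used as a replacement list, so a misconfigured or empty exclude setting cannot reopen access to the implicit scope objects.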


All   Comments   Change History   Subversion Commits
Repository: ASF
Revision: #487133
Date: Thu Dec 14 08:40:48 UTC 2006
User: craigmcc
Message: Improve out-of-the-box security of Shale Remoting:

* Dynamic processor (maps resource ids to public methods on a managed bean)
  now refuses to call methods on bean names defined implicitly by the JSF
  spec (such as applicationScope).

* All processors now enforce their default exclude lists even if the user
  specifies (additional) patterns to be excluded.

SHALE-362
Files Changed
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/AbstractResourceProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/MethodBindingProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/package.html
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/ClassResourceProcessor.java
ADD /shale/framework/trunk/shale-remoting/src/test/resources/org/apache/shale/remoting/impl/TestData.txt (from /shale/framework/trunk/shale-remoting/src/test/resources/org/apache/shale/remoting/impl/TestData.text)
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/FilteringProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/impl/MethodBindingProcessorTestCase.java
MODIFY /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/impl/ClassResourceProcessorTestCase.java
DEL /shale/framework/trunk/shale-remoting/src/test/resources/org/apache/shale/remoting/impl/TestData.text
MODIFY /shale/framework/trunk/shale-remoting/src/site/xdoc/index.xml
MODIFY /shale/framework/trunk/shale-remoting/src/test/java/org/apache/shale/remoting/faces/MappingsHelperTestCase.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/impl/WebResourceProcessor.java
MODIFY /shale/framework/trunk/shale-remoting/src/main/java/org/apache/shale/remoting/Constants.java

Craig McClanahan added a comment - 14/Dec/06 08:43 AM
Fixed in nightly build 20061213, although a remaining issue of no default "includes" list for the dynamic processor remains to be considered (see SHALE-344).

Craig McClanahan made changes - 14/Dec/06 08:43 AM
  Resolution: (empty) → Fixed [ 1 ]
  Status: Open [ 1 ] → Resolved [ 5 ]
Rahul Akolkar made changes - 23/Jan/07 04:40 PM
  Fix Version/s: 1.0.4-SNAPSHOT [ 21740 ] → 1.0.4 [ 21790 ]
Jeff Turner made changes - 09/Aug/07 07:15 AM
  Workflow: Struts [ 39043 ] → Struts - editable closed status [ 41682 ]
Antonio Petrelli made changes - 08/Jan/09 08:56 AM
  Workflow: Struts - editable closed status [ 41682 ] → Struts - editable closed status (temporary) [ 45914 ]
Antonio Petrelli made changes - 08/Jan/09 09:08 AM
  Workflow: Struts - editable closed status (temporary) [ 45914 ] → Struts - editable closed status [ 52585 ]