Jetspeed 2 / JS2-900

SiteView should throw SecurityException when a Node is not accessible instead of NodeNotFoundException

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.1.3
    • Fix Version/s: 2.2.0
    • Labels: None

      Description

      SiteView.getNodeProxy uses currentFolder.getAll() to look up a target path (element).
      FolderImpl.getAll() (both PSML and DB versions) will filter out any Node for which the current user doesn't have access.

      But this means there is no distinction possible between access to a non-existing page and access to a not-allowed page (e.g. 404 or 403).
      The ProfilerValveImpl (invoking these) already can handle a thrown SecurityException and send a SC_FORBIDDEN error (if configured to do so).
      So, the intended behavior already is to support this.

      We just need to fix SiteView.getNodeProxy a little, like calling currentFolder.getAllNodes() and performing a security check itself if the path was resolved.
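
      The difference between the filtered and the resolve-then-check lookup, as an added example that is not part of the original issue or the Jetspeed code base. The Node and Folder types, the explicit user parameter, the helper names and the sample pages are simplified stand-ins assumed for illustration; only the getAll()/getAllNodes() method names come from the description above.

```java
import java.util.*;

// Simplified stand-ins for illustration only; these are not the Jetspeed classes.
public class NodeLookupDemo {
    static class NodeNotFoundException extends Exception { }
    record Node(String name, Set<String> allowedUsers) {
        boolean canView(String user) { return allowedUsers.contains(user); }
    }
    record Folder(Map<String, Node> children) {
        // Filtered view: nodes the user may not access are silently dropped.
        Map<String, Node> getAll(String user) {
            Map<String, Node> visible = new HashMap<>(children);
            visible.values().removeIf(n -> !n.canView(user));
            return visible;
        }
        // Unfiltered view: the caller must perform the access check itself.
        Map<String, Node> getAllNodes() { return children; }
    }
    // Before: a denied node looks exactly like a missing one.
    static Node lookupFiltered(Folder f, String name, String user) throws NodeNotFoundException {
        Node n = f.getAll(user).get(name);
        if (n == null) throw new NodeNotFoundException();
        return n;
    }
    // After: resolve the path first, then check access, so the two cases diverge.
    static Node lookupChecked(Folder f, String name, String user) throws NodeNotFoundException {
        Node n = f.getAllNodes().get(name);
        if (n == null) throw new NodeNotFoundException();          // caller maps to 404
        if (!n.canView(user)) throw new SecurityException(name);   // caller maps to 403
        return n;
    }
    // Stand-in for the valve's mapping of exceptions to HTTP status codes.
    static String status(Folder f, String name, String user, boolean checked) {
        try {
            if (checked) lookupChecked(f, name, user); else lookupFiltered(f, name, user);
            return "200";
        } catch (SecurityException e) { return "403";
        } catch (NodeNotFoundException e) { return "404"; }
    }
    public static void main(String[] args) {
        // Constructed sample data: one public page, one admin-only page.
        Folder root = new Folder(Map.of(
            "public.psml", new Node("public.psml", Set.of("guest", "admin")),
            "admin.psml", new Node("admin.psml", Set.of("admin"))));
        for (String page : List.of("public.psml", "admin.psml", "missing.psml"))
            System.out.println(page + " filtered=" + status(root, page, "guest", false)
                + " checked=" + status(root, page, "guest", true));
    }
}
```

      With the checked lookup a 403 confirms to the requester that the path exists, which the filtered lookup never reveals.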

        Activity

        Randy Watler added a comment -

        Resolved with the following commits: 772016, 772017.

        Also requires configuration of profiler valve in pipelines.xml to enable 403/404 returns and disable default page folder fallback:

        <bean id="profilerValve" class="org.apache.jetspeed.profiler.impl.ProfilerValveImpl" init-method="initialize">
        ...
        <!--
        request fallback to root folder/page enabled by default;
        if set to false, requests generate HTTP 403/404 errors
        for access errors or missing pages
        -->
        <constructor-arg index="2">
        <value>false</value>
        </constructor-arg>
        ...
        </bean>

        Vivek Kumar added a comment -

        I have reverted back my code.
        Still working on this.

        Vivek Kumar added a comment -

        Fixed by adding a new method in Folder API


          People

          • Assignee: Randy Watler
          • Reporter: Ate Douma
          • Votes: 0
          • Watchers: 0

            Dates

            • Created:
              Updated:
              Resolved:

              Time Tracking

              • Original Estimate: 4h
              • Remaining Estimate: 4h
              • Time Spent: Not Specified