Posted to dev@wink.apache.org by "Bryant Luk (JIRA)" <ji...@apache.org> on 2009/07/12 15:27:14 UTC

[jira] Created: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

X-Method-Override and X-Http-Method-Override behavior
-----------------------------------------------------

                 Key: WINK-76
                 URL: https://issues.apache.org/jira/browse/WINK-76
             Project: Wink
          Issue Type: Bug
          Components: Server
    Affects Versions: 0.1
            Reporter: Bryant Luk


Need to discuss X-Method-Override and X-Http-Method-Override behavior.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Issue Comment Edited: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Michael Elman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733523#action_12733523 ] 

Michael Elman edited comment on WINK-76 at 7/21/09 12:52 AM:
-------------------------------------------------------------

Should be fixed after [796171|http://svn.apache.org/viewvc?view=rev&revision=796171]

      was (Author: elman):
    Should be fixed after #796171.
  
> X-Method-Override and X-Http-Method-Override behavior
> -----------------------------------------------------
>
>                 Key: WINK-76
>                 URL: https://issues.apache.org/jira/browse/WINK-76
>             Project: Wink
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.1
>            Reporter: Bryant Luk
>            Assignee: Michael Elman
>             Fix For: 0.1
>
>
> Need to discuss X-Method-Override and X-Http-Method-Override behavior.



[jira] Commented: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Bryant Luk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12730834#action_12730834 ] 

Bryant Luk commented on WINK-76:
--------------------------------

Dims,
Sure.  I'll re-add the original comment.

Original comment:
Can we make the X-Method-Override and X-HTTP-Method-Override behavior configurable?

I believe that the current behavior in ServerMessageContext allows a request to come in as a GET through the container and we honor the headers (as expected). I haven't dealt that much with security, but I think if a developer set security constraints via the container's security config (web.xml or whatever) for POST requests, you could bypass this security constraint and any associated container rules for it.

Greg and Nick were discussing if adding support for the headers by default was a good idea weeks ago so having a similar discussion out here would be good too.



[jira] Commented: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Bryant Luk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12731472#action_12731472 ] 

Bryant Luk commented on WINK-76:
--------------------------------

One of the patterns that I've seen is for the security config to restrict access to POST, PUT, and DELETE to some privileged user role.  However, the application code itself does not do a further check in the POST resource method nor does the application actually use the username or any other security related information.  If there's no proxy or anything in front that changes the HTTP method, the container would receive the GET but then Wink changes it to a POST.  Unless the developer read the documentation and knew that Wink honors the override headers, the developer may assume this is "good enough".

Let me know if I'm totally off base, but I would like to see this behavior default to off with it being optionally turned on via a configuration.  This is to protect against bad code since the security intent is clear even if the application code is not doing everything it can and should.



[jira] Assigned: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Michael Elman (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Elman reassigned WINK-76:
---------------------------------

    Assignee: Michael Elman



[jira] Commented: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Nick Gallardo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12731496#action_12731496 ] 

Nick Gallardo commented on WINK-76:
-----------------------------------

> Let me know if I'm totally off base

I don't think you're off base.  If it's the type of thing that can cause a security exposure, then users should have to enable it knowing the ramifications.

The other reason X-HTTP-Method-Override is useful is for firewalls that don't allow PUT or DELETE requests to come through.  In most cases, the people running the data centers will have complete control over that and application developers will need a way to accommodate.



[jira] Commented: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Davanum Srinivas (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12730816#action_12730816 ] 

Davanum Srinivas commented on WINK-76:
--------------------------------------

Just to be clear, this is not a security vulnerability in a shipping release. This is a security design discussion which needs to happen in public.

thanks,
dims



[jira] Commented: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Michael Elman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12730797#action_12730797 ] 

Michael Elman commented on WINK-76:
-----------------------------------

Btw, using wink-developers doesn't send mail to the wink-dev mailing list.
So in general people are unaware of the discussion that is going on here.

I think for private discussions it's better to use the wink-private mailing list.



[jira] Commented: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Michael Elman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12730838#action_12730838 ] 

Michael Elman commented on WINK-76:
-----------------------------------

My original comment was:

{quote}I think that the idea of using X-HTTP-Method-Override is to bypass the security constraints.
Of course we may make it configurable.{quote}



[jira] Resolved: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Michael Elman (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Elman resolved WINK-76.
-------------------------------

       Resolution: Fixed
    Fix Version/s: 0.1

Should be fixed after #796171.



[jira] Closed: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Bryant Luk (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bryant Luk closed WINK-76.
--------------------------


Thanks Michael.



[jira] Commented: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Davanum Srinivas (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12730804#action_12730804 ] 

Davanum Srinivas commented on WINK-76:
--------------------------------------

Bryant,
Sorry, any design/development discussions have to happen in public. Please don't use *any* non-public mechanism.

Michael,
No, please don't use wink-private for any development-related discussions. Use private sparingly, usually only when discussing people (say new committers) or security-related issues. Anything else should be in public.

thanks,
dims



[jira] Commented: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Michael Elman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12731508#action_12731508 ] 

Michael Elman commented on WINK-76:
-----------------------------------

The use case is exactly as Nick described: since many firewalls don't allow PUT or DELETE or custom HTTP methods, X-HTTP-Method-Override is used to override the real method.
However, the client should send POST with X-HTTP-Method-Override and not GET. I don't think we validate that it's really POST though, so technically it could be GET.

Thinking about it, it will be a bad practice to set authorization on REST web services using a container, regardless of whether we decide to turn it on or off by default:
* turning it on may cause a security exposure
* turning it off may block certain functionality (PUT, DELETE and custom)



[jira] Commented: (WINK-76) X-Method-Override and X-Http-Method-Override behavior

Posted by "Michael Elman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WINK-76?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733514#action_12733514 ] 

Michael Elman commented on WINK-76:
-----------------------------------

Proposed solution:
* Add a property {{wink.httpMethodOverrideHeaders}}
* By default this property will be empty
* It may contain a comma-separated list of the headers that will be used for override
* When not empty, the runtime will search for headers from the specified list and if a header is found, it will be used as the HTTP method.


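The scenario Bryant describes earlier in the thread (a container constraint on POST/PUT/DELETE that a plain GET carrying an override header slips past) and the property proposed in this comment, modelled together as an added example that is not Wink's own code. The constraint layout, the function names and the "admin" role are assumptions made for the illustration; the property semantics (empty by default, comma-separated header names) follow the proposal above.

```python
# Added example, not Wink's own code. Models the two layers the thread discusses:
# a container security constraint evaluated on the *raw* HTTP method (web.xml
# style), then framework-side override resolution driven by a property with the
# semantics proposed for wink.httpMethodOverrideHeaders. Constraint layout,
# function names and the "admin" role are assumptions made for illustration.
PRE_FIX_HEADERS = "X-Method-Override,X-HTTP-Method-Override"  # honoured unconditionally before the fix

def parse_override_headers(value):
    """Comma-separated header names -> lower-cased list; empty means override disabled."""
    return [h.strip().lower() for h in (value or "").split(",") if h.strip()]

def container_allows(raw_method, roles, constraints):
    """Container check: it only ever sees the raw method, never the override header."""
    for methods, allowed_roles in constraints:
        if raw_method in methods:
            return bool(set(roles) & allowed_roles)
    return True  # unconstrained method

def resolve_method(raw_method, headers, override_headers, post_only=True):
    """Framework check: the effective method the resource is matched on."""
    if post_only and raw_method != "POST":
        return raw_method  # a GET must not masquerade as a state-changing method
    lower = {k.lower(): v for k, v in headers.items()}
    for name in override_headers:
        if name in lower:
            return lower[name].strip().upper()
    return raw_method

def dispatch(raw_method, headers, roles, constraints, override_property, post_only=True):
    """Returns ("denied", None) or ("allowed", effective_method)."""
    if not container_allows(raw_method, roles, constraints):
        return ("denied", None)
    names = parse_override_headers(override_property)
    return ("allowed", resolve_method(raw_method, headers, names, post_only))

# Constructed scenario from the thread: POST/PUT/DELETE need role "admin", GET is open,
# and an anonymous client sends GET with X-HTTP-Method-Override: POST.
CONSTRAINTS = [({"POST", "PUT", "DELETE"}, {"admin"})]
OVERRIDE_TO_POST = {"X-HTTP-Method-Override": "POST"}

def bypass_pre_fix():
    """Headers honoured on any method: the GET reaches the POST resource unauthenticated."""
    return dispatch("GET", OVERRIDE_TO_POST, [], CONSTRAINTS, PRE_FIX_HEADERS, post_only=False)

def off_by_default():
    """Proposed default (empty property): the override header is ignored."""
    return dispatch("GET", OVERRIDE_TO_POST, [], CONSTRAINTS, "", post_only=False)

def post_only_guard():
    """Override enabled but honoured only on POST, which is what clients should send."""
    return dispatch("GET", OVERRIDE_TO_POST, [], CONSTRAINTS, PRE_FIX_HEADERS)

def legitimate_use():
    """Admin behind a firewall that drops DELETE: POST + override is allowed and becomes DELETE."""
    return dispatch("POST", {"X-HTTP-Method-Override": "DELETE"}, ["admin"], CONSTRAINTS, PRE_FIX_HEADERS)
```

Even with the property set, restricting the override to POST requests keeps the container's method-based constraint meaningful, since the container already authorizes the POST before the framework rewrites it.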