Posted to users@tomcat.apache.org by kazukin6 <co...@mail.ru> on 2008/09/14 04:58:24 UTC

RE: Question is answered. See Bill Barker-2 answer (update)

And yes, for us it's not possible to let users change only parts of jsp's
and deny execution of these parts based on some credential assessments
executed during some <if checkAccess> tags


kazukin6 wrote:
> 
> Martin, thanks for a guide! I took a look at the Jetspeed (and portlet
> specifications too) and it seems pretty interesting. I'll definitely study
> it. The only thing that scares me is that the specs
> (http://www.jcp.org/aboutJava/communityprocess/review/jsr168/) weren't
> updated since 2003
> 
> And yes, you really got it. Our system indeed is a portal and CMS and
> something else too. And it somehow resembles the functions the Portal API
> has. At this moment we're developing a CRM part based on it. We already have
> a whole bunch of portal functionality (it doesn't have any XML config because
> it's highly dynamic and config is stored in DB) and a very specific security
> system, tuned to our specific features, and at this point I'm not sure
> we'll be able to seamlessly integrate any second-party solution into this
> architecture.
> 
> 
> 
> mgainty wrote:
>> 
>> 
>> that was a 30 second solution amongst 100 different solutions
>> 
>> so maybe you want to categorise the jsps and then enable / disable
>> view/update/delete of the resources in those categories depending on
>> the authenticated credentials of the user
>> for this scenario you might want to look at portals and/or
>> content-management system(s)
>> 
>> i would start here
>> http://portals.apache.org/jetspeed-1/fusion.html
>> 
>> Martin
>> 
>> 
>>> Date: Sat, 13 Sep 2008 17:32:29 -0700
>>> From: coolwhiff@mail.ru
>>> To: users@tomcat.apache.org
>>> Subject: Question is answered. See Bill Barker-2 answer
>>> 
>>> 
>>> Hi, Martin
>>> Thanks for the answer
>>> I see what you mean, but the problem is slightly different
>>> 
>>> The matter is that our users can change jsp files however they like via the
>>> administrative interface, so we want to restrict the use of scriptlets in
>>> these jsp's because of possible abuses
>>> 
>>> Bill Barker-2 provided the comprehensive answer to this problem
>>> 
>>> 
>>> mgainty wrote:
>>> > 
>>> > 
>>> > use the struts if tag to conditionally disable the code
>>> > <%@ taglib prefix="s" uri="/struts-tags"%>
>>> > 
>>> > <s:if test="%{false}">
>>> >     <div>Will Not Be Executed</div>
>>> > </s:if>
>>> > 
>>> > http://struts.apache.org/2.0.11.2/docs/if.html
>>> > thanks to struts
>>> > Martin
>>> > 
>>> > 
>>> >> Date: Sat, 13 Sep 2008 08:58:59 -0700
>>> >> From: coolwhiff@mail.ru
>>> >> To: users@tomcat.apache.org
>>> >> Subject: Re: Disable java code execution <%blabla%> in jsp, but permits
>>> >> tags
>>> >> 
>>> >> 
>>> >> We want them to be able to customize information they get from our
>>> >> system by using custom tags
>>> >> 
>>> >> 
>>> >> H. Hall wrote:
>>> >> > 
>>> >> > kazukin6 wrote:
>>> >> >> Plz Help !!
>>> >> >> Is it possible to disable all java code execution within jsp page
>>> >> >> (by security manager or something)
>>> >> >> but allow custom tags to be executed?
>>> >> >>
>>> >> >> The problem is that the users can change jsp files, and due to
>>> >> >> security reasons we can allow them to use only tags
>>> >> >>
>>> >> > Why are users allowed to change jsp files?
>>> >> > 
>>> >> > HH
>>> >> > 
>>> >> > 
>>> >> > 
>>> >> > -- 
>>> >> > H. Hall
>>> >> > ReedyRiver Group LLC
>>> >> > http://www.reedyriver.com
>>> >> > 
>>> >> > 
>>> >> > ---------------------------------------------------------------------
>>> >> > To start a new topic, e-mail: users@tomcat.apache.org
>>> >> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> >> > For additional commands, e-mail: users-help@tomcat.apache.org
>>> >> > 
>>> >> > 
>>> >> > 
>>> >> 
>>> >> 
>>> >> 
>>> >> 
>>> > 
>>> > 
>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 
> 





Re: Question is answered. See Bill Barker-2 answer (update)

Posted by kazukin6 <co...@mail.ru>.
Hi Chris!

They can upload them using a javascript file manager

Totally rejecting scripting seems to be a more robust solution


Christopher Schultz-2 wrote:
> 
> 
> Kazukin,
> 
> kazukin6 wrote:
>> And yes, for us it's not possible to let users change only parts of
>> jsp's and deny execution of these parts based on some credential
>> assessments executed during some <if checkAccess> tags
> 
> How do your users submit updated JSP files? Do you have the opportunity
> to scan them before installation? If so, why not simply reject anything
> containing "<%[^@]"?
> 
> -chris
> 
> 
> 
> 
> 





Re: Question is answered. See Bill Barker-2 answer (update)

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Kazukin,

kazukin6 wrote:
> And yes, for us it's not possible to let users change only parts of jsp's
> and deny execution of these parts based on some credential assessments
> executed during some <if checkAccess> tags

How do your users submit updated JSP files? Do you have the opportunity
to scan them before installation? If so, why not simply reject anything
containing "<%[^@]"?

-chris


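An added example (not code from the thread) of the pre-installation scan Chris suggests: it rejects any uploaded JSP containing `<%` not followed by `@`, which covers scriptlets, expressions and declarations but also trips on `<%--` JSP comments. It goes a step further than the thread by also flagging the JSP-document (XML) spellings `<jsp:scriptlet>`, `<jsp:expression>` and `<jsp:declaration>`, which the plain regex does not see; the sample pages are constructed for illustration.

```python
import re

# Chris's rule: "<%" not followed by "@" (a page/taglib directive). This
# matches scriptlets "<% ... %>", expressions "<%= ... %>", declarations
# "<%! ... %>" and, as a side effect, JSP comments "<%-- ... --%>".
CLASSIC_SCRIPTING = re.compile(r"<%[^@]")

# The JSP document (XML) syntax spells the same scripting elements as tags,
# which the classic pattern does not see; the scan covers those as well.
XML_SCRIPTING = re.compile(r"<jsp:(?:scriptlet|expression|declaration)\b")


def find_scripting(jsp_source):
    """Return [(line_number, matched_text)] for every scripting opener.

    The whole text is scanned rather than line by line, so a "<%" that
    ends a line (body starting on the next line) is still caught.
    """
    hits = []
    for pattern in (CLASSIC_SCRIPTING, XML_SCRIPTING):
        for m in pattern.finditer(jsp_source):
            lineno = jsp_source.count("\n", 0, m.start()) + 1
            hits.append((m.start(), lineno, m.group(0)))
    hits.sort()  # report findings in document order
    return [(lineno, text) for _, lineno, text in hits]


def is_tag_only(jsp_source):
    """True when the page uses only directives, template text and tags."""
    return not find_scripting(jsp_source)


# Constructed sample pages: one tag-only, one that uses scripting.
TAG_ONLY_JSP = (
    '<%@ page contentType="text/html" %>\n'
    '<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>\n'
    '<c:out value="${name}"/>\n'
)
SCRIPTING_JSP = (
    '<%@ page contentType="text/html" %>\n'
    '<%= request.getParameter("q") %>\n'
    '<jsp:scriptlet>int n = 1;</jsp:scriptlet>\n'
    '<%\n'
    '  String s = "scriptlet opened at end of line";\n'
    '%>\n'
)
```

Run the scan on each upload before it is copied into the webapp; `find_scripting` gives the line numbers to report back to the uploader.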