Posted to muse-dev@ws.apache.org by "Vinh Nguyen (JIRA)" <ji...@apache.org> on 2007/08/04 02:39:52 UTC

[jira] Created: (MUSE-257) client should not get listing of existing EPRS when invalid EPR is specified

client should not get listing of existing EPRS when invalid EPR is specified
----------------------------------------------------------------------------

                 Key: MUSE-257
                 URL: https://issues.apache.org/jira/browse/MUSE-257
             Project: Muse
          Issue Type: Bug
         Environment: Muse 2.2.0
            Reporter: Vinh Nguyen
            Assignee: Dan Jemiolo


When a client specifies an invalid EPR, Muse throws a SoapFault and lists the current EPRs on the server.  This is a possible security issue.  Instead, Muse should just say "invalid EPR", and then just internally log the error with the list of existing EPRs to make it easier to debug on the server side.

The problem is in SimpleResourceRouter.getTargetResource().  This is where it throws the fault.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: muse-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: muse-dev-help@ws.apache.org
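The two behaviours the report contrasts, as an added illustration rather than Muse's own code: a hypothetical router whose fault enumerates every known EPR, beside one that sends a fixed "Invalid EPR" message to the client and keeps the listing in the server-side log. The class and method names, the FaultException stand-in and the addresses are all assumptions, not identifiers from Muse.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical router, not Muse's SimpleResourceRouter: resources are keyed
// by EPR address, and a lookup miss is reported in two different ways.
public class EprRouterExample {
    private static final Logger LOG = Logger.getLogger(EprRouterExample.class.getName());
    private final Map<String, Object> resources = new HashMap<>();

    // Stand-in for the SOAP fault whose message reaches the client.
    public static class FaultException extends Exception {
        public FaultException(String message) { super(message); }
    }

    // Behaviour the report complains about: the fault text enumerates every
    // EPR the server knows, so any mistyped address returns the full listing.
    public Object getTargetResourceLeaky(String eprAddress) throws FaultException {
        Object target = resources.get(eprAddress);
        if (target == null) {
            throw new FaultException("Invalid EPR " + eprAddress
                    + "; known EPRs: " + resources.keySet());
        }
        return target;
    }

    // Behaviour the report asks for: a fixed message goes back to the client,
    // the listing only goes to the server-side log where it helps debugging.
    public Object getTargetResource(String eprAddress) throws FaultException {
        Object target = resources.get(eprAddress);
        if (target == null) {
            LOG.log(Level.WARNING, "Invalid EPR {0}; known EPRs: {1}",
                    new Object[] { eprAddress, resources.keySet() });
            throw new FaultException("Invalid EPR");
        }
        return target;
    }

    public static void main(String[] args) {
        EprRouterExample router = new EprRouterExample();
        router.resources.put("http://example.invalid/muse/services/Thing", new Object()); // constructed address
        String typo = "http://example.invalid/muse/services/Typo"; // constructed address
        try { router.getTargetResourceLeaky(typo); }
        catch (FaultException e) { System.out.println("leaky fault: " + e.getMessage()); }
        try { router.getTargetResource(typo); }
        catch (FaultException e) { System.out.println("fixed fault: " + e.getMessage()); }
    }
}
```

Running the main method shows the first fault message carrying the registered address while the second carries only "Invalid EPR", with the listing appearing in the JVM's default log output instead.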


[jira] Commented: (MUSE-257) client should not get listing of existing EPRS when invalid EPR is specified

Posted by "Dan Jemiolo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/MUSE-257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12524115 ] 

Dan Jemiolo commented on MUSE-257:
----------------------------------

I don't think I agree that this is a security issue. The EPRs are the way that clients locate and communicate with a resource. If only certain clients are allowed to communicate with a resource, then authentication/authorization should be put in place using something like WS-Security, but your security shouldn't hinge on hiding the existence of a public endpoint. Otherwise, with one EPR I could discover others with brute force.

> client should not get listing of existing EPRS when invalid EPR is specified
> ----------------------------------------------------------------------------
>
>                 Key: MUSE-257
>                 URL: https://issues.apache.org/jira/browse/MUSE-257
>             Project: Muse
>          Issue Type: Bug
>         Environment: Muse 2.2.0
>            Reporter: Vinh Nguyen
>            Assignee: Dan Jemiolo
>
> When a client specifies an invalid EPR, Muse throws a SoapFault and lists the current EPRs on the server.  This is a possible security issue.  Instead, Muse should just say "invalid EPR", and then just internally log the error with the list of existing EPRs to make it easier to debug on the server side.
> The problem is in SimpleResourceRouter.getTargetResource().  This is where it throws the fault.
