You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@shale.apache.org by "Craig McClanahan (JIRA)" <ji...@apache.org> on 2006/11/30 23:59:57 UTC
[jira] Commented: (SHALE-344) Remoting does not provide
configurable limiting of exposed resources
[ http://issues.apache.org/struts/browse/SHALE-344?page=comments#action_38925 ]
Craig McClanahan commented on SHALE-344:
----------------------------------------
I've checked in code that makes it possible to filter what resource ids a particular processor will provide (excluded resources return a 404 to provide no information on whether a resource id is nonexistent, or whether it exists but access is being denied). The "out of the box" configuration for classpath resources and webapp resources now prevents access to things like "*.properties".
Still need to add documentation to the website for configuring these restrictions, and to decide what defaults should be defined for the "dynamic" processor that maps resource ids to a public method on a managed bean.
The new code will be available in the 20061201 nightly build, and in the 1.0.4 release when it occurs.
> Remoting does not provide configurable limiting of exposed resources
> --------------------------------------------------------------------
>
> Key: SHALE-344
> URL: http://issues.apache.org/struts/browse/SHALE-344
> Project: Shale
> Issue Type: Bug
> Components: Remoting
> Reporter: Craig McClanahan
> Assigned To: Craig McClanahan
>
> Shale Remoting's current Processor implementations provide limited hard coded limitations on what resources may be accessed (cannot download classpath resources named "*.class", cannot download webapp resources named "/WEB-INF/*"), but they need to provide configurable settings for more fine grain control. In addition, reasonably secure defaults should be provided.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/struts/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira