Posted to dev@isis.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/09/12 08:26:34 UTC

[jira] [Commented] (ISIS-846) Enhance ExceptionRecognizer so that the stack trace can be suppressed in certain circumstances (for security)

    [ https://issues.apache.org/jira/browse/ISIS-846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14131164#comment-14131164 ] 

ASF subversion and git services commented on ISIS-846:
------------------------------------------------------

Commit 48694d8e6ada55179aa0d5ce547c3bda126b603e in isis's branch refs/heads/master from [~danhaywood]
[ https://git-wip-us.apache.org/repos/asf?p=isis.git;h=48694d8 ]

ISIS-883, ISIS-885, ISIS-846: prevent a user circumventing security by hacking a URL.

for bookmarked actions, check business rules on execution; throw new ObjectMember.AuthorizationException if the action fails visibility or usability checks
for entities, if pasted in a URL, check that the user has permissions to at least one property or collection; throw AuthorizationException otherwise
for entities, if the object cannot be loaded, throw AuthorizationException (avoid disclosing whether the object exists or not)
for the error page, if an AuthorizationException is received then suppress the stack trace to avoid leaking information to a possible attacker

in addition:
- for example todoapp, simplified

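As an added illustration (not Isis code and not part of the commit above), the four rules in the commit message in plain Java with hypothetical types: AuthorizationException stands in for ObjectMember.AuthorizationException, and Member, Entity, Action and UrlGuard are invented for this example.

```java
import java.util.List;
import java.util.Optional;
import java.util.function.Function;
import java.util.function.Predicate;

// Stand-in for ObjectMember.AuthorizationException; hypothetical, defined here so the example is self-contained.
class AuthorizationException extends RuntimeException {
    AuthorizationException() { super("Not authorized"); }
}

// Hypothetical minimal model: members and actions know which users may see or use them.
record Member(String name, Predicate<String> visibleTo) {}
record Entity(String oid, List<Member> members) {}
record Action(String name, Predicate<String> visibleTo, Predicate<String> usableBy, Runnable body) {}

class UrlGuard {
    private final Function<String, Optional<Entity>> repo; // hypothetical lookup; empty when no such oid
    UrlGuard(Function<String, Optional<Entity>> repo) { this.repo = repo; }

    // Entity pasted into a URL: "no such object" and "no permitted members" raise the same
    // exception, so the response does not reveal whether the oid exists.
    Entity resolve(String oid, String user) {
        Entity entity = repo.apply(oid).orElseThrow(AuthorizationException::new);
        boolean anyVisible = entity.members().stream().anyMatch(m -> m.visibleTo().test(user));
        if (!anyVisible) throw new AuthorizationException();
        return entity;
    }

    // Bookmarked action: re-check visibility and usability at execution time, not only when the link was rendered.
    void execute(Action action, String user) {
        if (!action.visibleTo().test(user) || !action.usableBy().test(user)) throw new AuthorizationException();
        action.body().run();
    }

    // Error page: authorization failures get a fixed message and no stack trace; other exceptions keep their trace.
    static String renderError(Throwable t) {
        if (t instanceof AuthorizationException) return "Not authorized";
        StringBuilder sb = new StringBuilder(String.valueOf(t.getMessage())).append('\n');
        for (StackTraceElement e : t.getStackTrace()) sb.append("\tat ").append(e).append('\n');
        return sb.toString();
    }
    public static void main(String[] args) {
        UrlGuard guard = new UrlGuard(oid -> "42".equals(oid)
                ? Optional.of(new Entity("42", List.of(new Member("notes", "alice"::equals)))) : Optional.<Entity>empty());
        for (String oid : new String[] {"42", "999"}) { // 42 exists but bob may see no member; 999 does not exist
            try { guard.resolve(oid, "bob"); }
            catch (AuthorizationException e) { System.out.println(oid + " -> " + renderError(e)); }
        }
    }
}
```

Running main prints the same fixed message for both oids, so the response does not tell the caller whether oid 999 was missing or merely forbidden.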

> Enhance ExceptionRecognizer so that the stack trace can be suppressed in certain circumstances (for security)
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: ISIS-846
>                 URL: https://issues.apache.org/jira/browse/ISIS-846
>             Project: Isis
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: viewer-wicket-1.6.0, core-1.6.0
>            Reporter: Dan Haywood
>            Assignee: Dan Haywood
>            Priority: Minor
>             Fix For: viewer-wicket-1.7.0, core-1.7.0
>
>
> See http://isis.markmail.org/thread/xrlhfx5xii6ndel4 on the dev list.
> This overlaps (or could) with ISIS-884



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)