Posted to dev@camel.apache.org by Aki Yoshida <el...@gmail.com> on 2015/11/10 14:18:43 UTC

Re: [jira] [Commented] (CAMEL-9297) Expose more configuration options from Camel's XStream component

No. The order of calling those allow and deny methods is significant.

See http://x-stream.github.io/security.html#framework
> The sequence of registration is essential. The most recently registered permission will be evaluated first.

And the two test cases in my original patch file demonstrate this behavior.

testAllowAndDeny
testDenyAndAllow

The logic resembles how ACLs for HTTP and some other security
frameworks work, and it is not a bad design but just another approach
that does not match well with the two-properties approach.

2015-11-10 13:30 GMT+01:00 Claus Ibsen (JIRA) <ji...@apache.org>:
>
>     [ https://issues.apache.org/jira/browse/CAMEL-9297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14998483#comment-14998483 ]
>
> Claus Ibsen commented on CAMEL-9297:
> ------------------------------------
>
> Doesn't a deny always take precedence over an allow?
>
> So if you do
> {code}
> xstream.denyTypesByExplicitType("com.foo.MySecretModel");
> xstream.denyTypesByExplicitType("com.foo.baz.EvenMoreSecret");
> xstream.allowTypesByWildCard("com.foo.*");
> {code}
>
> or
>
> {code}
> xstream.allowTypesByWildCard("com.foo.*");
> xstream.denyTypesByExplicitType("com.foo.MySecretModel");
> xstream.denyTypesByExplicitType("com.foo.baz.EvenMoreSecret");
> {code}
>
> or
>
> {code}
> xstream.denyTypesByExplicitType("com.foo.MySecretModel");
> xstream.allowTypesByWildCard("com.foo.*");
> xstream.denyTypesByExplicitType("com.foo.baz.EvenMoreSecret");
> {code}
>
> is the same. Otherwise that is really bad IMHO. A deny should always be the strongest.
>
>
>
>> Expose more configuration options from Camel's XStream component
>> ----------------------------------------------------------------
>>
>>                 Key: CAMEL-9297
>>                 URL: https://issues.apache.org/jira/browse/CAMEL-9297
>>             Project: Camel
>>          Issue Type: Improvement
>>          Components: camel-xstream
>>    Affects Versions: 2.16.0, 2.15.4
>>            Reporter: Akitoshi Yoshida
>>            Assignee: Akitoshi Yoshida
>>         Attachments: 0001-CAMEL-9297-Expose-more-configuration-options-from-Ca.patch
>>
>>
>> Currently, some of the configuration options of XStream are only configurable over the XStream API. This means, the user must instantiate an instance of XStream and configure that instance and assign it to Camel's XStream component to configure these options.
>> This patch will add a more convenient way to set these additional options directly over Camel's XStream component.
>
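
Added example, not part of the original thread or of the CAMEL-9297 patch: a check of the ordering rule quoted above from the XStream security page, using XStream's own `allowTypesByWildcard` and `denyTypes` methods. It assumes XStream 1.4.7 or later on the classpath; the class name `PermissionOrderDemo` is hypothetical, and `java.util.Date` stands in for `com.foo.MySecretModel` because the type has to be loadable before the permission chain is consulted.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class PermissionOrderDemo {

    // Ask the configured mapper chain whether a type name may be unmarshalled.
    // A matching deny permission surfaces as ForbiddenClassException.
    static boolean permitted(XStream xstream, String typeName) {
        try {
            xstream.getMapper().realClass(typeName);
            return true;
        } catch (ForbiddenClassException e) {
            return false;
        }
    }

    // Allow registered first, deny registered last: the deny is evaluated
    // first, so it carves java.util.Date out of the wildcard allow.
    static XStream allowThenDeny() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE); // start from deny-all
        xstream.allowTypesByWildcard(new String[] {"java.util.*"});
        xstream.denyTypes(new String[] {"java.util.Date"});
        return xstream;
    }

    // Deny registered first, allow registered last: the wildcard allow is
    // evaluated first and matches, so the earlier deny is never reached.
    static XStream denyThenAllow() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE); // start from deny-all
        xstream.denyTypes(new String[] {"java.util.Date"});
        xstream.allowTypesByWildcard(new String[] {"java.util.*"});
        return xstream;
    }

    public static void main(String[] args) {
        String type = "java.util.Date"; // stand-in for the "secret" model class
        System.out.println("allow, then deny -> permitted: "
                + permitted(allowThenDeny(), type));
        System.out.println("deny, then allow -> permitted: "
                + permitted(denyThenAllow(), type));
    }
}
```

A check like `permitted` can be run against the final `XStream` instance in a unit test, so that a reordering of allow and deny calls which re-admits a type shows up before deployment.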